Sayles Chapter 10 (Data Security)
Terms in this set (66)
• Protecting the privacy of data
• Ensuring the integrity of data
• Ensuring the availability of data
An effective data security program embodies three basic elements that help prevent system or access errors from occurring. What are they?
T/F: In the healthcare context, the protection of data privacy generally refers to patient-related data. However, the privacy of other information in the healthcare organization should be protected as well. For example, the privacy of certain information about providers (physicians, nurses, therapists), employees, and the organization itself should be maintained.
means that data are complete, accurate, consistent, and up-to-date, so that they are reliable. This concept is at the center of data governance.
Ensuring data integrity is important because providers rely on the data when making decisions about patient care.
(For example, an error made while recording a prescribed drug dosage could cause the wrong amount of medication to be given to a patient, potentially resulting in significant injury or even death. Thus, one important aspect of any security program is the implementation of measures that protect the integrity of data.)
Why is ensuring the integrity of healthcare data important?
False. A security program is as much about ensuring data quality and accuracy as it is about maintaining informational privacy.
T/F: A security program is solely focused on ensuring data quality when it comes to patient health records.
Ensuring _____ means making sure the organization can depend on the information system to perform as expected, and to provide information when and where it is needed.
when the information system is unreliable or unavailable (for example, either planned or unplanned downtime).
When do retrieval and access problems occur?
To ensure that the organization's business can continue in the event of a disruption. Backup procedures are also necessary to be in compliance with federal and state regulations.
In the event of unplanned downtime (i.e., an emergency), why are backup procedures necessary?
unauthorized data or system access by people from both inside and outside the organization. Breaches can occur through hardware or software failures and when an intruder hacks into the system. More often, however, they occur when an employee within the organization either accesses information without authorization or deliberately alters or destroys information.
internal threats/external threats
All threats can be categorized as either ____, which are threats that originate within an organization, or _____, which are threats that originate outside an organization. Both can be caused by people or by environmental, hardware, and software factors.
Threats Caused by People
• Threats from insiders who make unintentional errors.
○ Examples include employees who accidentally make a typographical error, inadvertently delete files on a computer disk, or unknowingly disclose confidential information. Unintentional error is one of the major causes of security breaches.
• Threats from insiders who abuse their access privileges to information.
○ Examples include employees who knowingly disclose information about a patient to individuals who do not have proper authorization; employees with access to computer files who purposefully snoop for information they do not need to perform their jobs; and employees who store information on a thumb or flash drive, remove it from the facility on a laptop or other storage device, and subsequently lose the device or have it stolen.
• Threats from insiders who access information or computer systems for spite or profit.
○ Generally, such employees seek information to commit fraud or theft. Identity theft—stealing information from patients, their families, or other employees—is on the rise and can result in prosecution of those employees who obtained that information unlawfully.
• Threats from intruders who attempt to access information or steal physical resources.
○ Individuals may physically come onto the organization's property to access information or steal equipment such as laptop computers or printers. They also may loiter in the organization's buildings hoping to access information from unprotected computer terminals or to read or take paper documents, computer disks, or other information.
• Threats from vengeful employees or outsiders who mount attacks on the organization's information systems.
○ Disgruntled employees might destroy computer hardware or software, delete or change data, or enter data incorrectly into the computer system. Outsiders might mount attacks that can harm the organization's information resources. For example, malicious hackers can plant viruses in a computer system or break into telecommunications systems to degrade or disrupt system availability.
Natural disasters such as earthquakes, tornadoes, floods, and hurricanes can demolish physical facilities and electrical utilities.
(In 2005, Hurricane Katrina devastated coastal Louisiana, Mississippi, and neighboring states. New Orleans was hit hard and damage was significant particularly due to flood waters after the hurricane passed. Included in the loss of life and property was damage to medical practices and hospitals and their patient records. Many of the facilities and practices had paper records that were completely destroyed and those that did exist on computer hard drives were destroyed by winds, water, and other forces. Patient care was severely compromised because of lost records that contained vital patient information.)
FYI (for your information)
FYI: Other causes of security breaches are utility, software, and hardware failures. These include hardware breakdowns and software failures that cause information systems to shut down or malfunction unexpectedly. Examples include a hard-disk crash that destroys or corrupts data; program code that does not execute properly and alters or destroys information; a failed, weak, or poorly configured firewall; and unsecured browsers.
Electrical outages and power surges also can cause problems. When an electrical outage occurs, information is unavailable to the end user. In addition, data might be corrupted or even lost. Power surges also can destroy or corrupt information. Thus, organizations must have the appropriate equipment to protect information systems from power surges and backup equipment to keep them running during an outage.
These software applications can take over partial or full control of a computer, compromising data security and corrupting both data and hard drives. They gain access to computers via the Internet, as attachments to e-mails or through browsing a website that installs the software after the user clicks on a popup window. What is this known as?
To prevent the intrusion of malware, organizations establish ______ policies and procedures that establish the use of ______ software and specify:
1. what devices should be scanned, such as file servers, mail servers, desktop computers;
2. what programs, documents, and files should be scanned;
3. how often scans should be scheduled;
4. who is responsible for ensuring that scans are completed; and
5. what action should be taken when malware is detected.
the security officer or chief security officer (CSO)
They are responsible for managing all aspects of computer security: they coordinate the development of security policies and make certain that the policies are followed.
(In addition to appointing someone to the CSO position, the organization appoints an advisory or policy-making group. This group is called the information security committee or a similar title. It works with the CSO to evaluate the organization's security needs, establish a security program, develop associated policies and procedures including monitoring and sanction policies, and ensure that the policies are followed. The development and enforcement of sanction policies and procedures, which impose penalties, are important so employees understand the consequences for noncompliance with security and privacy rules. Other management positions involved in the information security committee are the chief information officer (CIO), information technology system directors, network engineers, and representatives from clinical departments such as lab, nursing, pharmacy, and radiology, as appropriate.)
• Employee awareness including ongoing education and training
• Risk management program
• Access safeguards
• Physical and administrative safeguards
• Software application safeguards
• Network safeguards
• Disaster planning and recovery
• Data quality control processes
What components should an effective security program include?
employee awareness program
What would be considered a particularly important tool to reduce security breaches by wrongdoers (whether intentional or unintentional) and to make witnesses cognizant of security breaches so they can recognize them, respond to them, and report them appropriately?
risk management process
A _____ encompasses the identification, evaluation, and control of risks inherent in unexpected and inappropriate events. It can aid the prevention, detection, and mitigation of security breaches, including identity theft.
A risk management program starts with a _______, which includes identifying security threats and vulnerabilities (weaknesses in an organization's operations that a threat can take advantage of). It also includes determining how likely it is that any given threat will occur and estimating the impact of a catastrophic event.
FYI (for your information)
FYI: In addition to threats and vulnerabilities, an organization should also identify how electronic protected health information (e-PHI) is created, managed, stored, and transmitted within the organization and whether vendors or consultants use or maintain e-PHI. Of increasing importance is the threat created by the ubiquitous use of mobile devices (phones, tablets, laptops, and so forth).
an estimate of the probability of threats occurring (For example, an organization may be located in a region with frequent tornadoes "high likelihood").
is the impact that threats might have on information assets (For example, it is known that tornadoes can be extremely destructive: "high impact").
This is an occurrence or an event; the term covers both accidental and malicious events. Detection programs monitor information systems for abnormalities, or for a series of events, that might indicate a security breach is occurring or has occurred.
Basically, this means being able to identify which employees should have access to what data. The general practice is that employees should have access only to data they need to do their respective jobs. For example, a registrar in the admitting office and a nurse would not have access to the same kinds of data. By establishing this, an organization is taking steps to lessen its vulnerabilities, although it cannot prevent them altogether because of the security threats that humans present.
role-based access control (RBAC)
Under this model, every role in the organization is identified along with the type of information required to perform it, and access is granted to the role rather than to the individual. It is the access control model used most often in healthcare organizations.
user-based access control (UBAC)
grants access based on a user's individual identity. For example, every employee in the quality improvement department could potentially have a different degree of access if they have unique responsibilities in that department.
Context-based access control (CBAC)
limits a user's access based not only on identity and role, but also on the person's location and time of access. For example, two respiratory therapists may be given the same access based on their identical roles. However, their access will be further refined (and may differ) based on the units to which they are assigned and the respective shifts they work.
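An added example, not from the textbook or this card set, of how the three models combine in code: a role table answers the RBAC question (may a nurse read lab results?), and a context check then refines that answer by assigned unit and shift, exactly as the respiratory therapist case above describes. The roles, data categories, unit names and shift hours are assumptions made for the example.

```go
package main

import "fmt"

// Added example (not part of the textbook or this card set): a small policy
// engine that applies role-based access control and then refines the decision
// with context (assigned unit and shift), as the CBAC card describes.
// Roles, data categories, units and shift hours are assumptions.

type Action string

const (
	Read  Action = "read"
	Write Action = "write"
)

// rolePermissions is the RBAC table: which data categories each role may
// read or write. Anything not listed is denied.
var rolePermissions = map[string]map[string][]Action{
	"registrar": {"demographics": {Read, Write}, "insurance": {Read, Write}},
	"nurse":     {"demographics": {Read}, "medications": {Read, Write}, "lab_results": {Read}},
	"physician": {"demographics": {Read}, "medications": {Read, Write}, "lab_results": {Read, Write}},
}

// Context is what a context-based check adds on top of identity and role.
type Context struct {
	AssignedUnits []string // units the user is assigned to this shift
	ShiftStart    int      // hour of day (0-23) the shift begins
	ShiftEnd      int      // hour of day the shift ends (exclusive)
}

// Request describes one access attempt.
type Request struct {
	User, Role, Category string
	Action               Action
	PatientUnit          string // unit where the patient is being cared for
	Hour                 int    // hour of day when access is attempted
}

func hasAction(actions []Action, a Action) bool {
	for _, v := range actions {
		if v == a {
			return true
		}
	}
	return false
}

func hasUnit(units []string, u string) bool {
	for _, v := range units {
		if v == u {
			return true
		}
	}
	return false
}

// Authorize applies the RBAC table first, then the context restrictions, and
// returns the decision with a reason suitable for the audit trail.
func Authorize(req Request, ctx Context) (bool, string) {
	perms, ok := rolePermissions[req.Role]
	if !ok {
		return false, "unknown role"
	}
	if !hasAction(perms[req.Category], req.Action) {
		return false, fmt.Sprintf("role %s may not %s %s", req.Role, req.Action, req.Category)
	}
	// Same role, different unit or shift, different answer: that is CBAC.
	if !hasUnit(ctx.AssignedUnits, req.PatientUnit) {
		return false, "user not assigned to unit " + req.PatientUnit
	}
	if req.Hour < ctx.ShiftStart || req.Hour >= ctx.ShiftEnd {
		return false, "access outside assigned shift"
	}
	return true, "permitted"
}

func main() {
	dayShift4W := Context{AssignedUnits: []string{"4W"}, ShiftStart: 7, ShiftEnd: 19}
	for _, r := range []Request{
		{"rn_ana", "nurse", "lab_results", Read, "4W", 10},
		{"rn_ana", "nurse", "lab_results", Read, "6N", 10},
		{"rn_ana", "nurse", "lab_results", Read, "4W", 23},
		{"rn_ana", "nurse", "lab_results", Write, "4W", 10},
		{"reg_bo", "registrar", "lab_results", Read, "4W", 10},
	} {
		ok, why := Authorize(r, dayShift4W)
		fmt.Printf("%s %s %s %s unit=%s hour=%02d -> %v (%s)\n",
			r.User, r.Role, r.Action, r.Category, r.PatientUnit, r.Hour, ok, why)
	}
}
```

The order of the checks matters: the role check runs first so that a registrar asking for lab results is refused on role alone, and the reason string is returned so the denial can be written to the audit trail rather than silently dropped.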
is the restriction of access to information and information resources (such as computers) to only those who are authorized, by role or other means.
Identification, authentication, and authorization
What are some Access Control mechanisms?
This is usually performed through a username or user number, and the methods used must be robust so that impostors cannot successfully pose as a legitimate user and enter a system illegitimately.
is the act of verifying a claim of identity.
This is used as a type of authentication and is an example of something you know; other examples include a personal identification number (PIN) or your mother's maiden name. They are frequently used in conjunction with a username. Policies and procedures should be in place to ensure it cannot be easily compromised. For example, it should have a minimum length, include special characters and numbers, be case sensitive, and not be a word found in a dictionary or related to the user's ID or personal information. For example, "______" and "12345" are weak yet popular choices if the system allows them.
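An added example, not from the textbook or this card set, that turns the rules just listed into a checker a registration screen could call. The minimum length and the short word list are assumptions; a real deployment would check against a full dictionary or breached-password list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Added example (not part of the textbook or this card set): a checker for
// the password rules the card lists. The minimum length and the word list
// are assumptions standing in for a real policy and dictionary.

const minPasswordLength = 12

// commonWords stands in for a real dictionary or breached-password list.
var commonWords = []string{"password", "welcome", "letmein", "qwerty", "12345", "hospital"}

// CheckPassword returns every policy rule the candidate password violates.
// An empty result means the password is acceptable under this policy.
func CheckPassword(password, userID string) []string {
	var problems []string
	if len(password) < minPasswordLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minPasswordLength))
	}
	var hasUpper, hasLower, hasDigit, hasSpecial bool
	for _, r := range password {
		switch {
		case unicode.IsUpper(r):
			hasUpper = true
		case unicode.IsLower(r):
			hasLower = true
		case unicode.IsDigit(r):
			hasDigit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			hasSpecial = true
		}
	}
	if !hasUpper || !hasLower {
		problems = append(problems, "must mix upper- and lower-case letters")
	}
	if !hasDigit {
		problems = append(problems, "must contain a digit")
	}
	if !hasSpecial {
		problems = append(problems, "must contain a special character")
	}
	lower := strings.ToLower(password)
	for _, w := range commonWords {
		if strings.Contains(lower, w) {
			problems = append(problems, "contains a dictionary or commonly used word: "+w)
			break
		}
	}
	// Related to the user's ID: the card's last rule.
	if userID != "" && strings.Contains(lower, strings.ToLower(userID)) {
		problems = append(problems, "contains the user ID")
	}
	return problems
}

func main() {
	for _, p := range []string{"password", "12345", "jsmith2024!", "Gl4ss-Orchid^River"} {
		fmt.Printf("%-22q -> %v\n", p, CheckPassword(p, "jsmith"))
	}
}
```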
Smart Cards and Tokens
These are used as a type of authentication and are examples of something you have. A ______ is a small plastic card with an embedded microchip that can store multiple identification factors for a specific user. Usually it is used in combination with a user identification or password. A one-time password (OTP) token is a small electronic device programmed to generate and display new passwords at certain intervals. An OTP token is usually used in combination with a user identification or password. To access a system, a user enters an identification code, and the OTP token generates a one-time password that is displayed on the token.
This is used as a type of authentication that represents something you are. It includes palm prints, fingerprints, voice prints, and retinal (eye) scans.
Strong authentication requires providing information from two of the three different types of authentication information; for example, an individual provides something he or she knows and something he or she has. This is called _______. It is considered a stronger method of protecting data access than user identification with a password alone. (An example is Walt Disney World in Florida, where guests insert their park tickets (something they have) and also have their index finger scanned (something they are).)
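An added example, not from the textbook or this card set, of what goes on inside the OTP token described two cards up: the token and the server share a secret at enrolment, and each 30-second time step is fed through HMAC-SHA1 to produce the displayed code (HOTP, RFC 4226, with the time step as the counter, which is TOTP, RFC 6238). The secret and timestamps used below are the published RFC 6238 test vectors; the one-step drift window in the verifier is a design choice for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// Added example (not part of the textbook or this card set): the arithmetic
// inside an OTP token. HOTP (RFC 4226) derives a short code from a shared
// secret and a counter; TOTP (RFC 6238) uses the current 30-second time step
// as that counter, which is why the token's display changes at intervals.

const (
	totpStep   = 30 // seconds per time step
	totpDigits = 8  // digits shown; the RFC 6238 test vectors use 8
)

// HOTP computes the HMAC-SHA1 based one-time password for one counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte
	// window, whose top bit is cleared to avoid sign issues.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP computes the code the token would display at the given Unix time.
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/totpStep), totpDigits)
}

// VerifyTOTP accepts the code for the current step or one step either side,
// to tolerate clock drift between token and server. The constant-time
// comparison keeps response timing from leaking how many digits matched.
func VerifyTOTP(secret []byte, code string, unixTime int64) bool {
	for delta := int64(-1); delta <= 1; delta++ {
		expected := TOTP(secret, unixTime+delta*totpStep)
		if hmac.Equal([]byte(expected), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// The RFC 6238 test secret, shared by token and server at enrolment.
	secret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%-11d code=%s\n", ts, TOTP(secret, ts))
	}
	now := time.Now().Unix()
	fmt.Println("current code:", TOTP(secret, now), "verifies:", VerifyTOTP(secret, TOTP(secret, now), now))
}
```

Note what the server must protect: the shared secret is effectively a second password stored server-side, so it belongs in the same protected store as password hashes, and a code must be accepted only once per time step to stop replay.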
allows a user to log in once and then access many systems, so the user does not have to log in again for each of them.
is a right or permission given to an individual to use a computer resource, such as a computer, or to use specific applications and access specific data. It is also a set of actions that gives permission to an individual to perform specific functions such as read, write, or execute tasks.
refer to the physical protection of information resources from physical damage, loss from natural or other disasters, and theft. (Equipment should be located in secure locations and protected from natural and environmental hazards and intrusion. Environmental hazards include such things as fire, floods, moisture, temperature variations, and loss of electricity. To protect from natural or environmental hazards, equipment should be housed in structurally sound and safe areas. There should be smoke and fire alarms, fire suppression systems, heat sensors, and appropriate monitored heating and cooling systems in place. Appropriate backup power sources such as uninterruptible power supply UPS devices or power generators should be available if a power outage occurs.)
include policies and procedures that address the management of computer resources. For example, one such policy might direct users to log off the computer system when they are not using it, or employ automatic logoff after a period of inactivity. Other policies include password security (prohibiting sharing, minimum password requirements, the frequency of password changes, and failed-login monitoring) and timely removal of terminated employees' system access. Another policy might prohibit employees from accessing the Internet for purposes that are not work related.
Information Technology Asset Disposition (ITAD)
identifies how all data storage devices are destroyed and purged of data prior to repurposing or disposal.
These are controls contained in application software or computer programs to protect the security and integrity of information. One common application control is authentication, as previously described. Through the use of passwords, tokens or biometrics, a system keeps a record of end users' identifications and authentication mechanisms and then matches the authentication mechanism to each end user's privileges. This ensures that end users can access only the information they have permission to access.
is a software program that tracks every single access or attempted access of data in the computer system. It logs the name of the individual who accessed the data, terminal location or IP address, the date and time accessed, the type of data, and the action taken (for example, modifying, reading, or deleting data). They are usually examined by system administrators who use special analysis software to identify suspicious or abnormal system events or behavior.
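An added example, not from the textbook or this card set, of the analysis step the audit-trail card and the detection card (the one about monitoring for abnormal events) both describe: parse audit records carrying the fields listed above and flag the patterns an administrator looks for, such as a nurse opening a chart on another unit, a burst of distinct patients viewed in a few minutes (the classic snooping signature), and activity by an account that should have been disabled. The log format, field names, thresholds and the log lines themselves are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Added example (not part of the textbook or this card set): analysis an
// administrator might run over an audit trail. The log format, field names,
// thresholds and the log lines are all constructed for this example.

// Each line records who, from where, when, which patient's data, and what action.
const auditLog = `2024-03-04T09:12:05 user=rn_ana role=nurse unit=4W ip=10.0.4.21 patient=MRN10023 patient_unit=4W action=read
2024-03-04T22:05:44 user=rn_ana role=nurse unit=4W ip=10.0.4.21 patient=MRN20477 patient_unit=6N action=read
2024-03-04T13:01:02 user=reg_bo role=registrar unit=ADM ip=10.0.1.9 patient=MRN10023 patient_unit=4W action=read
2024-03-04T13:01:30 user=reg_bo role=registrar unit=ADM ip=10.0.1.9 patient=MRN10024 patient_unit=4W action=read
2024-03-04T13:01:55 user=reg_bo role=registrar unit=ADM ip=10.0.1.9 patient=MRN10025 patient_unit=4W action=read
2024-03-04T13:02:20 user=reg_bo role=registrar unit=ADM ip=10.0.1.9 patient=MRN10026 patient_unit=4W action=read
2024-03-04T13:02:44 user=reg_bo role=registrar unit=ADM ip=10.0.1.9 patient=MRN10027 patient_unit=4W action=read
2024-03-04T11:15:00 user=dr_cho role=physician unit=6N ip=10.0.6.3 patient=MRN20477 patient_unit=6N action=modify
2024-03-04T02:30:12 user=t_old role=nurse unit=4W ip=198.51.100.7 patient=MRN10023 patient_unit=4W action=read`

// terminated lists accounts whose access should already have been removed.
var terminated = map[string]bool{"t_old": true}

type Event struct {
	Time   time.Time
	Fields map[string]string
}

// ParseLine reads the timestamp, then each key=value token.
func ParseLine(line string) (Event, error) {
	parts := strings.Fields(line)
	if len(parts) < 2 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse("2006-01-02T15:04:05", parts[0])
	if err != nil {
		return Event{}, err
	}
	ev := Event{Time: ts, Fields: map[string]string{}}
	for _, tok := range parts[1:] {
		kv := strings.SplitN(tok, "=", 2)
		if len(kv) != 2 {
			return Event{}, fmt.Errorf("bad field %q", tok)
		}
		ev.Fields[kv[0]] = kv[1]
	}
	return ev, nil
}

// Analyze returns the suspicious patterns found, keyed by user.
func Analyze(log string) map[string][]string {
	findings := map[string][]string{}
	add := func(user, msg string) { findings[user] = append(findings[user], msg) }
	seen := map[string]map[string]bool{} // user -> distinct patients in the window
	windowStart := map[string]time.Time{}

	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		ev, err := ParseLine(line)
		if err != nil {
			fmt.Println("skipping:", err)
			continue
		}
		f, user := ev.Fields, ev.Fields["user"]

		if terminated[user] {
			add(user, "access by terminated account at "+ev.Time.Format(time.RFC3339))
		}
		// Direct-care staff reading charts of patients on another unit.
		if f["role"] == "nurse" && f["patient_unit"] != f["unit"] {
			add(user, "nurse on "+f["unit"]+" accessed patient on unit "+f["patient_unit"])
		}
		// Many distinct patients in a short window: a classic snooping signal.
		if seen[user] == nil || ev.Time.Sub(windowStart[user]) > 5*time.Minute {
			seen[user] = map[string]bool{}
			windowStart[user] = ev.Time
		}
		seen[user][f["patient"]] = true
		if len(seen[user]) == 5 {
			add(user, "5 or more distinct patients viewed within 5 minutes")
		}
	}
	return findings
}

func main() {
	for user, msgs := range Analyze(auditLog) {
		for _, msg := range msgs {
			fmt.Printf("%-7s %s\n", user, msg)
		}
	}
}
```

The registrar's burst may be perfectly legitimate (an admissions queue), which is why such rules raise findings for a person to review rather than lock accounts automatically; the physician's access produces nothing because it fits role, unit and pattern.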
help to ensure data integrity by allowing only reasonable and predetermined values to be entered into the computer. For example, a system using this feature would disallow an International Classification of Disease, Tenth Revision, Clinical Modification (ICD-10-CM) code that does not exist.
are essential to counter the threat of hackers.
(also called a secure gateway) is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It allows internal users access to an external network while blocking malicious hackers from damaging internal systems. (For example, an e-mail message believed to contain a Social Security number may be prohibited from leaving the private network, and an e-mail believed to contain a virus may be prohibited from entering it. It may also limit the size of files allowed through. It is configured to permit, deny, encrypt, or decrypt computer traffic.)
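An added example, not from the textbook or this card set, of the permit/deny logic a firewall applies: rules are tried top to bottom, the first match decides, and anything nothing matches is denied. It also includes the check a reviewer runs on a rule set, looking for a rule that can never fire because an earlier, broader rule already covers it. Addresses, ports and rule names are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Added example (not part of the textbook or this card set): a minimal
// stateless packet filter. Rules are evaluated in order, first match wins,
// and unmatched traffic is denied. Addresses and ports are assumptions.

type Packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
}

type Rule struct {
	Name    string
	Permit  bool
	Src     netip.Prefix
	Dst     netip.Prefix
	MinPort uint16
	MaxPort uint16 // inclusive; 0-65535 means any port
}

func (r Rule) Matches(p Packet) bool {
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		p.DstPort >= r.MinPort && p.DstPort <= r.MaxPort
}

// Evaluate returns the decision and the name of the rule that produced it.
func Evaluate(rules []Rule, p Packet) (bool, string) {
	for _, r := range rules {
		if r.Matches(p) {
			return r.Permit, r.Name
		}
	}
	return false, "default-deny"
}

// Shadowed reports rules that can never match because one earlier rule
// already covers their whole source, destination and port space. Such rules
// are a common sign of a misconfigured, falsely reassuring rule set.
func Shadowed(rules []Rule) []string {
	var out []string
	for i, later := range rules {
		for _, earlier := range rules[:i] {
			if earlier.Src.Overlaps(later.Src) && earlier.Src.Bits() <= later.Src.Bits() &&
				earlier.Dst.Overlaps(later.Dst) && earlier.Dst.Bits() <= later.Dst.Bits() &&
				earlier.MinPort <= later.MinPort && earlier.MaxPort >= later.MaxPort {
				out = append(out, later.Name+" is shadowed by "+earlier.Name)
				break
			}
		}
	}
	return out
}

var (
	internal  = netip.MustParsePrefix("10.0.0.0/8")
	anywhere  = netip.MustParsePrefix("0.0.0.0/0")
	ehrServer = netip.MustParsePrefix("10.0.20.5/32")
	webServer = netip.MustParsePrefix("203.0.113.10/32")
)

// rules: internal clients may reach the EHR application port; anyone may reach
// the public web server on 443; all other traffic to the EHR server is denied
// explicitly, and everything else falls through to the default deny.
var rules = []Rule{
	{"ehr-from-internal", true, internal, ehrServer, 8443, 8443},
	{"web-from-anywhere", true, anywhere, webServer, 443, 443},
	{"deny-ehr-other", false, anywhere, ehrServer, 0, 65535},
	{"never-reached", true, anywhere, webServer, 443, 443},
}

func main() {
	packets := []Packet{
		{netip.MustParseAddr("10.0.4.21"), netip.MustParseAddr("10.0.20.5"), 8443},
		{netip.MustParseAddr("198.51.100.7"), netip.MustParseAddr("10.0.20.5"), 8443},
		{netip.MustParseAddr("198.51.100.7"), netip.MustParseAddr("203.0.113.10"), 443},
		{netip.MustParseAddr("10.0.4.21"), netip.MustParseAddr("10.0.20.5"), 22},
	}
	for _, p := range packets {
		ok, by := Evaluate(rules, p)
		fmt.Printf("%-14s -> %-14s:%-5d permit=%-5v (%s)\n", p.Src, p.Dst, p.DstPort, ok, by)
	}
	for _, s := range Shadowed(rules) {
		fmt.Println("warning:", s)
	}
}
```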
(Cryptographic technology—such as encryption, digital signatures, and digital certificates—are used to protect information in a variety of situations. This includes protecting data when they are in storage (data at rest), on portable devices such as laptops and flash drives, and while they are being transmitted across networks.)
is a branch of mathematics concerned with transforming data by means of ciphers: algorithms that, together with a secret key, make data unreadable to anyone who does not hold the key. In modern practice it is the key that must be kept secret, not the algorithm.
is a method of encoding data, converting them into an unreadable jumble of scrambled characters and symbols so that they cannot be understood by anyone who lacks the key needed to transform them back into their original form. It protects data while they are transmitted across a telecommunication network and, equally, while they are stored. Data are encrypted using an algorithm combined with a key.
Upon receipt, encrypted data can be decoded and restored to their original readable form only by applying the corresponding algorithm with the correct key.
private (secret) key encryption, also called symmetric or single-key encryption
Is a type of encryption in which two or more computers share the same secret key, and that key is used both to encrypt and to decrypt a message. The key must be kept secret: if it is compromised in any way, the confidentiality of the data is lost. The best-known secret-key algorithm historically is the Data Encryption Standard (DES); its 56-bit key is far too short for modern use, and it has been superseded by the Advanced Encryption Standard (AES).
Public Key Infrastructure (PKI)
Public key (asymmetric) cryptography uses both a public key, which can be shared openly, and a private key, which is kept secret; the two form a key pair, and data encrypted with the public key can be decrypted only with the matching private key. A PKI is the set of certificates, certificate authorities, and procedures used to manage such key pairs across an organization.
(Digital signatures are sometimes confused with e-signatures. E-signature usually means a system for signing or authenticating electronic documents by entering a unique code or password that verifies the identity of the person and creates an individual signature on a document. E-signatures do not necessarily use cryptography.)
is a public key cryptography method that ensures that an electronic document, such as an e-mail message or text file, is authentic: the receiver knows who created the document and is assured that it has not been altered in any way since it was signed. The sender applies the private key to a hash (digest) of the data to produce the signature, and anyone holding the sender's public key can verify it.
are used to implement public key encryption on a large scale. A certificate is an electronic document that uses a digital signature (that of a trusted certificate authority) to bind a public key to an identity, such as the name of a person or organization, an address, and so forth. The certificate can be used to verify that a public key belongs to a particular individual or organization.
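An added example, not from the textbook or this card set, that puts the two families from the cards above side by side: single-key encryption (AES-256 in GCM mode, the modern successor to DES) where one shared secret both seals and opens the data, and a digital signature (ECDSA over the P-256 curve, applied to a SHA-256 hash) where the private key signs and the public key verifies. Both catch tampering, which the example demonstrates by flipping a bit in the ciphertext and by changing a signed prescription. Key size, curve and the sample messages are choices made for the example; certificates are not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example (not part of the textbook or this card set): symmetric
// encryption (AES-256-GCM) beside a digital signature (ECDSA P-256 over a
// SHA-256 digest). Key size, curve and messages are choices for the example.

// EncryptSymmetric seals plaintext with a shared key. GCM also authenticates
// the ciphertext, so any change is detected at decryption time.
func EncryptSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

// DecryptSymmetric reverses EncryptSymmetric and fails if the data was altered.
func DecryptSymmetric(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Sign hashes the document and signs the digest with the private key.
func Sign(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify needs only the public half of the key pair.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo runs both flows and reports whether each kind of tampering was caught.
func Demo() (symmetricTamperCaught, signatureTamperCaught bool, err error) {
	key := make([]byte, 32) // AES-256 key shared by both parties
	if _, err = rand.Read(key); err != nil {
		return
	}
	sealed, err := EncryptSymmetric(key, []byte("MRN10023 allergy: penicillin"))
	if err != nil {
		return
	}
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, openErr := DecryptSymmetric(key, sealed)
	symmetricTamperCaught = openErr != nil

	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	order := []byte("amoxicillin 500 mg")
	sig, err := Sign(priv, order)
	if err != nil {
		return
	}
	ok := Verify(&priv.PublicKey, order, sig)
	forged := Verify(&priv.PublicKey, []byte("amoxicillin 5000 mg"), sig)
	signatureTamperCaught = ok && !forged
	return
}

func main() {
	s, d, err := Demo()
	fmt.Println("symmetric tamper detected:", s, "signature tamper detected:", d, "err:", err)
}
```

The difference the cards draw is visible in the function signatures: DecryptSymmetric needs the same key that encrypted, so it must be distributed secretly to every party, while Verify takes only the public key, which is what a certificate exists to distribute.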
Intrusion Detection System (IDS)
is the process of identifying attempts or actions to penetrate a system and gain unauthorized access. It can be performed either in real time or after the fact. Its purpose is to prevent the compromise of the confidentiality, integrity, or availability of a resource.
This occurs through a contingency plan which is a set of procedures, documented by the organization to be followed when responding to emergencies. It typically includes policies and procedures to help the business continue operations during an unexpected shutdown or disaster. It also includes procedures the business can implement to restore its computer systems and resume normal operation after the disaster.
disaster recovery plan
addresses the resources, actions, tasks, and data necessary to restore those services identified as critical, as soon as possible, and to manage business recovery processes
Business Continuity Plan
is a set of policies and procedures that directs the organization how to continue its business operations during a computer system shutdown.
means that data do not change no matter how often or in how many ways they are stored, processed, or displayed. (Data values are consistent when the value of any given data element is the same across applications and systems. Procedures are usually developed to monitor data periodically to ensure that they are consistent as they move through computer processes or from one system to another.)
is the description of the data. Every data element should have a clear meaning and a range of acceptable values. This is usually stored in the data dictionary.
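An added example, not from the textbook or this card set, that ties together the edit-check card (rejecting an ICD-10-CM code that does not exist), the data-consistency card, and the data-definition card above: a small data dictionary gives each element a meaning and a check on its acceptable values, a validator applies those checks before a record is stored, and a separate routine compares one element across two systems. The field definitions, the few-entry code table, the dosage range and the records are assumptions built for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// Added example (not part of the textbook or this card set): edit checks
// driven by a small data dictionary, plus a consistency check of one element
// across two systems. Field definitions, code table, dose range and records
// are assumptions; the code table holds only a few ICD-10-CM codes.

// icd10Pattern is the structural form of an ICD-10-CM code: a letter, two
// alphanumerics, then an optional decimal part of one to four characters.
var icd10Pattern = regexp.MustCompile(`^[A-Z][0-9][0-9A-Z](\.[0-9A-Z]{1,4})?$`)

// knownCodes stands in for the full code table a real system would load.
var knownCodes = map[string]bool{"E11.9": true, "I10": true, "J45.20": true}

// Field is one data-dictionary entry: a meaning plus its acceptable values.
type Field struct {
	Name, Meaning string
	Check         func(string) error
}

func rangeCheck(lo, hi float64) func(string) error {
	return func(s string) error {
		v, err := strconv.ParseFloat(s, 64)
		if err != nil {
			return fmt.Errorf("not a number: %q", s)
		}
		if v < lo || v > hi {
			return fmt.Errorf("%g outside acceptable range %g-%g", v, lo, hi)
		}
		return nil
	}
}

var dictionary = []Field{
	{"diagnosis_code", "Principal diagnosis, ICD-10-CM", func(s string) error {
		if !icd10Pattern.MatchString(s) {
			return fmt.Errorf("%q is not a well-formed ICD-10-CM code", s)
		}
		if !knownCodes[s] {
			return fmt.Errorf("%q does not exist in the code table", s)
		}
		return nil
	}},
	{"metformin_dose_mg", "Single oral dose in milligrams", rangeCheck(250, 1000)},
	{"service_date", "Date of service, YYYY-MM-DD, not in the future", func(s string) error {
		d, err := time.Parse("2006-01-02", s)
		if err != nil {
			return err
		}
		if d.After(time.Now()) {
			return fmt.Errorf("service date %s is in the future", s)
		}
		return nil
	}},
}

// Validate runs every dictionary check against a record and returns the
// problems found, so an entry screen can reject bad values before storage.
func Validate(record map[string]string) []string {
	var problems []string
	for _, f := range dictionary {
		v, ok := record[f.Name]
		if !ok {
			problems = append(problems, f.Name+": missing")
			continue
		}
		if err := f.Check(v); err != nil {
			problems = append(problems, f.Name+": "+err.Error())
		}
	}
	return problems
}

// Inconsistent compares the same data element held by two systems and reports
// the patients whose values differ, the periodic check the consistency card describes.
func Inconsistent(a, b map[string]string) []string {
	var out []string
	for mrn, va := range a {
		if vb, ok := b[mrn]; ok && va != vb {
			out = append(out, fmt.Sprintf("%s: %q vs %q", mrn, va, vb))
		}
	}
	return out
}

func main() {
	good := map[string]string{"diagnosis_code": "E11.9", "metformin_dose_mg": "500", "service_date": "2024-03-04"}
	bad := map[string]string{"diagnosis_code": "E11.99X", "metformin_dose_mg": "5000", "service_date": "2999-01-01"}
	fmt.Println("good:", Validate(good))
	fmt.Println("bad: ", Validate(bad))
	ehrDOB := map[string]string{"MRN10023": "1961-07-14", "MRN10031": "1984-02-02"}
	labDOB := map[string]string{"MRN10023": "1961-07-14", "MRN10031": "1984-02-20"}
	fmt.Println("inconsistent:", Inconsistent(ehrDOB, labDOB))
}
```

Note the two-stage diagnosis check: "E11.99X" is structurally a valid code shape but is not in the table, which is exactly the case the edit-check card describes, while a malformed string such as "ZZZ" is rejected before the table is consulted.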
at least every year
When should data security policies and procedures be reviewed and evaluated to make sure they are up-to-date and still relevant to the organization?
Administrative Safeguard Standards
They detail how the security program should be managed from the organization's perspective. Policies and procedures should be written and formalized in a policy manual. The organization should issue a statement of its philosophy on data security. Further, it should outline data security authority and responsibilities throughout the organization. There are a number of ways that an organization can control the use of terminals, including user limitations such as maximum allowed login attempts, screen savers, and the timing out of terminals when a determined period of inactivity has been reached. Physically, terminals should be able to be locked when not in use, and an organization should maintain an inventory such that all terminals used within the organization can be identified.
• Security management process: An organization must have a defined security management process. This means that there is a process in place for creating, maintaining, and overseeing the development of security policies and procedures; identifying vulnerabilities and conducting risk analyses; establishing a risk management program; developing a sanction policy; and reviewing information system activity.
• Assigned security responsibility: Each covered entity must designate a security official who has been assigned security responsibility for the development and implementation of the policies and procedures required by the HIPAA Security Rule. Frequently, this individual is given the title of chief security officer (CSO) or security officer.
• Workforce security: The covered entity must ensure appropriate clearance procedures to grant access to individually identifiable information to workforce members who need to use e-PHI to perform their job duties and must maintain appropriate oversight of authorization and access. Likewise, covered entities must prevent access to information to those who do not need it and have clear procedures of access termination for employees who leave the organization. Sanction policies must also be in place.
• Information access management: This standard requires covered entities to implement a program of information access management. It includes specific policies and procedures to determine who should have access to what information.
• Security awareness and training: This standard requires entities to provide security training for all staff. They must address security reminders, detection and reporting of malicious software, login monitoring, and password management.
• Security incident procedures: This standard requires the implementation of policies and procedures to address security incidents, including responding to, reporting, and mitigating suspected or known incidents.
• Contingency plan: This standard requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain e-PHI. It includes a data backup plan, disaster recovery plan, emergency mode of operation plan, testing and revision procedures, and applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency.
• Evaluation: A periodic evaluation must be performed in response to environmental or operational changes affecting the security of e-PHI and appropriate improvements in policies and procedures should follow.
• Business associate contracts: This standard requires business associates to appropriately safeguard information in their possession and covered entities to receive satisfactory assurances that the business associates will do so.
General Rules include the following:
• Covered entities must demonstrate and document that they have done the following:
○ Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) that is created, received, maintained, or transmitted by the covered entity
○ Protect e-PHI against any reasonably anticipated threats or hazards to the security or integrity of e-PHI
○ Protect e-PHI against any reasonably anticipated uses or disclosures that are not permitted under the HIPAA Privacy Rule
○ Ensure compliance with HIPAA Security Rule by workforce members
• The Security Rule is flexible, scalable, and technology neutral. Regarding flexibility, HIPAA allows a covered entity to adopt security protection measures that are appropriate and reasonable for its organization. For example, security mechanisms will be more complex in a large healthcare organization than in a small group practice. In determining which security measures to use, the following must be taken into account:
○ Size, complexity, and capabilities of the covered entity
○ Technical infrastructure, hardware, and software capabilities
○ Security measure costs
○ Probability and criticality of the potential risks to e-PHI
• Standards: The General Rules specify which HIPAA Security Rule standards covered entities must comply with. Business associates, hybrid entities, and other related entities are also required to comply with these standards.
• Implementation specifications define how standards are to be implemented. Implementation specifications are either required or addressable. Entities must apply all implementation specifications that are required. Addressable does not mean optional. For those implementation specifications that are labeled addressable, the covered entity must conduct a risk assessment and evaluate whether the specification is appropriate to its environment. After conducting a risk assessment, if the covered entity finds that the specification is not a reasonable and appropriate safeguard for its environment (for example, a small organization may decide not to encrypt PHI because it deems it too expensive to do so), then the covered entity must:
1. Document why it is not reasonable and appropriate to implement the specification as written.
2. Implement an equivalent alternative method if reasonable and appropriate.
• Maintenance: HIPAA requires covered entities and business associates to maintain their security measures. Maintenance requires review and modification, as needed, to comply with the provision of reasonable and appropriate protection of e-PHI.
What are the HIPAA general security rules?
Physical Safeguard Standards
include the protection of electronic systems from natural and environmental hazards and intrusion. They encompass related buildings and equipment.
• Facility access controls: This includes establishing safeguards to prohibit the physical hardware and computer system itself from unauthorized access while ensuring that proper authorized access is allowed. Similar safeguards are also required to protect the computer system from catastrophic physical events (for example, fire, flooding, and electrical malfunctions).
• Workstation use: Policies and procedures must relate to workstations that access e-PHI and include proper functions to be performed, how they are to be performed, and the physical environment in which those workstations exist.
• Workstation security: Provisions under workstation security require that physical safeguards be implemented for workstations with access to e-PHI.
• Device and media controls: This standard requires the facility to specify proper receipt and removal of hardware and media containing e-PHI and to address such items as they move within the organization. The entity must also address procedures for removal or disposal, including reuse or redeployment of electronic media, data backup, and the identity of persons accountable for the process. Information technology asset disposition (ITAD) policies are required under this standard. These policies should address end-of-life hard drives, laptops, servers, and other media that have contained sensitive data. Because such equipment is often redeployed within an organization, all e-PHI and any other sensitive data must be removed. Before hard drives, servers, or laptops are disposed of, appropriate data destruction must be carried out.
Technical Safeguard Provisions
consist of five broad categories. These provisions include those things that can be implemented from a technical standpoint using computer software.
• Access controls: The access controls standard requires implementation of technical procedures to control or limit access to health information. The procedures would be executed through some type of software program. This requirement ensures that individuals are given authorization to access only the data they need to perform their respective jobs. The implementation specifications include unique user identifications, emergency access procedures (for example, a break-the-glass capability that allows nonstandard access), automatic logoff after a predetermined period of workstation inactivity, and encryption and decryption, discussed earlier in the chapter.
• Audit controls: The audit control standard requires procedural mechanisms be implemented to record activity in systems that contain e-PHI and that the output be examined to determine appropriateness of access. Audit trails were discussed earlier in this chapter.
• Integrity: The data integrity standard requires covered entities to implement policies and procedures to protect e-PHI from being improperly altered or destroyed. In other words, this standard requires organizations to provide corroboration that their data have not been altered in an unauthorized manner. Data authentication can be substantiated through audit trails and system logs that track users who have accessed or modified data via unique identifiers.
• Person or entity authentication: This standard requires that those accessing e-PHI must be appropriately identified and authenticated as discussed earlier in this chapter.
• Transmission security: This standard requires the guarding of data against unauthorized access (interception) or improper modification without detection when they are in transit, whether via open networks such as the Internet or private networks such as those internal to an organization. The two implementation specifications—integrity controls and encryption—are addressable. The Security Rule itself does not require encryption unless the organization deems it appropriate, but the security of e-PHI transmitted over public networks or communication systems must be accomplished. Data encryption that provides protection for data across transmission lines is important because eavesdropping is easily accomplished using devices called sniffers. Sniffers can be attached to networks for the purpose of diverting transmitted data. Protecting data during transmission is only one role of encryption. Data at rest can also be encrypted. Passwords stored in a database may also be encrypted. Thus, if a hacker breaks into the password database, the data will be unusable.
FYI: This section includes just two standards—one addresses business associates and similar entities and the other addresses group health plan requirements.
• Business associate or other contracts: Covered entities must obtain a written contract with business associates or other entities (hybrid or other) who handle e-PHI. The written contract must stipulate that the business associate will implement HIPAA administrative, physical, and technical safeguards and procedures and documentation requirements that safeguard the confidentiality, integrity, and availability of the e-PHI that it creates, receives, maintains, or transmits on behalf of the covered entity. The contract must ensure that any agent, including a subcontractor, agrees to implement reasonable and appropriate safeguards. Specifically, HIPAA requires a business associate to report to the covered entity any security incident or breach of e-PHI of which it becomes aware. The covered entity must authorize termination of the contract if it determines that the business associate has violated a material term of the contract.
• Group health plan requirements: Group health plans must ensure their plan documents provide that the plan sponsor (an entity that provides a health plan for its employees) will reasonably and appropriately safeguard e-PHI that is created, received, maintained, or transmitted by or to plan sponsors on behalf of the health plans.
FYI: The Security Rule requires that covered entities and business associates have policies and procedures and that they be documented in writing. Other information about any actions, assessments, or activities associated with the HIPAA Security Rule also must be in writing.
• Policies and procedures: Entities must implement reasonable and appropriate policies and procedures to comply with the HIPAA security standards, implementation specifications, and other requirements. Policies and procedures should be developed and implemented, taking into account the section on flexibility outlined in the rule.
• Documentation: Entities must maintain their security policies and procedures in writing (this includes electronic format). Any actions, assessments, or activities related to the HIPAA Security Rule also must be documented in writing. Documentation must be retained for six years from the date of its creation or the date when it was last in effect, whichever is later. It must be made available to those individuals responsible for implementing security procedures. Further, it must be reviewed periodically and updated as needed, in response to environmental or organizational changes that affect the security of e-PHI.