
Sayles Chapter 10 (Data Security)

Key Concepts:


• Threats from insiders who make unintentional errors: Examples include employees who accidentally make a typographical error, inadvertently delete files on a computer disk, or unknowingly disclose confidential information. Unintentional error is one of the major causes of security breaches.
• Threats from insiders who abuse their access privileges to information: Examples include employees who knowingly disclose information about a patient to individuals who do not have proper authorization; employees with access to computer files who purposefully snoop for information they do not need to perform their jobs; and employees who store information on a thumb or flash drive, remove it from the facility on a laptop or other storage device, and subsequently lose the device or have it stolen.
• Threats from insiders who access information or computer systems for spite or profit: Generally, such employees seek information to commit fraud or theft. Identity theft—stealing information from patients, their families, or other employees—is on the rise and can result in prosecution of those employees who obtained that information unlawfully.
• Threats from intruders who attempt to access information or steal physical resources: Individuals may physically come onto the organization's property to access information or steal equipment such as laptop computers or printers. They also may loiter in the organization's buildings hoping to access information from unprotected computer terminals or to read or take paper documents, computer disks, or other information.
• Threats from vengeful employees or outsiders who mount attacks on the organization's information systems: Disgruntled employees might destroy computer hardware or software, delete or change data, or enter data incorrectly into the computer system. Outsiders might mount attacks that can harm the organization's information resources. For example, malicious hackers can plant viruses in a computer system or break into telecommunications systems to degrade or disrupt system availability.
They detail how the security program should be managed from the organization's perspective. Policies and procedures should be written and formalized in a policy manual. The organization should issue a statement of its philosophy on data security. Further, it should outline data security authority and responsibilities throughout the organization. There are a number of ways that an organization can control the use of terminals, including user limitations such as maximum allowed login attempts, screen savers, and the timing out of terminals when a determined period of inactivity has been reached. Physically, terminals should be able to be locked when not in use, and an organization should maintain an inventory such that all terminals used within the organization can be identified.

• Security management process: An organization must have a defined security management process. This means that there is a process in place for creating, maintaining, and overseeing the development of security policies and procedures; identifying vulnerabilities and conducting risk analyses; establishing a risk management program; developing a sanction policy; and reviewing information system activity.
• Assigned security responsibility: Each covered entity must designate a security official who has been assigned security responsibility for the development and implementation of the policies and procedures required by the HIPAA Security Rule. Frequently, this individual is given the title of chief security officer (CSO) or security officer.
• Workforce security: The covered entity must ensure appropriate clearance procedures to grant access to individually identifiable information to workforce members who need to use e-PHI to perform their job duties and must maintain appropriate oversight of authorization and access. Likewise, covered entities must prevent access to information to those who do not need it and have clear procedures of access termination for employees who leave the organization. Sanction policies must also be in place.
• Information access management: This standard requires covered entities to implement a program of information access management. It includes specific policies and procedures to determine who should have access to what information.
• Security awareness and training: This standard requires entities to provide security training for all staff. They must address security reminders, detection and reporting of malicious software, login monitoring, and password management.
• Security incident procedures: This standard requires the implementation of policies and procedures to address security incidents, including responding to, reporting, and mitigating suspected or known incidents.
• Contingency plan: This standard requires the establishment and implementation of policies and procedures for responding to emergencies or failures in systems that contain e-PHI. It includes a data backup plan, disaster recovery plan, emergency mode of operation plan, testing and revision procedures, and applications and data criticality analysis to prioritize data and determine what must be maintained or restored first in an emergency.
• Evaluation: A periodic evaluation must be performed in response to environmental or operational changes affecting the security of e-PHI and appropriate improvements in policies and procedures should follow.
• Business associate contracts: This standard requires business associates to appropriately safeguard information in their possession and covered entities to receive satisfactory assurances that the business associates will do so.
General Rules include the following:
• Covered entities must demonstrate and document that they have done the following:
○ Ensure the confidentiality, integrity, and availability of all electronic protected health information (e-PHI) that is created, received, maintained, or transmitted by the covered entity
○ Protect e-PHI against any reasonably anticipated threats or hazards to the security or integrity of e-PHI
○ Protect e-PHI against any reasonable or anticipated uses or disclosures that are not permitted under the HIPAA Privacy Rule
○ Ensure compliance with HIPAA Security Rule by workforce members
• The Security Rule is flexible, scalable, and technology neutral. Regarding flexibility, HIPAA allows a covered entity to adopt security protection measures that are appropriate and reasonable for its organization. For example, security mechanisms will be more complex in a large healthcare organization than in a small group practice. In determining which security measures to use, the following must be taken into account:
○ Size, complexity, and capabilities of the covered entity
○ Technical infrastructure, hardware, and software capabilities
○ Security measure costs
○ Probability and criticality of the potential risks to e-PHI
• Standards: The General Rules specify which HIPAA Security Rule standards covered entities must comply with. Business associates, hybrid entities, and other related entities are also required to comply with these standards.
• Implementation specifications define how standards are to be implemented. Implementation specifications are either required or addressable. Entities must apply all implementation specifications that are required. Addressable does not mean optional. For those implementation specifications that are labeled addressable, the covered entity must conduct a risk assessment and evaluate whether the specification is appropriate to its environment. After conducting a risk assessment, if the covered entity finds that the specification is not a reasonable and appropriate safeguard for its environment (for example, a small organization may decide not to encrypt PHI because it deems it too expensive to do so), then the covered entity must:
1. Document why it is not reasonable and appropriate to implement the specification as written.
2. Implement an equivalent alternative method if reasonable and appropriate.
• Maintenance: HIPAA requires covered entities and business associates to maintain their security measures. Maintenance requires review and modification, as needed, to comply with the provision of reasonable and appropriate protection of e-PHI.
include the protection of electronic systems from natural and environmental hazards and intrusion. They encompass related buildings and equipment.

• Facility access controls: This includes establishing safeguards to prohibit the physical hardware and computer system itself from unauthorized access while ensuring that proper authorized access is allowed. Similar safeguards are also required to protect the computer system from catastrophic physical events (for example, fire, flooding, and electrical malfunctions).
• Workstation use: Policies and procedures must relate to workstations that access e-PHI and include proper functions to be performed, how they are to be performed, and the physical environment in which those workstations exist.
• Workstation security: Provisions under workstation security require that physical safeguards be implemented for workstations with access to e-PHI.
• Device and media controls: This standard requires the facility to specify proper receipt and removal of hardware and media with e-PHI and to address items as they move within an organization. The entity must also address procedures for removal or disposal, including reuse or redeployment of electronic media, data backup, and the identity of persons accountable for the process. Information technology asset disposition (ITAD) policies are required under this standard. These policies should address end-of-life-cycle hard drives, laptops, servers, and other media that have contained sensitive data. Because such equipment is often redeployed in an organization, all e-PHI and any other sensitive data must be removed. Before hard drives, servers, or laptops are disposed of, appropriate data destruction must be carried out.
consist of five broad categories. These provisions include those things that can be implemented from a technical standpoint using computer software.

• Access controls: The access controls standard requires implementation of technical procedures to control or limit access to health information. The procedures would be executed through some type of software program. This requirement ensures that individuals are given authorization to access only the data they need to perform their respective jobs. The implementation specifications include unique user identifications, emergency access procedures (for example, a break-the-glass capability that allows nonstandard access), automatic logoff after a predetermined period of workstation inactivity, and encryption and decryption, discussed earlier in the chapter.
• Audit controls: The audit control standard requires procedural mechanisms be implemented to record activity in systems that contain e-PHI and that the output be examined to determine appropriateness of access. Audit trails were discussed earlier in this chapter.
• Integrity: The data integrity standard requires covered entities to implement policies and procedures to protect e-PHI from being improperly altered or destroyed. In other words, this standard requires organizations to provide corroboration that their data have not been altered in an unauthorized manner. Data authentication can be substantiated through audit trails and system logs that track users who have accessed or modified data via unique identifiers.
• Person or entity authentication: This standard requires that those accessing e-PHI must be appropriately identified and authenticated as discussed earlier in this chapter.
• Transmission security: This standard requires the guarding of data against unauthorized access (interception) or improper modification without detection when they are in transit, whether via open networks such as the Internet or private networks such as those internal to an organization. The two implementation specifications—integrity controls and encryption—are addressable. The Security Rule itself does not require encryption unless the organization deems it appropriate, but the security of e-PHI transmitted over public networks or communication systems must be accomplished. Data encryption that provides protection for data across transmission lines is important because eavesdropping is easily accomplished using devices called sniffers. Sniffers can be attached to networks for the purpose of diverting transmitted data. Protecting data during transmission is only one role of encryption. Data at rest can also be encrypted. Passwords stored in a database may also be encrypted. Thus, if a hacker breaks into the password database, the data will be unusable.