A GLOSSARY OF HIPAA TERMS
Ability to add attributes: One possible
capability of a digital signature technology. For example, the ability to add a
time stamp as part of a digital signature.
Access: The ability or the means necessary to
read, write, modify, or communicate data/information or otherwise make use of
any system resource.
Access authorization: Information-use policies/procedures that establish
the rules for granting and/or restricting access to a user, terminal,
transaction, program, or process.
Access control: A method of restricting access to resources, allowing only
privileged entities access. Types of access control include, among others,
mandatory access control, discretionary access control, time-of-day,
classification, and subject-object separation.
Access controls: The protection of sensitive
communications transmissions over open or private networks so that they cannot be
easily intercepted and interpreted by parties other than the intended
recipient.
Access establishment: The
security policies, and the rules established therein, that determine an
entity's initial right of access to a terminal, transaction, program, or
process.
Access level: A level
associated with an individual who may be accessing information (for example, a
clearance level) or with the information which may be accessed (for example, a
classification level).
Access modification: The security policies, and the rules established
therein, that determine types of, and reasons for, modification to an
entity's established right of access to a terminal, transaction, program,
or process.
Accountability: The
property that ensures that the actions of an entity can be traced uniquely to
that entity.
Administrative procedures to guard data integrity, confidentiality and availability: Documented,
formal practices to manage (1) the selection and execution of security measures
to protect data, and (2) the conduct of personnel in relation to the protection
of data.
Alarm, event reporting, and audit trail: (1) alarm: In communication systems, any device that can
sense an abnormal condition within the system and provide, either locally or
remotely, a signal indicating the presence of the abnormality. The signal may
be in any desired form ranging from a simple contact closure (or opening) to a
time-phased automatic shutdown and restart cycle. (2) event reporting: Network
message indicating operational irregularities in physical elements of a network
or a response to the occurrence of a significant task, typically the completion
of a request for information. (3) audit trail: Data collected and potentially
used to facilitate a security audit.
Applications and data criticality analysis: An
entity's formal assessment of the sensitivity, vulnerabilities, and
security of its programs and information it receives, manipulates, stores,
and/or transmits.
Assigned security responsibility: Practices put in place by management to manage and
supervise (1) the execution and use of security measures to protect data, and
(2) the conduct of personnel in relation to the protection of
data.
Assure supervision of maintenance personnel by authorized, knowledgeable person: Documented formal
procedures/instruction for the oversight of maintenance personnel when such
personnel are in the vicinity of health information pertaining to an
individual.
Asymmetric encryption: Encryption and decryption performed using two different keys, one of which is
referred to as the public key and one of which is referred to as the private
key. Also known as public-key encryption.
Asymmetric key: One half of a key pair used in an
asymmetric ("public-key") encryption system. Asymmetric encryption systems have
two important properties: (1) the key used for encryption is different from the
one used for decryption, and (2) neither key can feasibly be derived from the
other.
Audit controls: The
mechanisms employed to record and examine system activity.
Authorization control: The mechanism for
obtaining consent for the use and disclosure of health information.
Automatic logoff: After a pre-determined
time of inactivity (for example, 15 minutes), an electronic session is
terminated.
Availability: The
property of being accessible and useable upon demand by an authorized
entity.
Awareness training for all personnel (including management): All personnel in an organization should
undergo security awareness training, including, but not limited to, password
maintenance, incident reporting, and an education concerning viruses and other
forms of malicious software.
Biometric: A biometric identification system
identifies a human from a measurement of a physical feature or repeatable
action of the individual (for example, hand geometry, retinal scan, iris scan,
fingerprint patterns, facial characteristics, DNA sequence characteristics,
voice prints, and hand written signature).
Certification: The technical evaluation performed
as part of, and in support of, the accreditation process that establishes the
extent to which a particular computer system or network design and
implementation meet a pre-specified set of security requirements. This
evaluation may be performed internally or by an external accrediting
agency.
Chain of Trust Partner Agreement: Contract entered into by two business partners in which
it is agreed to exchange data and that the first party will transmit
information to the second party, where the data transmitted is agreed to be
protected between the partners. The sender and receiver depend upon each other
to maintain the integrity and confidentiality of the transmitted information.
Multiple such two-party contracts may be involved in moving information from
the originator to the ultimate recipient, for example, a provider may contract
with a clearing house to transmit claims to the clearing house; the clearing
house, in turn, may contract with another clearing house or with a payer for
the further transmittal of those same claims.
Classification: Protection of data from
unauthorized access by the designation of multiple levels of access
authorization clearances to be required for access, dependent upon the
sensitivity of the information.
Clearing House: A public or private entity that processes or facilitates the
processing of nonstandard data elements of health information into standard
data elements.
Combination locks changed: Documented procedure for changing combinations of locking
mechanisms, both on a recurring basis and when personnel knowledgeable of
combinations no longer have a need to know or a requirement for access to the
protected facility/system.
Confidentiality: The property that information is
not made available or disclosed to unauthorized individuals, entities or
processes.
Context-based access: An
access control based on the context of a transaction (as opposed to being based
on attributes of the initiator or target). The "external" factors might include
time of day, location of the user, strength of user authentication,
etc.
Contingency Plan: A plan for
responding to a system emergency. The plan includes performing backups,
preparing critical facilities that can be used to facilitate continuity of
operations in the event of an emergency, and recovering from a disaster.
Contingency plans should be updated routinely.
Continuity of signature capability: The public
verification of a signature shall not compromise the ability of the signer to
apply additional secure signatures at a later date.
Counter signatures: It shall be possible to prove the order of application of signatures. This is
analogous to the normal business practice of countersignatures, where some
party signs a document which has already been signed by another
party.
Data: A sequence of symbols
to which meaning may be assigned.
Data authentication: The corroboration that data has not been altered or
destroyed in an unauthorized manner. Examples of how data corroboration may be
assured include the use of a check sum, double keying, a message authentication
code, or digital signature.
Data backup: A retrievable, exact copy of information.
Data backup plan: A documented and routinely updated plan to create and
maintain, for a specific period of time, retrievable exact copies of
information.
Data Integrity: The
property that dat has [sic] not been altered or destroyed in an unauthorized
manner.
Data storage: The retention
of health care information pertaining to an individual in an electronic
format.
Digital signature: An
electronic signature based upon cryptographic methods of originator
authentication, computed by using a set of rules and a set of parameters such
that the identity of the signer and the integrity of the data can be
verified.
Disaster recovery: The
process whereby an enterprise would restore any loss of data in the event of
fire, vandalism, natural disaster, or system failure, human error, or any other
reason.
Disaster recovery plan: Part
of an overall contingency plan. The plan for a process whereby an enterprise
would restore any loss of data in the event of fire, vandalism, natural
disaster, or system failure.
Discretionary access control: Discretionary Access Control (DAC) is used to
control access by restricting a subject's access to an object. It is generally
used to limit a user's access to a file. In this type of access control it is
the owner of the file who controls other users' accesses to the
file.
Disposal: The final
disposition of electronic data, and/or the hardware on which electronic data is
stored.
Documentation: Written
security plans, rules, procedures, and instructions concerning all components
of an entity's security.
Electronic data interchange (EDI): Intercompany, computer-to-computer transmission
of business information in a standard format. For EDI purists,
computer-to-computer means direct transmission from the originating
application program to the receiving, or processing, application program, and
an EDI transmission consists only of business data, not any accompanying
verbiage or free-form messages. Purists might also contend that a standard
format is one that is approved by a national or international standards
organization, as opposed to formats developed by industry groups or companies.
Electronic signature: The attribute
that is affixed to an electronic document to bind it to a particular entity. An
electronic signature process secures the user authentication (proof of claimed
identity, such as by biometrics (fingerprints, retinal scans, hand written
signature verification, etc.), tokens or passwords) at the time the signature
is generated; creates the logical manifestation of signature (including the
possibility for multiple parties to sign a document and have the order of
application recognized and proven) and supplies additional information such as
time stamp and signature purpose specific to that user; and ensures the
integrity of the signed document to enable transportability, interoperability,
independent verifiability, and continuity of signature capability. Verifying a
signature on a document verifies the integrity of the document and associated
attributes and verifies the identity of the signer. There are several
technologies available for user authentication, including passwords,
cryptography, and biometrics.
Emergency mode operation: Access controls in place that enable an enterprise to
continue to operate in the event of fire, vandalism, natural disaster, or
system failure.
Emergency mode operation plan: Part of an overall contingency plan. The plan for a process
whereby an enterprise would be able to continue to operate in the event of
fire, vandalism, natural disaster, or system failure.
Encryption: Transforming confidential plaintext
into ciphertext to protect it. Also called encipherment. An encryption
algorithm combines plaintext with other values called keys, or ciphers, so the
data becomes unintelligible. Once encrypted, data can be stored or transmitted
over unsecured lines.
Entity authentication: 1. The corroboration that an entity is the one
claimed. 2. A communications/network mechanism to irrefutably identify
authorized users, programs, and processes, and to deny access to unauthorized
users, programs and processes.
Equipment control (into and out of site): Documented security procedures for
bringing hardware and software into and out of a facility and for maintaining a
record of that equipment. This includes, but is not limited to, the marking,
handling, and disposal of hardware and storage media.
Facility security plan: A plan to safeguard the
premises and building(s) (exterior and interior) from unauthorized physical
access, and to safeguard the equipment therein from unauthorized physical
access, tampering, and theft.
Formal mechanism for processing records: Documented policies and procedures for the
routine, and non-routine, receipt, manipulation, storage, dissemination,
transmission, and/or disposal of health information.
Hardware/software installation & maintenance review and testing for security features: Formal, documented procedures for (1)
connecting and loading new equipment and programs, (2) periodic review of the
maintenance occurring on that equipment and programs, and (3) periodic security
testing of the security attributes of that hardware/software.
Independent verifiability: The capability to
verify the signature without the cooperation of the signer. Technically, it is
accomplished using the public key of the signatory, and it is a property of all
digital signatures performed with asymmetric key encryption.
Information: Data to which meaning is assigned,
according to context and assumed conventions.
Information access control: Formal, documented
policies and procedures for granting different levels of access to health care
information.
Integrity controls: Security mechanism employed to ensure the validity of the information being
electronically transmitted or stored.
Internal audit: The in-house review of the records of system activity (for
example, logins, file accesses, security incidents) maintained by an
organization.
Interoperability: The
applications used on either side of a communication, between trading partners
and/or between internal components of an entity, being able to read and
correctly interpret the information communicated from one to the other.
Inventory: Formal, documented
identification of hardware and software assets.
Key: An input that controls the transformation of
data by an encryption algorithm.
Maintenance of record of access authorizations: Ongoing documentation and review of
the levels of access granted to a user, program, or procedure accessing health
information.
Maintenance records: Documentation of repairs and modifications to the physical components of a
facility. For example, hardware, software, walls, doors, locks.
Mandatory Access Control (MAC): A means of
restricting access to objects that is based on fixed security attributes
assigned to users and to files and other objects. The controls are mandatory in
the sense that they cannot be modified by users or their programs.
Media controls: Formal, documented policies and
procedures that govern the receipt and removal of hardware/software (for
example, diskettes, tapes) into and out of a facility.
Message: A digital representation of
information.
Message authentication: Ensuring, typically with a message authentication code, that a message received
(usually via a network) matches the message sent.
Message authentication code: Data associated with
an authenticated message that allows a receiver to verify the integrity of the
message.
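The data authentication, message authentication and message authentication code entries above describe the same mechanism from three angles. The following Python example is added here for illustration and is not part of this glossary or of any HIPAA text; the shared key and the claim-style message are constructed sample values. It computes an HMAC-SHA256 tag, verifies it on the receiving side, and contrasts it with a plain checksum, which the entry on data authentication also lists: a tamperer can recompute a checksum but cannot recompute a keyed tag.

```python
import hashlib
import hmac

# Constructed sample values (not from the glossary): a secret the sender and
# receiver agreed on out of band, and a claim-style message to protect.
SHARED_KEY = b"constructed-shared-secret-for-the-example"
MESSAGE = b"claim_id=12345;patient_ref=ABC;amount=250.00"


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Message authentication code for the message: HMAC-SHA256 under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    hmac.compare_digest is used instead of '==' so that the comparison does not
    leak, through its timing, how many leading bytes of a forged tag were right.
    """
    return hmac.compare_digest(compute_mac(key, message), tag)


def checksum(message: bytes) -> int:
    """An unkeyed checksum, kept for contrast with the MAC: it catches accidental
    corruption, but anyone who alters the message can simply recompute it."""
    return sum(message) % 65536


def demo() -> dict:
    """One message protected by a MAC and by a checksum, with and without tampering."""
    tag = compute_mac(SHARED_KEY, MESSAGE)
    tampered = MESSAGE.replace(b"250.00", b"2500.00")

    # Checksum-protected packet: the tamperer recomputes the checksum, and the
    # receiver's integrity check still passes.
    forged_packet = (tampered, checksum(tampered))
    checksum_accepts_forgery = checksum(forged_packet[0]) == forged_packet[1]

    return {
        # Untouched message with the genuine tag: accepted.
        "untouched_verifies": verify_mac(SHARED_KEY, MESSAGE, tag),
        # Altered amount with the original tag: rejected.
        "tampered_verifies": verify_mac(SHARED_KEY, tampered, tag),
        # Tamperer recomputes a tag under a guessed key: still rejected.
        "guessed_key_verifies": verify_mac(SHARED_KEY, tampered, compute_mac(b"guess", tampered)),
        "checksum_accepts_forgery": checksum_accepts_forgery,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The receiver must hold the same key as the sender, so a MAC proves that the message came from someone holding that key and was not altered; it does not by itself identify which of the key holders sent it, which is what the digital signature entries below add.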
Message integrity: The
assurance of unaltered transmission and receipt of a message from the sender to
the intended recipient.
Multiple signatures: It shall be possible for multiple parties to sign a
document. Multiple signatures are, conceptually, simply appended to the
document.
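The digital signature, counter signatures, independent verifiability and multiple signatures entries describe properties that one signature scheme can deliver together. The Python example below is added here as an illustration and is not code from this glossary or from any HIPAA regulation; it uses a textbook RSA built from Mersenne primes purely so that it runs without third-party libraries, which is an assumption for the example and not a usable key-generation method, and the document, signer names and timestamps are constructed. Each signature covers the document hash plus a record that names the previous signature and carries added attributes (a time stamp and a purpose), so the order of application is provable, the attributes are bound to the signature, and any holder of the public keys can verify without the signers' cooperation.

```python
import hashlib
import json
from dataclasses import asdict, dataclass

E = 65537  # public exponent


def toy_keypair(p: int, q: int):
    """Build a textbook RSA key pair from two primes: (public key, private key).

    Assumption: Mersenne primes are used only so the example runs with no
    third-party library. Nothing about this key generation is fit for real use.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # modular inverse needs Python 3.8+


ALICE_PUB, ALICE_PRIV = toy_keypair((1 << 61) - 1, (1 << 127) - 1)
BOB_PUB, BOB_PRIV = toy_keypair((1 << 89) - 1, (1 << 107) - 1)


def _hash_to_int(data: bytes, n: int) -> int:
    # Hash-then-sign; reducing the digest mod n stands in for a real padding scheme.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_hash_to_int(data, n), d, n)


def verify(pub, data: bytes, signature: int) -> bool:
    """Independent verifiability: only the signer's public key is needed."""
    n, e = pub
    return pow(signature, e, n) == _hash_to_int(data, n)


@dataclass
class SignatureRecord:
    signer: str
    timestamp: str   # added attribute, as in the glossary's time-stamp example
    purpose: str
    previous: str    # SHA-256 hex of the preceding record; "" for the first signer
    signature: int = 0

    def signed_part(self) -> bytes:
        """Everything except the signature value itself is covered by the signature."""
        body = {k: v for k, v in asdict(self).items() if k != "signature"}
        return json.dumps(body, sort_keys=True).encode()

    def fingerprint(self) -> str:
        return hashlib.sha256(self.signed_part() + str(self.signature).encode()).hexdigest()


def add_signature(document: bytes, chain: list, signer: str, priv, timestamp: str, purpose: str) -> list:
    """Append a (counter)signature that names the record it follows, so order is provable."""
    rec = SignatureRecord(signer, timestamp, purpose, chain[-1].fingerprint() if chain else "")
    rec.signature = sign(priv, hashlib.sha256(document).digest() + rec.signed_part())
    return chain + [rec]


def verify_chain(document: bytes, chain: list, public_keys: dict) -> bool:
    """Check every signature and that each record links to the one before it."""
    previous = ""
    for rec in chain:
        if rec.previous != previous:
            return False   # reordered, or a link removed
        data = hashlib.sha256(document).digest() + rec.signed_part()
        if not verify(public_keys[rec.signer], data, rec.signature):
            return False   # document, attributes or signature value altered
        previous = rec.fingerprint()
    return True


# Constructed sample document and signer directory.
DOCUMENT = b"Discharge summary for patient ref ABC (constructed sample)"
PUBLIC_KEYS = {"alice": ALICE_PUB, "bob": BOB_PUB}


def demo() -> dict:
    chain = add_signature(DOCUMENT, [], "alice", ALICE_PRIV, "2024-01-01T09:00:00Z", "author")
    chain = add_signature(DOCUMENT, chain, "bob", BOB_PRIV, "2024-01-01T10:30:00Z", "countersign")
    # Same records, but Bob's time stamp rewritten after the fact.
    altered = SignatureRecord(**{**asdict(chain[1]), "timestamp": "2024-01-02T00:00:00Z"})
    return {
        "valid": verify_chain(DOCUMENT, chain, PUBLIC_KEYS),
        "reordered": verify_chain(DOCUMENT, chain[::-1], PUBLIC_KEYS),
        "document_altered": verify_chain(DOCUMENT + b" (amended)", chain, PUBLIC_KEYS),
        "attribute_altered": verify_chain(DOCUMENT, [chain[0], altered], PUBLIC_KEYS),
    }
```

Because each record names its predecessor and that name is inside what the record's signer signs, swapping Alice's and Bob's records, editing the document, or editing a time stamp all break verification, while the chain as signed verifies with nothing but the two public keys.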
Need-to-know procedures for personnel access: A security principle stating that a user should
have access only to the data he or she needs to perform a particular
function.
Nonrepudiation: Strong and
substantial evidence of the identity of the signer of a message and of message
integrity, sufficient to prevent a party from successfully denying the origin,
submission or delivery of the message and the integrity of its contents.
Operating, and in some cases, maintenance personnel have proper access authorizations: Formal, documented
policies and procedures to be followed in determining the access level to be
granted to individuals working on, or in the vicinity of, health
information.
Password: Confidential
authentication information composed of a string of characters.
Periodic security reminders: Employees, agents
and contractors should be made aware of security concerns on an ongoing
basis.
Personnel clearance procedure: Automated information is admissible. The need for and
extent of a screening process is normally based on an assessment of risk, cost,
benefit, and feasibility as well as other protective measures in place.
Effective screening processes are applied in such a way as to allow a range of
implementation, from minimal procedures to more stringent procedures
commensurate with the sensitivity of the data to be accessed and the magnitude
of harm or loss that could be caused by the individual.
Personnel security: The procedures established to
ensure that all personnel who have access to sensitive information have the
required authority as well as appropriate clearances.
Personnel security policy/procedure: Formal
documentation of policies and procedures established to ensure that all
personnel who have access to sensitive information have the required authority
as well as appropriate clearances.
PHI: Protected Health Information.
Physical access controls (limited access): Those
formal, documented policies and procedures to be followed to limit physical
access to an entity while ensuring that properly authorized access is
allowed.
Physical safeguards: Protection of physical computer systems and related
buildings and equipment from fire and other natural and environmental hazards,
as well as from intrusion. Also covers the use of locks, keys, and
administrative measures used to control access to computer systems and
facilities.
PIN (Personal Identification Number): A number or code assigned to an individual and used to
provide verification of identity.
Policy/guideline on work station use: Documented
instructions/procedures delineating the proper functions to be performed, the
manner in which those functions are to be performed, and the physical
attributes of the surroundings, of a specific computer terminal site or type of
site, dependent upon the sensitivity of the information accessed from that
site.
Procedure for emergency access: Documented instructions for obtaining necessary information
during a crisis.
Procedures for verifying access authorizations prior to physical access: Formal, documented
policies and instructions for validating the access privileges of an entity
prior to granting those privileges.
Provider: A supplier of services as defined in
section 1861(u) of the HIPAA.
Public key: One of the two keys used in an asymmetric encryption system.
The public key is made public, to be used in conjunction with a corresponding
private key.
Removal from access lists: The physical eradication of an entity's access
privileges.
Removal of user account(s): The termination or deletion of an individual's
access privileges to the information, services, and resources for which they
currently have clearance, authorization, and need-to-know when such clearance,
authorization and need-to-know no longer exists.
Report procedures: The documented formal
mechanism employed to document security incidents.
Response procedures: The documented formal
rules/instructions for actions to be taken as a result of the receipt of a
security incident report.
Risk analysis: A process whereby cost-effective
security/control measures may be selected by balancing the costs of various
security/control measures against the losses that would be expected if these
measures were not in place.
Risk management: Risk is the possibility of something adverse happening.
Risk management is the process of assessing risk, taking steps to reduce risk
to an acceptable level and maintaining that level of risk.
Role-based access control: Role-based access
control (RBAC) is an alternative to traditional access control models (e.g.,
discretionary or non-discretionary access control policies) that permits the
specification and enforcement of enterprise-specific security policies in a way
that maps more naturally to an organization's structure and business
activities. With RBAC, rather than attempting to map an organization's security
policy to a relatively low-level set of technical controls (typically, access
control lists), each user is assigned to one or more predefined roles, each of
which has been assigned the various privileges needed to perform that
role.
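The access-control models defined in this glossary (access level and classification, discretionary, mandatory and role-based access control, and the time-of-day factor named under context-based access) are often enforced together, with every model having to allow a request before it proceeds. The Python example below is added here for illustration and is not part of this glossary or of any HIPAA regulation text; the users, clearance levels, roles, the patient chart and the day-shift window are all constructed. It shows how an owner's discretionary grant can be overridden by a mandatory clearance check, how a role can lack a privilege the ACL would give, and how a time window denies an otherwise permitted request.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed sample levels: a higher number is a higher clearance/classification.
CLEARANCE = {"unclassified": 0, "sensitive": 1, "restricted": 2}

# RBAC: each predefined role carries the privileges needed to perform it.
ROLE_PRIVILEGES = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read"},
}

# Context-based rule (time-of-day): access only during the day shift.
DAY_SHIFT = (time(8, 0), time(18, 0))


@dataclass
class User:
    name: str
    clearance: str                            # the subject's access level (MAC)
    roles: set = field(default_factory=set)   # RBAC roles


@dataclass
class Record:
    name: str
    owner: str                                # DAC: the owner decides who else may access it
    classification: str                       # the object's access level (MAC)
    acl: dict = field(default_factory=dict)   # DAC: {user name: {"read", "write"}}


def dac_allows(user: User, rec: Record, action: str) -> bool:
    """Discretionary: the owner has full access; others have what the owner granted."""
    return user.name == rec.owner or action in rec.acl.get(user.name, set())


def mac_allows(user: User, rec: Record) -> bool:
    """Mandatory (simple no-read-up rule): the subject's clearance must be at least
    the object's classification; neither label can be changed by the owner."""
    return CLEARANCE[user.clearance] >= CLEARANCE[rec.classification]


def rbac_allows(user: User, action: str) -> bool:
    """Role-based: the user holds only the privileges assigned to their roles."""
    return any(action in ROLE_PRIVILEGES.get(role, set()) for role in user.roles)


def context_allows(now: time) -> bool:
    """Time-of-day: the request must fall inside the permitted window."""
    start, end = DAY_SHIFT
    return start <= now < end


def decide(user: User, rec: Record, action: str, now: time):
    """Deny by default: every model in force must independently allow the request."""
    checks = {
        "dac": dac_allows(user, rec, action),
        "mac": mac_allows(user, rec),
        "rbac": rbac_allows(user, action),
        "time_of_day": context_allows(now),
    }
    return all(checks.values()), checks


def demo() -> dict:
    """Constructed users and one patient chart; returns each decision with its per-model checks."""
    chart = Record("chart-ABC", owner="ada", classification="sensitive",
                   acl={"ben": {"read", "write"}, "cy": {"read"}})
    ada = User("ada", "sensitive", {"physician"})
    ben = User("ben", "sensitive", {"nurse"})
    cy = User("cy", "unclassified", {"billing"})
    noon, night = time(12, 0), time(23, 30)
    return {
        "owner_writes_at_noon": decide(ada, chart, "write", noon),   # allowed
        "nurse_reads_at_noon": decide(ben, chart, "read", noon),     # allowed
        "nurse_writes_at_noon": decide(ben, chart, "write", noon),   # denied: role lacks "write" although the ACL grants it
        "nurse_reads_at_night": decide(ben, chart, "read", night),   # denied: outside the time-of-day window
        "clerk_reads_chart": decide(cy, chart, "read", noon),        # denied: clearance below classification despite ACL and role
    }
```

Returning the per-model checks alongside the decision is what makes the denial auditable: an audit trail entry can record which rule refused the request rather than only that it was refused.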
Sanction policy: Organizations
must have policies and procedures regarding disciplinary actions which are
communicated to all employees, agents and contractors, for example, verbal
warning, notice of disciplinary action placed in personnel files, removal of
system privileges, termination of employment and contract penalties. In
addition to enterprise sanctions, employees, agents, and contractors must be
advised of civil or criminal penalties for misuse or misappropriation of health
information. Employees, agents and contractors, must be made aware that
violations may result in notification to law enforcement officials and
regulatory, accreditation and licensure organizations.
Secure work station location: Physical safeguards
to eliminate or minimize the possibility of unauthorized access to information,
for example, locating a terminal used to access sensitive information in a
locked room and restricting access to that room to authorized personnel, not
placing a terminal used to access patient information in any area of a
doctor's office where the screen contents can be viewed from the reception
area.
Security: Security encompasses
all of the safeguards in an information system, including hardware, software,
personnel policies, information practice policies, disaster preparedness, and
the oversight of all these areas. The purpose of security is to protect both
the system and the information it contains from unauthorized access from
without and from misuse from within. Through various security measures, a
health information system can shield confidential information from unauthorized
access, disclosure and misuse, thus protecting privacy of the individuals who
are the subjects of the stored data.
Security awareness training: All employees, agents, and contractors must
participate in information security awareness training programs. Based on job
responsibilities, individuals may be required to attend customized education
programs that focus on issues regarding use of health information and
responsibilities regarding confidentiality and security.
Security configuration management: Measures,
practices and procedures for the security of information systems should be
coordinated and integrated with each other and other measures, practices and
procedures of the organization so as to create a coherent system of
security.
Security incident procedures:
Formal, documented instructions for reporting security
breaches.
Security management process: A security management process encompasses the creation,
administration and oversight of policies to ensure the prevention, detection,
containment, and correction of security breaches. It involves risk analysis and
risk management, including the establishment of accountability, management
controls (policies and education), electronic controls, physical security, and
penalties for the abuse and misuse of its assets, both physical and
electronic.
Security policy: The
framework within which an organization establishes needed levels of information
security to achieve the desired confidentiality goals. A policy is a statement
of information values, protection responsibilities, and organization commitment
for a system. (OTA, 1993) The American Health Information Management
Association recommends that security policies apply to all employees, medical
staff members, volunteers, students, faculty, independent contractors, and
agents.
Security testing: A process
used to determine that the security features of a system are implemented as
designed and that they are adequate for a proposed application's environment.
This process includes hands-on functional testing, penetration testing, and
verification.
Sign-in for visitors and escort, if appropriate: Formal, documented procedure governing the reception
and hosting of visitors.
Subject/object separation: Access to a subject does not guarantee access to the
objects associated with that subject. Subject is defined as an active entity,
generally in the form of a person, process, or device that causes information
to flow among objects or changes the system state. Technically, a
process/domain pair. Object is defined as a passive entity that contains or
receives information. Access to an object potentially implies access to the
information it contains. Examples of objects are: records, blocks, pages,
segments, files, directories, directory trees, and programs, as well as bits,
bytes, words, fields, processors, video displays, keyboards, clocks, printers,
network nodes, etc.
System users, including maintenance personnel, trained in security: See Awareness training
(including management).
Technical security mechanisms: The processes that are put in place to guard against
unauthorized access to data that is transmitted over a communications
network.
Technical security services: The processes that are put in place (1) to protect
information and (2) to control and monitor individual access to
information.
Telephone callback: A
method of authenticating the identity of the receiver and sender of information
through a series of questions and answers sent back and
forth establishing the identity of each. For example, when the communicating
systems exchange a series of identification codes as part of the initiation of
a session to exchange information, or when a host computer disconnects the
initial session before the authentication is complete, and the host calls the
user back to establish a session at a predetermined telephone
number.
Termination procedures:
Formal, documented instructions, which include appropriate security measures,
for the ending of an employee's employment, or an internal/external
user's access.
Testing and revision: (1) Testing and revision of contingency plans refers to the
documented process of periodic testing to discover weaknesses in such plans and
the subsequent process of revising the documentation if necessary. (2) Testing
and revision of programs should be restricted to formally authorized
personnel.
Time-of-day: Access to
data is restricted to certain time frames, e.g., Monday through Friday, 8:00
a.m. to 6:00 p.m.
Time-stamp: To
create a notation that indicates, at least, the correct date and time of an
action, and the identity of the person that created the notation.
Token: A physical item that's used to
provide identity. Typically an electronic device that can be inserted in a door
or a computer system to obtain access.
Training: Education concerning the
vulnerabilities of the health information in an entity's possession and
ways to ensure the protection of that information.
Transportability: A signed document can be
transported (over an insecure network) to another system, while maintaining the
integrity of the document.
Turn in keys, token or cards that allow access: Formal, documented procedure to ensure
all physical items that allow a terminated employee to access a property,
building, or equipment are retrieved from that employee, preferably prior to
termination.
Unique user identification: The combination name/number assigned and maintained
in security procedures for identifying and tracking individual user
identity.
User authentication: The
provision of assurance of the claimed identity of an entity.
User-based access: A security mechanism used to grant users of a system access
based upon the identity of the user.
User education in importance of monitoring log in success/failure, and how to report discrepancies: Training in the user's responsibility to ensure
the security of health care information.
User education concerning virus protection: Training relative to user
awareness of the potential harm that can be caused by a virus, how to prevent
the introduction of a virus to a computer system, and what to do if a virus is
detected.
User education in password management: A type of user training in the rules to be followed in
creating and changing passwords and the need to keep them confidential.
Virus checking: A computer program that
identifies and disables: (1) another virus computer program,
typically hidden, that attaches itself to other programs and has the ability to
replicate. (Unchecked virus programs result in undesired side effects generally
unanticipated by the user.) (2) A type of programmed threat. A code fragment
(not an independent program) that reproduces by attaching to another program.
It may damage data directly, or it may degrade system performance by taking
over system resources which are then not available to authorized users. (3)
Code embedded within a program that causes a copy of itself to be inserted in
one or more other programs. In addition to propagation, the virus usually
performs some unwanted function.