Data Security & Patient Privacy Flashcards
Are research and educational activities exempt from the privacy and security
requirements for PHI?
No, they are not exempt
SSL
Secure Sockets Layer
What are some examples of technical safeguards in place to protect ePHI?
Firewalls, secure transmission modes for communication such as virtual private networks (VPN) or Secure Sockets Layer (SSL), and encryption techniques
What are the two dominant types of rewards that may motivate cyber criminals?
Financial and political gains
How may someone aiming for direct financial gain target ePHI?
Stealing someone's identity in order to take out debt in their name; stealing credit card information; and black market sale of PHI
How may someone aiming for indirect financial gain target ePHI?
The data affected by the crime is not sold but held for ransom, and the owner of the data is extorted to pay money to get that data back
Ransomware
A form of cybercrime with indirect financial rewards. Critical data is encrypted, and payment is demanded in exchange for the decryption key.
This is the greatest threat to most health systems
Bitcoin makes up what percentage of ransom demands?
99%
Are most cyber attacks targeted at a specific healthcare entity or untargeted and directed at many institutions?
Untargeted
What office enforces HIPAA?
The Office for Civil Rights
HIPAA
Health Insurance Portability and Accountability Act
HITECH
Health Information Technology for Economic and Clinical Health Act
What did HITECH do?
Expanded protections for information systems with a focus on EMRs
GDPR
General Data Protection Regulation
(a) EU-based
(b) Focuses on privacy of data more than security
What are some potential Targets of Patient Health Attacks?
● Active medical devices
– Interrupt lifesaving action or modify to deliver lethal results
● Medicines
– Destroy inventory, change allergy records, and change dosage delivery
● Surgery
– Change work order and medical records, disrupt remote access, disrupt environment, and disrupt equipment
● Clinicians
– Misdirection or misinformation
What are common issues that open up medical devices to cyber attacks?
– Failure to provide timely security updates
– Malware
– Unauthorized access to the network
– Device reprogramming
– Denial of service attacks
– Poor password management
– Poorly designed software security features for off-the-shelf products
– Poor configuration of networks and security practices
Who created a Safety Action Plan in 2018 to respond to the growing threats towards medical devices?
FDA (Food and Drug Administration)
What are some of the focus areas of the Safety Action Plan?
– Establishment of a medical device patient safety net
– Exploration of regulatory options to modernize timely implementation of post-market mitigations
– Innovation toward safer medical devices
– Advancement of medical device cybersecurity
What does the MDS2 contain?
A document available for every healthcare device sold which contains a list of the software systems embedded in the device and their known vulnerabilities
What is a pitfall of DHCP, in terms of security, and what was added to networks to enhance security?
The ease of adding devices to the network resulted in decreased network security
Network Access Control systems enable networks to assign and manage permissions of devices
What are two ways DICOM receivers can be set?
- Promiscuous (they will accept a DICOM object from any other network node)
- Non-promiscuous (a DICOM object has to be defined in the receiving system before being allowed to send information)
Social engineering
A term used to describe the act of taking advantage of human weaknesses to gain illicit access to a computer network
Phishing
Fake emails used to obtain passwords; usually appearing as familiar websites with benign-appearing links that may allow malicious software onto the network
Spear phishing
Email targeted at a specific user which contains content specific to that user so as to gain trust