Visit our FAQ pages to find questions and answers related to HIPAA Compliance, PCI Standards or IT Security. We are continuously adding terms and definitions to this page. If you do not see the information you are looking for here, use the form below to submit a question.
access control
Access control policies and procedures ensure that only those with the authority to access digital resources are allowed to do so. A user is first authenticated (identity verified) and then authorized: access to data or systems is granted or denied according to the permissions that identity has been assigned, and anything not explicitly permitted should be denied by default.
authentication
Authentication verifies the identity of a user (or system) attempting to access or log into a system or network, by checking one or more factors: something the user knows (a password), something the user has (a hardware token or phone), or something the user is (a fingerprint). Authentication establishes who the user is; access control then decides what that user may do. See also Two Factor Authentication (TFA).
back door
A programmer or developer of software or hardware (medical devices, routers, etc.) may build a back door into the product, for example an undocumented account or a hard-coded credential, so that they can gain access at a later date to make updates or perform maintenance. A back door is usually created with good intentions, to ensure the product can be maintained once it is in use, but it is also an additional access point that the customer cannot see, manage, or disable. If the secret that protects it is discovered, every deployed unit is exposed at once, so a back door is a vulnerability subject to exploitation and increases the risk of a breach.
breach
A data or security breach is any unauthorized access to, acquisition of, or dissemination of protected information. A security incident that exposes sensitive data may or may not rise to the level of a breach. A breach can result from a malicious attack on the system, from theft of equipment or media, or from simple carelessness or failure to follow appropriate procedures. See also Incident.
brute force attack
An exhaustive strategy by an attacker who tries every possible password, key, or access point until one works. Given enough time and computing power dedicated to the task, a brute force attacker will eventually succeed: every candidate key is tried against the ciphertext until one decrypts it to readable plaintext, or every candidate password is tried against a login until one is accepted. The defense is to make the search space too large to cover (long, random passwords and keys) and each attempt expensive (slow password hashing, rate limiting, and account lockout).
business continuity
Business Continuity is the ability of an organization to withstand a natural or malicious event that impacts operations. A Business Continuity Plan must be created before an incident arises to determine the appropriate emergency response, backup operations, and disaster recovery steps to be taken under a variety of possible scenarios.
business impact analysis
A Business Impact Analysis (BIA) seeks to predict the consequences of any incident that could disrupt business functions and processes, and to identify which of them must be restored first. A risk assessment should be conducted as the foundation for the BIA, which in turn is essential for a solid Business Continuity Plan.
BYOD (bring your own device)
“Bring Your Own Device” refers to employees using their own personal mobile devices, smartphones, or laptops to do their work and to access secure employer networks. BYOD has become an unavoidable part of operations and an issue that virtually all employers will have to address through policies and procedures (for example, device enrollment, encryption, and remote wipe), since unmanaged personal devices bring security issues of their own.
compliance
Government regulations (such as HIPAA and HITECH) and widely accepted industry standards (such as PCI DSS) require companies and organizations to demonstrate that they have met the specific requirements of the regulation or standard. Compliance is an ongoing process: failure to maintain it can leave the organization vulnerable to attack or breach and can ultimately result in penalties or fines. Being compliant is not the same as being secure; a standard sets a floor, not a ceiling.
denial of service (DoS) attack
A Denial of Service (DoS) attack prevents authorized users from accessing or using a network or system by flooding it with useless traffic or requests until its bandwidth, connections, or processing capacity are exhausted. A Distributed Denial of Service (DDoS) attack uses many compromised systems (a botnet) to flood the target simultaneously. Because the traffic arrives from many sources, a DDoS attack is much harder to filter or block at its origin. See also Telephony Denial of Service (TDoS).
dictionary attack
A dictionary attack uses software to try a list of likely passwords (dictionary words, common passwords, and simple variations of them) against a password-based system, rather than every possible combination of characters as a brute force attack does; it is faster because most people choose predictable passwords. The same automated approach can be used to generate and try plausible email addresses so that a phishing campaign reaches a small percentage of real accounts.
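As an added example that is not part of the original page, the following Python script shows both a dictionary attack and a brute force attack in miniature against passwords stored as salted PBKDF2 hashes. The wordlist, the passwords, and the PIN are constructed for the demonstration, and the iteration count is deliberately small so the script runs in seconds. The outcome shows what actually decides these attacks: the dictionary attack recovers a common password in a handful of guesses, the brute force recovers a four-digit PIN by exhaustion, and a random sixteen-character password survives both because the search space is too large and the attempt budget (modeling an account lockout) runs out first.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterable, Optional, Tuple

# Work factor for the demo only. Production PBKDF2 deployments use hundreds
# of thousands of iterations; that cost is what makes offline guessing slow.
ITERATIONS = 1_000
DIGITS = string.digits


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def dictionary_attack(salt: bytes, digest: bytes, wordlist: Iterable[str],
                      max_attempts: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Try each entry of a wordlist of *likely* passwords (not every
    combination). Returns (recovered password or None, attempts made)."""
    attempts = 0
    for candidate in wordlist:
        if max_attempts is not None and attempts >= max_attempts:
            break
        attempts += 1
        if verify_password(candidate, salt, digest):
            return candidate, attempts
    return None, attempts


def brute_force_attack(salt: bytes, digest: bytes, alphabet: str, max_len: int,
                       max_attempts: Optional[int] = None) -> Tuple[Optional[str], int]:
    """Exhaustively enumerate every string over `alphabet` up to `max_len`.
    `max_attempts` models a lockout or rate limit that caps the attacker."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            if max_attempts is not None and attempts >= max_attempts:
                return None, attempts
            attempts += 1
            candidate = "".join(combo)
            if verify_password(candidate, salt, digest):
                return candidate, attempts
    return None, attempts


def search_space(alphabet_size: int, max_len: int) -> int:
    """Number of candidates a complete brute force must cover."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


# Constructed sample data: a tiny wordlist and three stored credentials.
WORDLIST = ["letmein", "qwerty", "Password1", "password123", "welcome1"]
WEAK_SALT, WEAK_DIGEST = hash_password("password123")
PIN_SALT, PIN_DIGEST = hash_password("0427")
STRONG_SALT, STRONG_DIGEST = hash_password("Tq7#vL9!rX2mWb4p")


if __name__ == "__main__":
    print("dictionary vs weak password:", dictionary_attack(WEAK_SALT, WEAK_DIGEST, WORDLIST))
    print("brute force vs 4-digit PIN: ", brute_force_attack(PIN_SALT, PIN_DIGEST, DIGITS, 4))
    print("brute force vs strong, capped at 500 attempts:",
          brute_force_attack(STRONG_SALT, STRONG_DIGEST, DIGITS, 4, max_attempts=500))
    print("dictionary vs strong:", dictionary_attack(STRONG_SALT, STRONG_DIGEST, WORDLIST))
    full = string.ascii_letters + string.digits + string.punctuation
    print("candidates for a 16-char password over", len(full), "symbols:", search_space(len(full), 16))
```

Run it as a script to see the results. In a real system the iteration count would be hundreds of thousands and the attempt cap would be enforced by the login service rather than chosen by the attacker; both changes push the cost onto the attacker, which is the whole point of the defenses listed above.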
encryption
Encryption converts readable data (plaintext) into unreadable ciphertext by means of an algorithm and a key. Properly encrypted information can only be decrypted (translated back into plaintext) by someone who holds the correct key, so the security of the data depends on keeping the key, not the algorithm, secret. For more information about encryption, see NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
HIPAA
HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996, the act established national standards to protect the privacy and security of individually identifiable health information, known as protected health information (PHI).
HITECH
The Health Information Technology for Economic and Clinical Health Act was passed in 2009 as Title XIII of the American Recovery and Reinvestment Act to increase spending by the US Department of Health and Human Services (HHS) on the expansion and promotion of health information technology. It also strengthened HIPAA enforcement, including breach notification requirements and increased penalties.
incident
An IT security incident is any malicious, accidental, technical, or natural event that potentially impacts operations and may expose or cause the loss of critical or sensitive data. It is important to note that a breach always begins with an incident, but not every incident leads to a breach.
malware
Malware is malicious software designed to damage, disrupt, or gain unauthorized access to a system. Types of malware include viruses, worms, trojan horses, ransomware, spyware, adware, and bots.
network
A network is a group of two or more computer systems linked together so that they can share data and resources.
NIST
NIST stands for the National Institute of Standards and Technology, a federal agency within the US Department of Commerce. NIST publishes standards and best practices related to Information Technology, Health IT, and many other subject areas. Visit www.nist.gov for more.
patch
A patch is a section of code released by the developer of a piece of software to correct an identified bug or security vulnerability. Applying patches promptly closes the window during which a publicly known vulnerability can be exploited.
pharming
Similar to a phishing scam, a pharming attack tampers with DNS resolution, for example by poisoning a DNS server's cache or altering a victim's hosts file, so that a legitimate website's name resolves to a site the attacker controls. On the pharming site, attackers try to extract personal, financial, and login information from visitors.
phishing
Similar to a pharming attack, a phishing scam sends mass emails that appear to come from legitimate companies or organizations to lure or trick the recipient into divulging personal, financial, or login information, typically through a link to a look-alike website or an attachment carrying malware.
PII, PHI, and ePHI
PII stands for Personally Identifiable Information. PII is any piece of information that can be used to identify, locate, or contact a single person (name, address, Social Security number, email address, and so on). PHI stands for Protected Health Information: individually identifiable health information held by a HIPAA covered entity or business associate, in any form. ePHI stands for Electronic Protected Health Information, PHI that is created, stored, transmitted, or received electronically. The HIPAA Privacy Rule protects PHI in every form; the HIPAA Security Rule adds administrative, physical, and technical safeguards specifically for ePHI.
remote access
Remote access refers to network-level access originating from outside the company's own network, whether from the Internet or from an “untrusted” network or system, such as an employee reaching the corporate network from a laptop at home.
social engineering
Social engineering is any tactic designed to obtain protected information (login, customer, patient, or corporate data) by conning a person into revealing it. Social engineering relies on the trusting nature of most people or on a lack of appreciation for the value of the information they possess.
telephony denial of service (TDoS)
Like a DoS or DDoS attack, a TDoS attack floods a company or organization's phone system with incoming calls so that the system becomes completely unusable. This tactic has often been seen targeting hospitals, emergency rooms, and other healthcare facilities.
two factor authentication
In general, authentication is still primarily based on what you know: your username and password. Increasingly, systems requiring stronger authentication are turning to “two-factor authentication” (TFA, also written 2FA), which combines something you know, your password, with something you have, such as a one-time code generated by an authenticator app or hardware token, or texted to the user's cell phone. Codes sent by SMS are the weakest of these options because they can be intercepted through SIM-swap fraud; an authenticator app or hardware token is preferred where available.
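The “something you have” factor is usually implemented as a one-time code. As an added example that is not part of the original page, the Python below implements the HOTP and TOTP algorithms (RFC 4226 and RFC 6238) from the standard library only, together with the server-side check that goes with them: a small window to tolerate clock drift, constant-time comparison, and rejection of any counter value at or below the last one accepted, so a code captured in transit cannot be replayed. The secret is the test secret from the RFCs; the TotpServer class, its method names, and the user name are assumptions made for this example.

```python
import base64
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, timestamp // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret in base32."""
    return base64.b32decode(b32.strip().upper())


class TotpServer:
    """Server side of the second factor (a design assumed for this example).
    Stores each user's shared secret and the last counter value accepted,
    so a code that has already been used cannot be replayed."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self.secrets: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.last_counter[user] = -1

    def check(self, user: str, code: str, timestamp: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        now = timestamp // self.step
        # Accept the current step and `window` steps either side (clock drift),
        # but never a counter at or below the last one accepted (replay).
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter[user]:
                continue
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self.last_counter[user] = counter
                return True
        return False


# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890") and its base32 form.
SECRET = b"12345678901234567890"
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    import time
    server = TotpServer()
    server.enroll("alice", SECRET)                 # "alice" is a constructed user
    now = int(time.time())
    code = totp(SECRET, now)                        # what the user's authenticator shows
    print(code, server.check("alice", code, now))   # True: first use within the window
    print(server.check("alice", code, now))         # False: the same code is rejected on replay
```

Two details matter in practice: the comparison uses hmac.compare_digest so a wrong code takes the same time to reject as a nearly-right one, and the server remembers the last accepted counter rather than just the last code, which also closes the window for an attacker who captured a code a few seconds before the victim typed it.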
zero day exploit
A “zero-day” vulnerability is one that is unknown to the vendor, or known but not yet patched, so defenders have had zero days to correct it. A zero-day exploit is an attack that takes advantage of such a vulnerability before the company or developer is able to release a patch, and it is especially dangerous because signature-based defenses do not yet recognize it. Once a patch is released the vulnerability is no longer a zero day, but systems that have not applied the patch remain exposed.