WEEK 5 ANNOTATED BIBLIOGRAPHY

Using the attached form, fill out the required sections to develop an annotated bibliography for the journal article that you accessed and read this week. Submit your completed form using the above link.

Annotated Bibliography Rubric

50 Pts


Columns: Exemplary (10 points), Developing (7 points), Needs Improvement (4 points), Faculty Comments

Written Criteria: Bibliographical Information
Exemplary: Bibliographical information is accurately stated and formatted.
Developing: Bibliographical information contains 2-3 errors.
Needs Improvement: Bibliographical information contains more than 3 errors.
Faculty Comments:

Written Criteria: Summary of Article
Exemplary: Article is concisely summarized in one paragraph with no more than one error.
Developing: Summary is more than one paragraph with one error.
Needs Improvement: Summary exceeds one paragraph and has more than 2 errors.
Faculty Comments:

Written Criteria: Evaluation of Article
Exemplary: Article is evaluated in light of its purpose and credibility.
Developing: Evaluation is loosely based on evidence but well organized.
Needs Improvement: Evaluation does not relate to the purpose of the article and is not evidence-based.
Faculty Comments:

Written Criteria: Reflection on Application to Practice
Exemplary: Reflection refers to the merit or lack of merit of applying the article to current or future practice.
Developing: Reflection is vague and only loosely related to current or future practice.
Needs Improvement: Reflection does not connect merit or lack of merit to practice.
Faculty Comments:

Written Criteria: Grammar, Syntax, APA Format
Exemplary: APA format, grammar, spelling, and/or punctuation are accurate, with zero to three errors.
Developing: Four to six errors in APA format, grammar, spelling, and syntax noted.
Needs Improvement: Paper contains more than six errors in APA format, grammar, spelling, and/or punctuation, or repeatedly makes the same errors after faculty feedback.
Faculty Comments:

Annotated Bibliography Worksheet

Student Name:

A. Bibliographical Information:

Author(s) Name:

Title of Article:

Date of Article:

Journal Name:

B. Summary of Article:

C. Evaluation of Article:

D. Reflection on Application to Practice:

Chapter 13: Security Threats and Controls

Fundamentals of Law for Health Informatics and Information Management, Third Edition

© 2017 American Health Information Management Association


Overview

Healthcare organizations must address circumstances that threaten privacy and security of patient information.

The HIPAA Security Rule requires implementation of security safeguards to protect ePHI.

NIST and other standards are also covered in the chapter.

Types of Security Threats
Threats to health information can be categorized as
Human
Natural
Environmental
Both human and natural/environmental threats can also be categorized as:
Internal threats
External threats

Human Security Threats
Human threats
Can be intentional
For example, theft, intentional alteration and destruction, virus attacks
May be due to disgruntled employees (internal)
May be due to external hackers or pranksters (cyberattacks such as phishing and ransomware)
Can be unintentional
For example, employee error, unintentional alteration and destruction
Internal breaches caused by humans are more common than external breaches.

Figure 13.1 has an example of an employee breach.

Natural and Environmental Security Threats
Are generally unintentional
Examples of external threats:
Hurricanes, tornadoes, lightning
Examples of internal threats:
Fire, water damage from an internal source
Highlight the need for disaster recovery and business continuity planning to minimize downtime and restore data

Vulnerabilities
Weaknesses that affect security
A vulnerability is something that can be exploited
Threat vector—The path taken to exploit the vulnerability

Identity Theft: A Security Threat
Identity theft
Made possible by the ease with which electronic information can be stolen
Identity Theft and Assumption Deterrence Act of 1998 makes it a federal crime to commit identity theft
Federal Trade Commission has oversight of identity theft regulations

Medical Identity Theft
Two main types
Use of name and other personal identifiers without knowledge or consent of the victim to obtain medical services
In some circumstances, victim’s consent may be obtained, but victim doesn’t realize the consequences
Example: Victim gives permission to another to use the victim’s insurance card to obtain medical services
Use of name and other personal identifiers to obtain money by falsifying claims for medical services

Medical Identity Theft
Medical identity theft can be internal or external
Internal (most common): Committed by organization insiders
Examples: Clinical or administrative staff with access to patient information, sophisticated crime rings infiltrating an organization by posing as staff
External: Committed by outsiders
Example: A patient who uses another’s medical insurance information (with or without permission)

Medical Identity Theft
If a patient’s information is altered but the patient’s identity is not abused, this is not medical identity theft.
If a patient’s financial information is used to purchase goods or services that are not medical in nature, this is not medical identity theft.

Implications of Medical Identity Theft
Financial consequences
Debt collection
Monetary losses
Damaged credit
Insurance denials
Medical consequences
Possibility of wrong care
Incorrect medical history

Detecting Theft of One’s Own Medical Identity
HIPAA
Accounting of disclosures (all covered entities) and accounting of payment disclosures for covered entities with EHRs
Weak: requires the patient to make a request
HITECH
Breach notification requirement
Application of HIPAA to personal health record vendors and third-party service providers

Reporting Medical Identity Theft
HIPAA breach notification requirement
Fair and Accurate Credit Transactions Act (FACTA)
Requires financial institutions and creditors to develop and implement written identity theft programs to identify, detect, and respond to red flags that may signal presence of identity theft (Red Flags Rule)
Red flag: Pattern, practice, or specific activity that could indicate identity theft


FACTA and the Red Flags Rule
FACTA and the Red Flags Rule do not specifically address medical identity theft, but many healthcare organizations must follow the rule because they meet the definition of a creditor.
The Red Flags Rule went into effect December 31, 2010.

Examples are in Figure 13.2.

Red Flags Rule
Five categories of red flags that trigger an alert of possible identity theft:
Alerts, notifications, or warnings from a consumer reporting agency
Suspicious documents
Suspicious personally identifying information such as a suspicious address
Unusual use of, or suspicious activity relating to, a covered account
Notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with an account
Red flags should be incorporated into healthcare provider policies and procedures

Prevention, Detection, and Mitigation of Medical Identity Theft
Prevention challenges
Ensuring that preventive safeguards are in place to protect the privacy and security of patient information
Balancing patient privacy protections with disclosure of identity theft events to victims, law enforcement, and federal agencies
Identifying resources to assist healthcare organizations, providers, and patients who are victims of identity theft


Prevention of Medical Identity Theft
Ensure appropriate background checks of employees and business associates who may have access to business and patient protected health information (PHI).
Minimize the use of Social Security numbers for identification. Whenever possible, redact or replace some of the digits in the number. Avoid displaying the entire number on any document, screen, or data collection field.
Store patient information in a secure manner, ensuring that physical safeguards such as restricted access and locks are in place. Consider securing a release of liability from patients who refuse to use facility-provided lockboxes or other storage for personal items.

Prevention of Medical Identity Theft
Implement and comply with organizational policies for the appropriate disposal, destruction, and reuse of any media used to collect and store patient information.
Implement and comply with organizational policies and procedures that provide safeguards to ensure the security and privacy of patient information collected, maintained, and transmitted electronically.
Train staff on organizational policies and practices developed to provide protection and appropriate use and disclosure of patient information, as well as appropriate responses to identity theft events.
Develop a proactive identity theft response plan or policy that clearly outlines the response process and identifies the organization’s obligations to report or disclose to law enforcement or government agencies information related to such crimes.

Prevention of External Medical Identity Theft
When a patient presents for service or seeks to obtain benefits such as medical equipment:
Require a driver’s license to verify identity
Take photograph of patient
Biometric identifiers
Compare patient signature from previous encounters
All measures depend on valid baseline information
If baseline information is fraudulent, all subsequent encounters will be based on fraudulent information.

Prevention of Internal Medical Identity Theft
Background checks for employees and business associates
Minimize temporary hiring of individuals not licensed, certified, credentialed, or bound by professional codes of ethics
Avoid using or showing full Social Security numbers on data collection fields
Stringent access controls and systems controls

Mitigation of Medical Identity Theft
Address breach notification requirements
Separate intermingled health information of victim and perpetrator
Contact law enforcement

Security Access and Systems Controls
Access controls: Prevent unauthorized individuals from retrieving, using, or altering information
Only individuals with a “need to know” should have access to ePHI.

Security Access and Systems Controls
Access parameters:
Who has a right to information
How a user can access information

Access Controls
Types of access rights
User-based
Example: Specific access given to an individual
Role-based: Access based on roles that individuals have in an organization
Example: All nurses given same level of access
Context-based: Most stringent; additional layer beyond user-based or role-based access and considers context of transaction
Example: Nurses given access to only their units and only during their assigned shifts

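The three layers above (role-based, user-based, and the stricter context-based check of unit and shift) can be evaluated in one policy decision. The following is an added example, not code from the AHIMA text; the user IDs, roles, units, shifts and action names are constructed for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Set, Tuple

# Added example: constructed workforce data, not from the AHIMA text.
# Role-based layer: what each role may do, whoever holds it.
ROLE_PERMISSIONS = {
    "nurse": {"read_chart", "write_vitals"},
    "billing_clerk": {"read_billing"},
}

@dataclass
class Shift:
    """Context: the unit and the hours (24h clock) a user is assigned to."""
    unit: str
    start_hour: int          # inclusive
    end_hour: int            # exclusive; smaller than start_hour for an overnight shift

    def covers(self, when: datetime) -> bool:
        h = when.hour
        if self.start_hour < self.end_hour:
            return self.start_hour <= h < self.end_hour
        return h >= self.start_hour or h < self.end_hour   # wraps past midnight

@dataclass
class User:
    user_id: str
    role: str
    shifts: List[Shift] = field(default_factory=list)   # context-based scope
    user_grants: Set[str] = field(default_factory=set)  # user-based: explicit patient ids

@dataclass
class Patient:
    patient_id: str
    unit: str

def authorize(user: User, action: str, patient: Patient, when: datetime) -> Tuple[bool, str]:
    """Evaluate role-based, then user-based, then context-based access.
    The reason string is meant to be written to the audit trail with the decision."""
    # 1. Role-based: the role must carry this action at all (need to know).
    if action not in ROLE_PERMISSIONS.get(user.role, set()):
        return False, f"role '{user.role}' has no '{action}' permission"
    # 2. User-based: an explicit grant for one patient bypasses the unit/shift context,
    #    e.g. a clerk assigned to work one specific account.
    if patient.patient_id in user.user_grants:
        return True, "explicit user-based grant"
    # 3. Context-based: only the user's own unit, and only during an assigned shift.
    if not any(s.unit == patient.unit and s.covers(when) for s in user.shifts):
        return False, f"outside assigned unit/shift for unit '{patient.unit}'"
    return True, f"role '{user.role}' on unit '{patient.unit}' during assigned shift"

def demo() -> dict:
    """Run the slide's nurse example plus a clerk with a user-based grant."""
    nurse = User("rn_alvarez", "nurse", shifts=[Shift("ICU", 19, 7)])   # night shift
    clerk = User("clerk_kim", "billing_clerk", user_grants={"P-1001"})
    icu_patient, med_patient = Patient("P-1001", "ICU"), Patient("P-2002", "MED")
    night, noon = datetime(2017, 3, 1, 23, 30), datetime(2017, 3, 1, 12, 0)
    return {
        "nurse on shift, own unit": authorize(nurse, "read_chart", icu_patient, night),
        "nurse off shift": authorize(nurse, "read_chart", icu_patient, noon),
        "nurse other unit": authorize(nurse, "read_chart", med_patient, night),
        "clerk explicit grant": authorize(clerk, "read_billing", icu_patient, noon),
        "clerk reads chart": authorize(clerk, "read_chart", icu_patient, noon),
    }

if __name__ == "__main__":
    for label, (allowed, reason) in demo().items():
        print(f"{label:28s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```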
Access Controls: Entity Authentication
Entity authentication: Determining an entity is the one claimed based on predetermined criteria
User ID (often a logical identifier, and often public)
Authentication methods:
Something you know (for example, password)
Something you are (for example, biometric identifier)
Something you have (for example, tokens and swipe cards)
Telephone call-back can also be used for remote access


Access Controls: Entity Authentication
Single-factor authentication
Combines user ID with one of the three authentication methods
Two-factor authentication
Combines user ID with any two of the three authentication methods

Access Controls: Passwords
Often 4–16 characters
Minimum of 8 characters is common
Easy to remember for the user
Difficult for others to determine
Organizations must develop password guidelines


Access Controls: Password Guidelines
Should
Be a combination of letters and numbers
Have at least 8 characters, mixing upper- and lower-case
Be changed frequently
Should not be
Easily guessed (for example, a pet’s name)
A word that is in the dictionary
A word that is newsworthy
Similar to one’s previous password
Shared with others or displayed

See Figure 13.3 in the text.
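The checkable parts of the guideline list above (length, letters and numbers, mixed case, dictionary or easily guessed words, similarity to the previous password) can be enforced at password-change time. This is an added example, not code from the AHIMA text; the word lists are constructed stand-ins, and rules that cannot be tested offline (frequency of change, newsworthy words, sharing) are left to policy:

```python
import re
from typing import List

# Added example. The word lists are constructed stand-ins for a dictionary and an
# "easily guessed" list (pet or family names); a real check would load far larger lists.
DICTIONARY_WORDS = {"password", "welcome", "hospital", "nurse", "summer", "letmein"}
EASILY_GUESSED = {"fluffy", "rex", "buddy", "max"}   # for example, a pet's name

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a small distance means 'too similar'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def core_of(password: str) -> str:
    """Letters only, lower-cased, so 'Hospital2017!' is still seen as the word 'hospital'."""
    return re.sub(r"[^a-z]", "", password.lower())

def check_password(candidate: str, previous: str = "") -> List[str]:
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < 8:
        problems.append("fewer than 8 characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must combine letters and numbers")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        problems.append("must mix upper- and lower-case letters")
    core = core_of(candidate)
    if core in DICTIONARY_WORDS:
        problems.append("built on a dictionary word")
    if core in EASILY_GUESSED:
        problems.append("easily guessed (for example, a pet's name)")
    if previous:
        # Too similar if the old password survives inside the new one (ignoring case)
        # or only one or two characters changed, e.g. Welcome1 -> Welcome2.
        if previous.lower() in candidate.lower() or levenshtein(candidate, previous) <= 2:
            problems.append("too similar to the previous password")
    return problems

if __name__ == "__main__":
    samples = [("Welcome1", ""), ("Welcome2", "Welcome1"), ("fluffy", ""), ("tR7#vq9LmX2p", "Welcome1")]
    for pw, prev in samples:
        print(pw, "->", check_password(pw, prev) or "OK")
```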

Access Controls: Other Common Security Mechanisms
Automatic log-off
Termination of access
Prior to or at end of employment
When user roles change within organization
Audit trail
Reactive, but shows log-on attempts and successful computer access
Tokens
Biometric identification

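Because the audit trail is reactive, someone has to read it. The following added example (not code from the AHIMA text) reviews constructed audit lines for the things the mechanisms above are meant to catch: bursts of failed log-on attempts, a successful log-on after such a burst, record access by an account whose access should have been terminated, and access outside the user's assigned unit or shift. The log format, users, patients and assignments are all invented for illustration:

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Added example. Constructed audit-trail lines in a hypothetical key=value format;
# the users, patients and timestamps are invented for illustration.
AUDIT_LOG = """\
2017-03-01T23:41:07 user=rn_alvarez action=LOGIN result=OK
2017-03-01T23:42:10 user=rn_alvarez action=VIEW patient=P-1001 unit=ICU result=OK
2017-03-02T02:15:00 user=rn_alvarez action=VIEW patient=P-2002 unit=MED result=OK
2017-03-02T08:00:01 user=clerk_kim action=LOGIN result=FAIL
2017-03-02T08:00:09 user=clerk_kim action=LOGIN result=FAIL
2017-03-02T08:00:20 user=clerk_kim action=LOGIN result=FAIL
2017-03-02T08:00:31 user=clerk_kim action=LOGIN result=FAIL
2017-03-02T08:01:02 user=clerk_kim action=LOGIN result=OK
2017-03-02T14:05:44 user=tech_osei action=LOGIN result=OK
2017-03-02T14:06:01 user=tech_osei action=VIEW patient=P-1001 unit=ICU result=OK
"""

# Hypothetical workforce context: assigned unit and the hours (24h clock) of the shift.
ASSIGNMENTS = {
    "rn_alvarez": ("ICU", set(range(19, 24)) | set(range(0, 7))),   # overnight ICU
    "clerk_kim": ("BILLING", set(range(8, 17))),
}
# Accounts whose access should have been terminated (end of employment or role change).
TERMINATED = {"tech_osei"}

FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

def parse(line: str) -> dict:
    """'2017-... user=x action=Y ...' -> {'ts': datetime, 'user': 'x', 'action': 'Y', ...}"""
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts)
    return event

def review(log_text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, user, finding) for each event worth a human's attention.
    The audit trail is reactive: this reviews what already happened, it does not block it."""
    findings = []
    recent_failures = defaultdict(list)          # user -> timestamps of failed log-ons
    for line in log_text.splitlines():
        ev = parse(line)
        user, ts = ev["user"], ev["ts"]
        if ev["action"] == "LOGIN":
            if ev["result"] == "FAIL":
                window = recent_failures[user]
                window.append(ts)
                window[:] = [t for t in window if ts - t <= FAILED_LOGIN_WINDOW]
                if len(window) == FAILED_LOGIN_THRESHOLD:   # flag once per burst
                    findings.append((ts, user, "repeated failed log-on attempts"))
            else:
                if len(recent_failures[user]) >= FAILED_LOGIN_THRESHOLD:
                    findings.append((ts, user, "successful log-on after repeated failures"))
                recent_failures[user].clear()
        elif ev["action"] == "VIEW" and ev["result"] == "OK":
            if user in TERMINATED:
                findings.append((ts, user, "record access by an account that should be terminated"))
                continue
            unit, hours = ASSIGNMENTS.get(user, (None, set()))
            if ev["unit"] != unit:
                findings.append((ts, user, f"viewed a record on unit {ev['unit']}, assigned to {unit}"))
            elif ts.hour not in hours:
                findings.append((ts, user, "record viewed outside the assigned shift"))
    return findings

if __name__ == "__main__":
    for ts, user, finding in review(AUDIT_LOG):
        print(f"{ts.isoformat()}  {user:12s} {finding}")
```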

Access Controls: Other Common Security Mechanisms
Employee nondisclosure agreements and training
Frequent review/modification of individual access
Security training should evolve with new technologies and policy changes

Remote Access Control
Create security policy and train workforce
Issue proper equipment for work purposes only
Deploy virtual private networks
Use two-factor authentication
Do not allow information to be stored locally
Monitor status of all computers
Check virus updates regularly
Require personal firewalls
Require shredders for printed information
Balance security with ease of access

Remote Network Access
SANS recommendations
Acceptable encryption policy
Acceptable use policy
Password policy
Third-party agreement
Hardware and software configuration standards for remote access

Access Controls: Mechanisms for Mobile Devices
Require that laptop always be carried
Use physical security device
Never leave laptop unattended
Never leave laptop visible
Install desktop firewall, antivirus, and intrusion detection software
Encrypt files on laptop
Do not store password on device

Systems Controls
Protect ePHI in addition to access controls discussed previously
Also addressed by the HIPAA Security Rule
Generally relate to systems hardware or software, and functions such as ePHI transmission (for example, fax and e-mail)

Cybersecurity
“Preventative methods used to protect information from being stolen, compromised or attacked. It requires an understanding of potential information threats, such as viruses and other malicious code. Cybersecurity strategies include identity management, risk management and incident management.”
Cyberattacks are one of the major causes of data breaches

Systems Controls
Workstation use and security
Screen savers
Screen shields
Screen positioning
Policies and procedures

Systems Controls
Data encryption
Codes or scrambles data being transferred from one location to another
Pretty Good Privacy (PGP)
Used to encrypt e-mail messages
Wired Equivalent Privacy (WEP)
Used to protect information on wireless networks (WEP is now deprecated as insecure and has been superseded by WPA2/WPA3)

Systems Controls
Encryption
Public key (asymmetric): Uses two keys, one private and one public
Data encrypted with the public key can be decrypted only with the private key
Data encrypted with the private key can be decrypted only with the public key
Single key (symmetric): One shared key both encrypts and decrypts
Used more frequently for large files

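The two public-key bullets above can be seen directly in textbook RSA. This is an added example, not code from the AHIMA text; the primes, the byte-at-a-time handling and the sample digest are constructed for illustration, and the key sizes are far too small for real use:

```python
from math import gcd
from typing import List, Optional, Tuple

# Added example: textbook RSA with tiny constructed primes, to show the relationship
# between the two keys. Real deployments use 2048-bit or larger moduli with padding
# (e.g. RSA-OAEP) and never encrypt raw bytes one at a time.

Key = Tuple[int, int]   # (exponent, modulus)

def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Return (public_key, private_key) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)        # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def apply_key(key: Key, block: int) -> int:
    """Modular exponentiation with either half of the pair; the block must be < n."""
    exp, n = key
    if not 0 <= block < n:
        raise ValueError("block must be smaller than the modulus")
    return pow(block, exp, n)

def seal(public_key: Key, plaintext: bytes) -> List[int]:
    """Encrypt with the recipient's PUBLIC key: only the matching private key can open it."""
    return [apply_key(public_key, b) for b in plaintext]

def unseal(private_key: Key, blocks: List[int]) -> Optional[bytes]:
    """Decrypt with a PRIVATE key. With the wrong key the values come out as noise,
    often not even valid bytes, so None is returned instead."""
    values = [apply_key(private_key, c) for c in blocks]
    return bytes(values) if all(v < 256 for v in values) else None

def sign(private_key: Key, digest: int) -> int:
    """Encrypt a message digest with the sender's PRIVATE key; anyone holding the
    public key can reverse it, which is what a digital signature relies on."""
    return apply_key(private_key, digest)

def verify(public_key: Key, signature: int, digest: int) -> bool:
    return apply_key(public_key, signature) == digest

if __name__ == "__main__":
    pub, priv = make_keypair(61, 53)          # n = 3233, the classic textbook pair
    other_pub, other_priv = make_keypair(47, 71)
    ct = seal(pub, b"ePHI")
    print("ciphertext blocks:", ct)
    print("right private key:", unseal(priv, ct))
    print("wrong private key:", unseal(other_priv, ct))
    sig = sign(priv, 1234)
    print("signature verifies:", verify(pub, sig, 1234), "tampered:", verify(pub, sig, 1235))
```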
Systems Controls
Firewall protection
A firewall is hardware or software that examines traffic entering and leaving a network
Most commonly used between healthcare organization’s internal (trusted) network and Internet (untrusted network)
Provides limits
Internal users are limited in accessing the internet.
Internet users are limited in accessing portions of internal network.

Systems Controls
Routers
Routers link different networks
Are responsible for sending network traffic to the correct destination
Not as robust as firewalls, but may filter certain network traffic

Systems Controls
Intrusion detection systems (IDS)
Act as an alarm system for the network
Warn of possible inappropriate access attempts
Intrusion prevention systems (IPS)
Identify malicious network traffic
Apply rules to block its passage
Both IDS and IPS require significant human monitoring to check for false alarms.

Systems Controls
Antivirus programs
Common types of viruses
File infectors: Attach to program files
System or boot-record infectors: Infect areas of hard disks or diskettes
Macro viruses: Infect the Microsoft Word application, inserting unwanted words or phrases
Worm: Stores and replicates itself
Trojan horse: Destructive programming code that hides itself in another piece of programming code

Systems Controls
Antivirus programs
Virus checking is an important system security mechanism.
Antivirus software packages
Virus catalog must be updated frequently
Zero-day exploits may do considerable harm within one day.

Transmission of ePHI
Policies and procedures must be put into place to safeguard data transmitted via
Faxing
Internet
E-mail
Telehealth/telemedicine
Wireless communication devices
Social media

Faxing Health Records
AHIMA guidelines:
Generally: Only in urgent medical situations or for ongoing payer certification
Never prudent to fax highly sensitive information
Verify that the recipient is authorized to receive the fax, will be standing by to receive it, and will call to confirm receipt
Preprogram frequent fax numbers
Fax machines in secure locations
Confidentiality statement on cover page


Internet
Used more widely to transmit PHI since the advent of integrated healthcare delivery systems
Uses:
Information source
Communication device
Extension of organizational network (functional)
Protection of data and system:
Policies and procedures
Systems protections (for example, firewalls)

E-mail
Prohibition against sending highly sensitive information
Issues
Potential for broader discovery
Possible interception (compromises privacy) during transmission or by erroneous recipient
Retention periods
May be difficult to determine true identity of sender
Group e-mails compromise confidentiality
Poor communication can trigger patient dissatisfaction/liability
E-mail attachments can contain computer viruses

Medical Device Security
Potential for security risks
FDA has published new guidance based on 2014 NIST voluntary Framework for Improving Critical Infrastructure Cybersecurity

Telehealth/Telemedicine
Telemedicine: Electronic exchange of medical information from one site to another to improve patients’ health
Telehealth: The digital use of technologies to deliver medical care, health education, and public health services by connecting multiple users in separate locations

Telehealth/Telemedicine
Issues include privacy during transmission
Videoconferencing
Transmission of still images
e-Health
Patient portals
Remote patient monitoring
Continuing medical education
Nursing call centers

Social Media
Texting
Video
Audio
Exponential risks to privacy and security of PHI
Organizations must have policies and procedures regarding what constitutes appropriate and inappropriate posting.

Contingency and Disaster Planning
Continuity plan: Ensures critical business functions can withstand emergencies
Contingency/disaster plan: Includes technical, procedural, and organizational components to follow after a loss. Includes
Risk assessment and analysis
Downtime and contingency planning
Data backup
Data recovery
Emergency mode of operations


Data Backup
Backup servers
Storage media such as backup tapes
Data “dump” onto tapes or other media
Moving the backup media to another location outside the vicinity of the event

Data Recovery
Recovery effort is limited if data backup efforts are successful
If restoration is not possible, efforts should be made to reconstitute the record as much as possible
Upload documents from undamaged databases
Retranscribe documents from dictation system
Obtain copies from recipients of previously distributed copies

Emergency Mode of Operations
In a healthcare organization, may include recording clinical information:
How will the information be collected?
How will the information be secured?

Figure 13.5 includes a sample disaster plan and checklist.
Figure 13.6 is a sample contingency plan.

Emergency Mode of Operations
Determine other core operations (for example, MPI and transcription)
Identify contingency plan for each type of disaster and core process
Consider temporary and long-term effects of disasters
Anticipate operations both with and without electricity

Resources to Assist with Threats
Computer Security Resource Center of National Institute of Standards and Technology (NIST)
National Cyber Security Alliance (NCSA)
SANS Institute
AHIMA
