By Staff Reporters

SPONSOR: http://www.HealthDictionarySeries.org

***

***

Much has been written and much has been opined on the topic of health information technology, electronic health records and medical security liability for physicians and healthcare providers in this textbook. But occasionally, we all still get lost in a wide array of acronyms, jargon and terms that are constantly changing in this ecosystem. And so, this brief glossary serves as a ready reference for those who want to know about these definitions in a quick and ready fashion.

Access control: The process of controlling the access of a user

Access security: To allow computer or healthcare network entry using ID / password / secure socket layer (SSL) encryption / biometrics, etc; unique identification and password assignments are usually made to medical staff members for access to medical information on a need-to-know basis, and only upon written authority of the owner of the data.

Access level authorization: Establishes a procedure to determine the computer or network access level granted to individuals working on or near protected health information, medical data or secure health data.

Accredited standards committee: Organization that helps develop American National Standards (ANS) for computer and health information technology; accredited by ANSI for the development of American National Standards; ASC X12N develops medical electronic business exchange controls like 835-Health Care Claim Payment/Advice and 837-Health Care Claim.

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Accounting: Creating an historical record of who was authenticated, at what time, and how long they accessed the computer system.

Administrative simplification: The use of electronic standard code sets for health information exchange; Title II, Subtitle F of HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care and medical information.

Alternative backup sites: Off-site locations that are used for transferring computer operations in the event of an emergency.

American Health Information Management Association: A large trade association of health information and medical data management professionals.

American Medical Informatics Association: An organization that promotes the use of electronic medical management and healthcare informatics for clinical and administrative endeavors.

American Telemedicine Association: Established in 1993 as a leading resource and advocate promoting access to medical care for patients and health professionals via telecommunications technology; membership open to individuals, companies, and other organizations with an interest in promoting the deployment of telemedicine throughout the world.

Anti-virus software: A software package or subscription service used to thwart malicious computer or network attacks, such as: Symantec®, McAfee®, Trend Micro®, Panda Software®, Sunbelt Software®, Computer Associates®, AVG® or MS-FF ®, etc.

Anti-Worm: A software patch, fix; glitch repairer; do-gooder virus; slang term.  

ASC X12N: HIPAA transmission standards, specifications and implementation guides from the Washington Publishing Company; or the National Council of Prescription Drug Programs.

Assurance: Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Asymmetric cryptology: The use of two different but mathematically related electronic keys for secure health data and medical information storage, transmission and manipulation.

Asymmetric encryption: Encryption and decryption performed using two different keys, one of which is referred to as the public key and one of which is referred to as the private key; also known as public-key encryption.

Asymmetric key: A half of a key pair used in an asymmetric “public-key” encryption system with two important properties: (1) the key used for encryption is different from the one used for decryption, (2) neither key can feasibly be derived from the other.

Attack tree: An inverted tree diagram that provides a visual image of the attacks that may occur against an asset.

Audio teleconferencing: A multi-simultaneous dual voice communications between two parties at remote locations; two way communications between physician and patient at various locations.

Authentication: The process of verifying and confirming the identity of a user.

Availability: The security goal that generates the requirement for protection against – Intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data.

Back door: A means to access to a computer program that bypasses security mechanisms, sometimes installed by a programmer so that the program can be accessed for troubleshooting or other purposes.

Back door trojans or bots: Currently, the biggest threat to healthcare and all PC users worldwide according to the MSFT Corporation.® 

Bandwidth: The amount of information that can be carried over a communications link.

Bar coding systems: Final FDA ruling issued in February 2004 that required bar codes on most prescription and non-prescription medications used in hospitals and dispensed based on a physician’s order; the bar code must contain at least the National Drug Code (NDC) number, which specifically identifies the drug; although hospitals are not required at this time to have a bar code reading system on the wards, this ruling has heightened the priority of implementing hospital-wide systems for patient-drug matching using bar codes.

Baud: A unit of digital transmission that indicates the speed of information flow. The rate indicates the number of events able to be processed in one second and is expressed as bits per second (bps). The baud rate is the standard unit of measure for data transmission capability; typical older rates were 1200, 2400, 9600, and 14,400 baud; the signaling rate of a telephone line in the number of transitions made in a second; 1/300 sec = 300 baud.

Beta test: The secondary or final stress examination of newly developed computer hardware, software or peripheral devices; site, etc.

Bibliographic database: Indexed computer or printed source of citations of journal articles and other reports in the literature; typically include author, title, source, abstract, and/or related information; MEDLINE® and EMBASE®.

Bioinformatics: The application of medical and biological science to the health information management field.

Biological Information technology: Cross industry alliance of the Microsoft Corporation to enhance the ability to use and share digital health and biomedical data.

Biometric: Personal security identity characteristics, such as a signature, fingerprints, voice, iris or retinal scan, hand or foot vein geometry, facial characteristics, hair analysis, eye, blood vessel or DNA; uses the unique human characteristics of a person as a means of authenticating.

Biometric identification: Secure identification using biometrics that identifies a human from a measurement of a physical feature or repeatable action of the individual (for example, hand geometry, retinal scan, iris scan, fingerprint patterns, facial characteristics, DNA sequence characteristics, voice prints, and hand written signature).

Biopassword: Start-up healthcare IT security pioneer of keyboarding patterns to boost online security through neural network patterns.

Bluetooth® device: Machines, like cell phone with headset, transmitting across communications channels 1 to 14, over time.

Bluetooth® technology: Wireless mobile technology standard built into millions of mobile phones, headsets, portable computers, desktops and notebooks; named after Harold Bluetooth, a 10th century Viking king; healthcare telemetry and rural data transmissions; the Bluetooth Special Interest Group (BSIG) advocates measures aimed at pushing healthcare interoperability for wireless devices and other computers designed for use in the medical field; other wireless stands include: Wi-Fi, ZigBe®, IrDA and RFID.

Buffer: A temporary storage area.

Buffer overflow: A security breach that occurs when a computer program attempts to stuff more data into a temporary storage area than it can hold

Business continuity plan: A plan that outlines the procedures to follow after a business experiences an attack on its security.

California Database Security Breach Act: A state act that requires disclosure to California residents if a breach of personal information has or is believed to have occurred.

Certification authority: An independent third-party organization that assigns digital certificates.

Chain of custody: A process that documents everyone who has had contact with or direct possession of the evidence.

Chain of trust: Suggestion that each and every covered entity and business associate share responsibility and accountability for confidential PHI. 

Chain of trust agreement: Contract entered into by two business partners in which it is agreed to exchange data and that the first party will transmit information to the second party, where the data transmitted is agreed to be protected between the partners; sender and receiver depend upon each other to maintain the integrity and confidentiality of the transmitted information; multiple two-party contracts may be involved in moving information from the originator to the ultimate recipient; for example, a provider may contract with a clearing house to transmit claims to the clearing house; the clearing house, in turn, may contract with another clearing house or with a payer for the further transmittal of those same claims.

Children’s Online Privacy Protection Act: A federal act that requires operators of online services or Web sites directed at children under the age of 13 to obtain parental consent prior to the collection, use, disclosure, or display of a child’s personal information.

Cipher lock: A combination lock that uses buttons that must be pushed in the proper sequence in order to open the door.

Clearing house: HIPAA medical invoice, healthcare data transaction exchange and medical data implementation service center that that meets or exceeds Federally-mandated standardized Electronic Data Interchange (EDI) transaction requirements.

Clinger-Cohen Act: Public Law 104-106; Information Technology Management Reform Act (ITMRA) of 1996.

Clinical data: Protected Health Information (PHI) from patient, physician, laboratory, clinic, hospital and/or payer, etc; identifiable patient medical information.

Clinical data information systems: Automatic and securely connected system of integrated computers, central severs and the Internet that transmits Protected Health Information (PHI) from patient, physician, laboratory, clinic, hospital and/or payer, etc.

Clinical data repository: Electronic storehouse of encrypted patient medical information; clinical data storage.

Clinical informatics: The management of medical and clinical data; the use of computers, networks and IT for patient care and health administration.

Clinical information: All the related medical information about a patient; Protected Health Information (PHI) from patients, providers, laboratories, clinics, hospitals and/or payers or other stakeholders, etc.

Clinical information system:  A computer network systems that supports patient care; relating exclusively to the information regarding the care of a patient, rather than administrative data, this hospital-based information system is designed to collect and organize data.

Clinical regional health information system: Electronic entity committed to securely share private patient health information among entities like medical providers, clinics, laboratories, hospitals, outpatient centers, hospice and other healthcare facilities; Community Health Management Information Systems (CHMIS), Enterprise Information Networks (EINs), Regional Health Information Networks (RHINs) and Health Information Networks (HINs).

Cold site: An alternative backup site that provides the basic computing infrastructure, such as wiring and ventilation, but very little equipment.

Compact disc – read only memory (CD-ROM): A computer drive that can read CD-R and CD-RW discs.

Compact disc – recordable (CD-R): An optical disc that contains up to 650 megabytes of data and cannot be changed once recorded.

Compact disc – rewriteable (CD-RW): An optical disc that can be used to record data, erase it, and re-record again.

Computer security: A computer or network that is free from threats against it.

Computerized Physician Order Entry System: Automatic medical provider electronic medical chart ordering system that usually includes seven features: medication analysis, system order clarity, increased work efficiency, point of care utilization, benchmarking and performance tracking, on-line alerts and regulatory reporting.

Confidential health information: Protected Health Information (PHI) that is prohibited from free-use and secured from unauthorized dissemination or use; patient specific medical data.

Counter signature: The ability to prove the order of application of signatures; analogous to the normal business practice of signing a document which has already been signed by another party (ASTM E 1762 -95); part of a digital signature.

Covered entity: 42 CFR § 164.504(e)(2)(i)(B). Any of three broadly defined entities that deal with protected health information (PHI): providers, individuals or group health plans, and clearinghouses.

Cracker: A person who breaks into or otherwise violates the system security with a malicious intent.

Cryptography: The science of transforming information so that it is secure while it is being transmitted or stored.

Cyber-terrorism: Attacks by a terrorist group using computer technology and the Internet to cripple or disable a nation’s electronic infrastructure.

Data backup: The process of copying data to another media and storing it in a secure location.

Data encryption standard: An older health or medical data private key cryptology federal protocol for secure information exchange; replaced by AES.

Data interchange standard: X12 HIPAA health data transmission standard format.

Data interchange standard association: The organization that provides X12 HIPAA transmission standards and formats.

Deadbolt lock: A lock that extends a solid metal bar into the door frame for extra security.

Decision support system: Computer tools or applications to assist physicians in clinical decisions by providing evidence-based knowledge in the context of patient-specific data; examples include drug interaction alerts at the time medication is prescribed and reminders for specific guideline-based interventions during the care of patients with chronic disease; information should be presented in a patient-centric view of individual care and also in a population or aggregate view to support population management and quality improvement.

Decryption: Changing an encrypted message back to its original form.

Definition files: Files that contain updated antivirus information.

De-identified health information: Protected health information that is no longer individually identifiable health information; a covered entity may determine that health information is not individually identifiable health information only if: (1) a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable determines that the risk is very small that the information could be used, alone or in combination with other available information, to identify an individual, and documents the methods and results of the analysis; or (2) the following identifiers of the individual, relatives, employers or household members of the individual are removed.

Denial of service: The prevention of authorized access to resources or the delaying of time critical operations.

Designated record set: Contains medical and billing records and any other records that a physician and/or medical practice utilizes for making decisions about a patient;  a hospital, emerging healthcare organization, or other healthcare organization is to define which set of information comprises “protected health information” and which set does not; contains medical or mixed billing records, and any other information that a physician and/or medical practice utilizes for making decisions about a patient.  It is up to the hospital, EHO, or healthcare organization to define which set of information comprises “protected health information” and which does not though logically this should not differ from locale to locale.  The patient has the right to know who in the lengthy data chain has seen their PHI. This sets up an audit challenge for the medical organization, especially if the accountability is programmed, and other examiners view the document without cause.

Designated standard: HIPAA standard as assigned by the department of HHS

Device lock: A steel cable and a lock used to secure a notebook computer.

Digital certificate: A certificate that binds a specific person to a public key.

Digital imaging and communications in medicine: Technology broadband transmission imaging standards for X-rays, MRIs, CT and PET scans, etc; health IT standard transmissions platform aimed at enabling different computing platforms to share image data without compatibility problems; a set of protocols describing how radiology images are identified and formatted that is vendor-independent and developed by the American College of Radiology and the National Electronic Manufacturers Association. 

Digital radiology: Medical digital imaging applied to x-rays, CT, PET scans and related non-invasive and invasive technology; broadband intensive imaging telemedicine.

Digital rights management: The control and protection of digital intellectual property.

Digital signature: Encrypted electronic authorization with verification and security protection; private and public key infrastructure; based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters so that the identity of the signer and the integrity of medical or other data can be verified.

Digital signature standard: Encryption technology to ensure electronic medical data transmission integrity and authentication of both sender and receiver; date and time stamps; public and private key infrastructure.

Digital versatile disc – recordable (DVD-R): An optical disc technology that can record once up to 3.95 gigabytes of data on a single-sided disc and 7.9 GB on a double-sided disc.

Digital versatile disc – rewriteable (DVD-RAM): An optical disc technology that can record, erase, and re-record data and has a capacity of 2.6 GB (single side) or 5.2 GB (double side).

Digital versatile disc (DVD): A technology that permits large amounts of data to be stored on an optical disc.

Disaster recovery plan: A process to restore vital health and/or critical healthcare technology systems in the event of a medical practice, clinic, hospital or healthcare business interruption from human, technical or natural causes; focuses mainly on technology systems, encompassing critical hardware, operating and application software, and any tertiary elements required to support the operating environment; must support the process requirements to restore vital company data inside the defined business requirements; does not take into consideration the overall operating environment; an emergency mode operation plan is still necessary.

Disclosure: Release of PHI outside a covered entity or business agreement space, under HIPAA; the release, transfer, provision of access to or divulging of medical information outside the entity holding the information.

Disc – rewriteable (DVD-RW): An optical disc technology that allows data to be recorded, erased, and re-recorded.

Due care: Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

e-health: Emerging field in the intersection of medical informatics, public health and business, referring to health services and information delivered or enhanced through the Internet and related technologies; characterizes not only a technical development, but also a state-of-mind, attitude, and a commitment for networked, global thinking, to improve health care worldwide by using information and communication technology.

Electronic data interchange: Inter healthcare organization computer-to-computer transmission of business or health information in a standard format; direct transmission from the originating application program to the receiving, or processing, application program; an EDI transmission consists only of business or health data, not any accompanying verbiage or free-form messages; a standard format is one that is approved by a national or international standards organization, as opposed to formats developed by health industry groups, medical practices, clinics or companies; the electronic transmission of secure medical and financial data in the healthcare industrial complex; X12 and similar variable-length formats for the electronic exchange of structured health data. The Centers for Medicare and Medicaid Services (CMS) regulates security and Electronic Data Interchange (EDI).

Electronic data interchange standards: The American National Standards Institute (ANSI) set of EDI standards known as the X12 standards. These standards have been developed by private sector standards development organizations (SDOs) and are maintained by the Accredited Standards Committee (ASC) X12. ANSI ASC X12N standards, Version 4010, were chosen for all of the transactions except retail pharmacy transactions, which continue to use the standard maintained by the National Council for Prescription Drug Programs (NCPDP) because it is already in widespread use. The NCPDP Telecommunications Standard Format Version 5.1 and equivalent NCPDP Batch Standard Version 1.0 have been adopted in this rule (health plans will be required to support one of these two NCPDP formats). The standards are designed to work across industry and company boundaries. Changes and updates to the standards are made by consensus, reflecting the needs of the entire base of standards users, rather than those of a single organization or business sector. Specifically, the following nine healthcare transactions were required to use X12N standard electronic claim formats by October 16, 2003.

Electronic health record: A real-time patient health record with access to evidence-based decision support tools that can be used to aid clinicians in decision-making; the EHR can automate and streamline a clinician’s workflow, ensuring that all clinical information is communicated; prevents delays in response that result in gaps in care; can also support the collection of data for uses other than clinical care, such as billing, quality management, outcome reporting, and public health disease surveillance and reporting; electronic medical record.

Electronic medication administrative record: Electrical file keeping computerized system for tracking clinical medication dispensation and use; integrated with TPAs, PBMs, robotic dispensing devices and CPOEs, etc.

Electronic medical (media) claims: Usually refers to a flat file format used to transmit or transport medical claims, such as the 192-byte UB-92 Institutional EMC format and the 320-byte Professional EMC-NSF.

Electronic prescribing: A type of computer technology whereby physicians use handheld or personal computer devices to review drug and formulary coverage and to transmit prescriptions to a printer or to a local pharmacy; e-prescribing software can be integrated into existing clinical information systems to allow physician access to patient-specific information to screen for drug interactions and allergies.

Electronic preventive services selector: A digital tool for primary care clinicians to use when recommending preventive services for their patients unveiled by the Department of Health and Human Services’ Agency for Healthcare Research and Quality (AHRQ), in November 2006;  designed for use on a personal digital assistant (PDA) or desktop computer to allow clinicians to access the latest recommendations from the AHRQ-sponsored U.S. Preventive Services Task Force; designed to serve as an aid to clinical decision-making at the point of care and contains 110 recommendations for specific populations covering 59 separate preventive services topics; a real time search function allows a clinician to input a patient’s age, gender, and selected behavioral risk factors, such as whether or not they smoke, in the appropriate fields, while the software cross-references the patient characteristics entered with the applicable Task Force recommendations and generates a report specifically tailored for that patient.

Electronic signature: Various date and time stamped electronic security verification systems, such as passwords, encryption, ID numbers, biometrics identifiers, etc; electrical transmission and authentication of real signatories; signatory attribute that is affixed to an electronic health document to bind it to a particular entity; an electronic signature process secures the user authentication (proof of claimed health identity, such as by biometrics (fingerprints, retinal scans, hand written signature verification, etc.), tokens or passwords) at the time the signature is generated; creates the logical manifestation of signature (including the possibility for multiple parties to sign a medical document and have the order of application recognized and proven) and supplies additional information such as time stamp and signature purpose specific to that user; and ensures the integrity of the signed document to enable transportability, interoperability, independent verifiability, and continuity of signature capability; verifying a signature on a document verifies the integrity of the document and associated attributes and verifies the identity of the signer; there are several technologies available for user authentication, including passwords, cryptography, and biometrics (ASTM 1762-95).

Encryption: Changing the original text to a secret message.

Gigabytes (GB): Billions of bytes of data.

Gramm-Leach-Bliley Act: A federal act that requires private data be protected by banks and financial institutions.

Hacker: A person who possesses advanced computer skills and is adept at exploring computers and networks in order to break into them.

HEALTH 1.0:  This is the dying healthcare system of yesterday and today. Information is communicated from doctors to patients. It is a basic B2C [business-to-consumer] website as the internet became one big encyclopedia by aggregating knowledge silos. Some doctors maintain websites, others do not. Nevertheless, Health 1.0 has a command and control hierarchy; doctors on top of the pyramid, patients on the bottom.

HEALTH 2.0:  According to Matthew Holt [personal communication] Healthcare 2.0 may be defined as: “The foundation of healthcare 2.0 is information exchange plus technology. It employs user-generated content, social networks and decision support tools to address the problems of inaccessible, fragmentary or unusable health care information. Healthcare 2.0 connects users to new kinds of information, fundamentally changing the consumer experience (e.g., buying insurance or deciding on/managing treatment), clinical decision-making (e.g., risk identification or use of best practices) and business processes (e.g., supply-chain management or business analytics)”.

And so, if Health 1.0 was a static book, Health 2.0 is a dynamic discussion

Example: The power of the internet is illustrated in the phenomenon of “crowd-sourcing.” In this context, the term means to harvest the reach of social networking [wisdom of crowds] to solve a problem. A knowledge seeker asks a question and participants respond.  For example, readers can participate on the www.MedicalExecutivePost.com or www.BusinessofMedicalPractice.com sites to improve the administration of any medical practice. And, www.PodiatryPrep.com is an example of how podiatrists connect for global board certification assistance.

***

***

HEALTH 2.0 Plus:The Dictionary of Health Insurance and Managed Care defines this emerging hybrid as a bridge uniting the philosophy of contemporary Health 2.0 with futuristic Health 3.0 technologies. Cisco System’s HealthPresence is one example developed in 2010, by Dr. T. Warner Hudson. Using the network as a platform, HealthPresence combines video, audio and information to create an environment similar to what patients experience when they visit their own doctor.

HEALTH 3.0: Soon, patients will not only be seeking information; but actionable intelligence – whether it is artificial or real. Patients will communicate almost as with another patient or doctor. The internet won’t just blindly do what we tell it to do – it will think and represent some amazing opportunities. For example, imagine your toilet running a SMAC 20 and then being instantly notified of the results by your smart phone? Or; use your iPhone to send pictures and streaming videos of conditions for a second opinion www.KnockingLive.com

Health information technology: The application of information processing involving both computer hardware and software that deals with the storage, retrieval, sharing, and use of health care information, medical data, and knowledge for communication and decision making.

Health information technology auditor: An expert who evaluate a health organization’s computer systems to ensure the proper safeguards are in place to protect and maintain the integrity of the firm’s data; While the position has existed since the mid-1960s, companies that previously employed just a handful of HIT auditors are now significantly adding to their ranks, sometimes doubling, tripling or quadrupling current staff levels; much current demand is due to the Sarbanes-Oxley Act and other legislation aimed at improving corporate governance in the wake of major accounting scandals earlier in the decade; publicly traded hospital systems require the expertise of HIT auditors to meet ongoing compliance requirements; the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), among other regulations, also are fueling the need for HIT auditors.  Health IT auditors must have a general understanding of accounting principles and the strategic vision to ensure a health organization’s HIT systems allow it to achieve its short- and long-term objectives. Many hospitals promote from within for this role. Health facilities who look outside the organization for these professionals usually seek candidates with experience, knowledge of healthcare of emerging technologies and issues, and increasingly, certifications such as the certified information systems auditor (CISA) designation.

Health information technology promotion act: Legislation to accelerate the adoption of interoperable electronic health records by ensuring uniform standards, championed by Rep. Nancy Johnson, R-Conn, (H.R. 4157) which would: codify the Office of the National Coordinator for Health Information Technology in statute and delineate its ongoing responsibilities; create exceptions to the fraud and abuse statutes to allow certain providers to fund health information technology equipment and services for other providers; and provide for a study of federal and state health privacy policies.

Health Insurance Portability and Accountability Act (HIPAA): A federal act that requires enterprises in the health sector to guard protected health information and implement policies and procedures to safeguard it.

Health level seven: An international community of healthcare subject matter experts and information technology physicians and scientists collaborating to create standards for the exchange, management and integration of protected electronic healthcare information; the Ann Arbor, Mich.-based Health Level Seven (HL7) standards developing organization has evolved Version 3 of its standard, which includes the Reference Information Model (RIM) and Data Type Specification (both ANSI standards); HL7 Version 3 is the only standard that specifically deals with creation of semantically interoperable healthcare information, essential to building the national infrastructure; HL7 promotes the use of standards within and among healthcare organizations to increase the effectiveness and efficiency of healthcare delivery for the benefit of all patient, payers, and third parties; uses an Open System Interconnection (OSI) and high level seven healthcare electronic communication protocol that is unique in the medical information management technology space and modeled after the International Standards Organization (ISO) and American National Standards Institute (ANSI); each has a particular healthcare domain such as pharmacy, medical devices, imaging or insurance (claims processing) transactions. Health Level Seven’s domain is clinical and administrative data.

Hot site: An alternative backup site that contains the same equipment as found in the organization’s actual IT center.

Human firewall: An employee who practices good security techniques to prevent any security attacks from passing through them.

Incident response team: An employee team charged with gathering and handling the digital evidence of an attack.

Individually identifiable health information: Medical information that is created or received by a covered entity; relates to the physical or mental health condition of an individual, provision of health care or the payment for the provision of health care; identifies the individual or there is reasonable belief that the information can be used to identify the individual.

Information security: A computer or network that is free from threats against it.

Integrity: The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).

Intellectual property: Works created by others such as books, music, plays, paintings, and photographs.

IT-related risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:

* Unauthorized (malicious or accidental) disclosure, modification, or destruction of information

* Unintentional errors and omissions

* IT disruptions due to natural or man-made disasters

* Failure to exercise due care and diligence in the implementation and operation of the IT system.

Key-in-knob lock: A basic lock that has the lock mechanism embedded in the knob or handle.

Keystroke logger: A type of hardware spyware that captures keystrokes as they are typed.

Logic bombs: A computer program that lies dormant until it is triggered by a specific event.

Lossless: To compress electronic digital data.

Malicious code: Programs that are intentionally created to break into secure computers or to create havoc after the computers are accessed.

Master patient index: Healthcare facility composite that links and assists in tracking patient, person, or member activity within an organization (or health enterprise) and across patient care settings; hardcopy or electronic identification of all patients treated in a facility or enterprise and lists the medical record or identification number associated with the name; can be maintained manually or as part of a computerized system; typically, those for healthcare facilities are retained permanently, while those for insurers, registries, or others may have different retention periods; a database of all the patients ever registered (within reason) at a facility; name, demographics, insurance, next of kin, spouse, etc.

Medically unbelievablE event: Implemented on Jan. 1, 2007, the CMS blockage of payments for medical services that make no sense based on “anatomic considerations” or medical reasonableness when the same patient, date of service, HCPCS code or provider is involved; unlike other National Correct Coding Initiative (NCCI) edits, MUEs can’t be overridden by a modifier because there will never be a scenario where the physician had a good reason to submit a claim for removing a second appendix from the same person; etc.

Megabytes (MB): Millions of bytes of storage.

Memory stick: USB flash or non-volatile storage device; Sony CompactFlash®, pen or mini-drive; flash card, smart media, slang terms.

Mesh: Medical Subject Headings, the controlled vocabulary of about 16,000 terms used for MEDLINE and certain other MEDLARS databases.

Minimum necessary: The amount of protected health information shared among internal or external parties determined to me the smallest amount needed to accomplish its purpose for Use or Disclosure; the amount of health information or medical data needed to accomplish a purpose varies by job title, CE or job classification.

Minimum necessary rule: HIPAA regulation that suggests any PHI used to identify a patient, such as a social security number, home address or phone number; divulge only essential elements for use in transferring information from patient record to anyone else that requires the information; especially important with financial information; changes the way software is written and vendor access is provided.  The “Minimum Necessary” Rule states the minimum use of PHI that can be used to identify a person, such as a social security number, home address or phone number. Only the essential elements are to be used in transferring information from the patient record to anyone else that needs this information.  This is especially important when financial information is being addressed.  Only the minimum codes necessary to determine the cost should be provided to the financial department.  No other information should be accessed by that department.  Many institutions have systems where a registration or accounting clerk can pull up as much information as a doctor or nurse, but this is now against HIPAA policy and subject to penalties.  The “minimum necessary” rule is also changing the way software is set up and vendor access is provided. 

Mirror site: A secondary location identical to the primary IT site that constantly receives a copy of data from the primary site.

National health information network: The technologies, standards, laws, policies, programs and practices that enable health information to be shared among health decision makers, including consumers and patients, to promote improvements in health and healthcare; vision for the NHII began more than a decade ago with publication of an Institute of Medicine report, The Computer-Based Patient Record. The path to a national network of healthcare information is through the successful establishment of Regional Health Information Organizations (RHIO).

National provider identifier: Originally was an eight-digit alphanumeric identifier. However, the healthcare industry widely criticized this format, claiming that major information systems incompatibilities would make it too expensive and difficult to implement. DHHS therefore revised its recommendation, instead specifying a 10-position numeric identifier with a check digit in the last position to help detect keying errors. The NPI carries no intelligence; in other words, its characters will not in themselves provide information about the provider. More recently, CMS announced that HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans, must use only the NPI to identify covered healthcare providers in standard transactions by May 23, 2007. Small health plans must use only the NPI by May 23, 2008. The proposal for a Standard Unique National Health Plan (Payer) Identifier was withdrawn on February, 2006. (According to CMS, “withdrawn” simply means that there is not a specific publication date at this time. Development of the rule has been delayed; however, when the exact date is determined, the rule will be put back on the agenda.)

Network: A group of interconnected computers.

Notebook safe: A special safe secured to a wall or the trunk of a car used for storing a notebook computer.

Operating system hardening: Steps that can be taken to make a personal computer operating system more secure.

Optical disc: A disc that uses laser technology to record data.

Password: A secret combination of words or numbers that authenticates or identifies the user.

Patch: A software update to correct a problem.

Patch management: Tools, utilities, and processes for keeping computers up to date with new software updates that are developed after a software product is released.

Pharmacy information system: Drug tracking and dispensation related health management information system for hospitals and healthcare organizations.

PhisHing: An attempt to fraudulent gather confidential information by masquerading as a trustworthy entity, person or business in an apparently official email, text message or website; carding or spoofing; video vishing; phish-tank; vish-tank; slang terms.

Physical security: The process of protecting the computer itself.

Port scanning: Sending a flood of information to all of the possible network connections on a computer.

Ports: The network connections on a computer.

Preset lock: A basic lock that has the lock mechanism embedded in the knob or handle.

Privacy: The quality or state of being hidden, encrypted, obscure, or undisclosed; especially medical data or PHI.

Privacy act: Federal legislature of 1974 which required giving patient some control over their PHI.

Privacy enhanced mail: Email message standard protocol for enhanced medical, health data or other security.

Privacy officer: A medical entity’s protected client information and security officer; required by each covered entity, to be responsible for “the development and implementation of the policies and procedures” necessary for compliance.

Privacy rule: The Federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 that created national standards to protect medical records and other protected health information. The Office of Civil Rights (OCR) within the Department of Health and Human Services (DHHS) regulates the privacy rules.

Privacy standards: Any protocol to ensure the confidentiality of PHI.

Private key system: A means of cryptography where the same key is used to both encrypt and decrypt a message.

Public key system: A means of cryptography where two keys are used.

Records, medical: 20 U.S.C. 1232g(a)(4)(B)(iv), all:

* Psychotherapy notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record; excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.

* Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

* Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law; includes but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

Regional health information organization: A multi-stakeholder organization that enables the exchange and use of health information, in a secure manner, for the purpose of promoting the improvement of health quality, safety and efficiency; the U.S. Department of Health and Human Services see RHIOs as the building blocks for the national health information network (NHIN) that will provide universal access to electronic health records; other experts maintain that RHIOs will help eliminate some administrative costs associated with paper-based patient records, provide quick access to automated test results and offer a consolidated view of a patient’s history.

Risk assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact.

Risk management: The total process of identifying, controlling, and mitigating information system–related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards.  This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

Royalties: Payment to the owner or creator of intellectual property for their work.

Sarbanes-Oxley Act (Sarbox): A federal act that enforces reporting requirements and internal controls on electronic financial reporting systems.

Scanning: Locating a computer that can be broken into.

Script kiddies: Younger and less sophisticated users who break into a computer with malicious intent.

Secure virtual private network: Cryptographic tunneling protocols to provide the necessary health data confidentiality (preventing snooping), sender authentication (preventing identity spoofing), and message integrity (preventing message alteration) to achieve the medical privacy intended. When properly chosen, implemented, and used, such techniques can provide secure communications over unsecured networks.

Security: A set of healthcare information technology system characteristic and  mechanisms which span the system both logically and physically; electronic access control against unauthorized intervention, both friendly or malicious;  encompasses all of the safeguards in an information system, including hardware, software, personnel policies, information practice policies, disaster preparedness, and the oversight of all these areas; the purpose of health information security is to protect both the system and the information it contains from unauthorized access from without and from misuse from within; through various security measures, a health information system can shield confidential information from unauthorized access, disclosure and misuse, thus protecting privacy of the individuals who are the subjects of the stored data; security life cycle.

Security administration: The physical and electrical protection features of an IT health system needed to be managed in order to meet the needs of a specific installation and to account for changes in the healthcare entities operational environment.

Security compromise: Physical or electronic data, file, program or transmission error due to malicious miscreants or software interventions; health data confidentiality breach.

Security configuration: Measures, practices, and procedures for the safety of information systems that must be coordinated and integrated with each other and other methods, practices, and procedures of the organization established in order to credential safekeeping policy; provides written security plans, rules, procedures, and instructions concerning all components of a healthcare entity’s security; procedures must give instructions on how to report breaches and how those breaches are to be handled within the organization.

Security configuration management: The measurement of practices and procedures for the security of information systems that is coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of health data security (NIST Pub 800-14).

Security domain: A set of subjects, their information objects, and a common security policy; foundation for IT security is the concept of security domains and enforcement of data and process flow restrictions within and between these domains.

Security goals: The five security goals are integrity, availability, confidentiality, accountability, and assurance.

Security information system: security is a system characteristic and a set of mechanisms that span the system both logically and physically.

Security policy: A formal written policy that outlines the importance of security to the organization and establishes how the security program is organized.

Share: An object that is shared with others over a computer network.

Signature files: Files that contain updated antivirus information.

Smart card: A device that contains a chip that stores the user’s private key, login information, and public key digital certificate.

Sniffing: Listening to the traffic on a computer network and then analyzing it.

Social engineering: Relying on trickery and deceit to break security and gain access to computers.

Spam: Unsolicited e-mail messages.

Spy: A person who has been hired to break into a computer and steal data.

Spyware: Hardware or software that “spies” on what the user is doing and captures that activity without their knowledge.

Stealth signal transmitter: Software installed on a notebook computer that sends a signal that can be traced.

Threat analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

Threat modeling: A process of constructing scenarios of the types of threats that assets face.

Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Token: A security device used to authenticate the user by having the appropriate permission (like a password) embedded into the device.

USA Patriot Act: A federal act designed to broaden the surveillance of law enforcement agencies to enhance the detection and suppression of terrorism.

Username: A unique identifier of a person used to access a computer system.

Virus: A program that secretly attaches itself to other programs and when executed causes harm to a computer.

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Vulnerability assessment: A process to determine what vulnerabilities exist in the current system against these attacks.

Vulnerability assessment managed services: Agencies that use scanning devices connected to probe an organization’s security to look for vulnerabilities.

War driving: A technique used to locate wireless local area networks (WLANs).

WiMax: A more powerful version of Wi-Fi that can provide wireless Internet access over wider geographic location such as a city; an acronym that stands for Worldwide Interoperability for Microwave Access, and is a certification mark for products that pass conformity and interoperability tests for the IEEE 802.16 standards. IEEE 802.16 is working group number 16 of IEEE 802, specializing in point-to-multipoint broadband wireless access.

Wireless hot spot: Specific geographic location in which an access point provides public wireless broadband network services; security is risky for PHI; hotspot.

Wireless local area networks: A computer network that uses radio waves instead of wires to connect computers.

Worm: A program that does not attach itself to other programs or need user intervention to execute.

EDUCATION: Books

ACKNOWLEDGEMENTS: To Richard J. Mata MD MS MI-CIS CMP^™[Hon]; Mackenzie H. Marcinko PhD of iMBA Inc., and Shahid N. Shah MS, Washington DC.

COMMENTS APPRECIATED

Refer, Like and Subscribe

***

***

Filed under: "Ask-an-Advisor", "Doctors Only", Glossary Terms, Health Economics, Health Insurance, Health Law & Policy, Touring with Marcinko | Tagged: dictionary health economics, dictionary health information technology, dictionary health insurance, Health Economics, health information technology, HIT, kenneth arrow, Managed Care, Marcinko, nudge, QALY, Rick Mata, uk-government, wtp | Leave a comment »