Definitions
MedStack Confidential
Metadata
- responsible officer: CTO
- date
  - effective: 2018-06-20
  - revised: 2018-07-03
  - reviewed: 2018-06-20
Applicability
- Standard
  - People: This policy applies to all of our employees, contractors and agents who have access to PHI or who work in proximity to media or devices containing PHI.
  - Customer: This policy applies to all customer organizations and their respective agents who may have access to, and use, our information system assets.
  - Assets: This policy applies to all of our information system assets, including PHI, system administration and security data, hardware, software, communications networks and facilities.
  - Activities: This policy applies to all activities associated with the operation of our information systems and our business operations.
BA
- Business Associate
- Refer to: HIPAA (Business associates)
Backup System
- An automated system developed by us that backs up the database and data on each server.
Breach
- Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
- Refer to: HIPAA 164.402
Cloud Provider
- A major public cloud infrastructure provider, such as Amazon Web Services or Microsoft Azure.
Customer
- Our direct customer, which could be a Covered Entity, a Business Associate, a Health Information Custodian, or otherwise depending on regulatory framework.
EHRi
- Electronic Health Record Infostructure
- Refer to: CHI
Employee
- Same as Workforce Member
HIPAA
- Health Insurance Portability and Accountability Act of 1996, including those requirements and standards amended by the HITECH Act and the HIPAA “Omnibus” Final Rule.
- Refer to: HIPAA
ISMP
- Information Security Management Program
Maturity level (in _metadata)
- Maturity level for each policy
- Refer to: NICE Cybersecurity Workforce Planning CMM definition (page iii) https://niccs.us-cert.gov/sites/default/files/Capability%20Maturity%20Model%20White%20Paper.pdf?trackDocs=Capability%20Maturity%20Model%20White%20Paper.pdf
- details
  - 1. Limited: Limited is the most basic level, portraying a key activity area or segment of an organization’s cybersecurity workforce planning capability that is in its infancy. This level of capability is at its start of development and may be represented by an organization having limited establishment of processes, lacking clear guidance, or having little in terms of data and analysis methods.
  - 2. Progressing: The progressing level describes a key activity area of some aspect of cybersecurity workforce planning which an organization has started to perform, commonly represented by an organization establishing some infrastructure to support workforce planning efforts.
  - 3. Optimizing: Optimizing depicts a key activity area or segment of cybersecurity workforce planning capability that has fully developed, such as one that is integrated with other business processes and can support different levels of workforce and workload analysis, the results of which drive short- and long-term decision making for the cybersecurity workforce.
Mobile devices
- All portable digital devices, such as phones, tablets and laptops.
Operational systems
- All systems and services that are serving data to the internet or to other internet-connected systems, or are managing those systems. Includes servers. Does not include employee workstations.
Password
- This term also includes passphrases and secret access keys (such as SSH keys).
PHI
- Individually identifiable health information
- Protected Health Information
- Personal Health Information
| Code | Section | Title | Text |
|---|---|---|---|
| HIPAA | 160.103 | Definitions: Individually identifiable health information | Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. |
PII
- Personally Identifiable Information
- also referred to as Personal Data
| Code | Section | Title | Text |
|---|---|---|---|
| U.S. Code of Federal Regulations | 2 CFR § 200.79 | Personally Identifiable Information (PII) | PII means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Some information that is considered to be PII is available in public sources such as telephone books, public Web sites, and university listings. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational credentials. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. Non-PII can become PII whenever additional information is made publicly available, in any medium and from any source, that, when combined with other available information, could be used to identify an individual. |
| NIST | Special Publication 800-122 | Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) | PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” |
| GDPR | Article 4(1) | personal data | ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; |
| PIPEDA | 2(1) | personal information | personal information means information about an identifiable individual. |
PoS
- Point of Service
- Refer to: CHI
Secret Key
- A password, passphrase, or randomly generated secret.
Server
- Usually a Linux Virtual Machine.
SLA
- Service Level Agreement.
Telework
- Telecommuting or working remotely in a non-owned-office environment, such as:
  - home
  - third-party office (such as a co-working space)
  - public environment (such as a coffee shop)
  - while travelling
Unsecured protected health information
- Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
- Refer to: HIPAA 164.402
Vendor
- Service provider to us, which could be a Business Associate or otherwise depending on regulatory framework.
Employees
- Employees, volunteers and trainees; may also include other persons whose conduct is under our direct control (whether or not they are paid by us).
References
| Code | Section | Title | Text |
|---|---|---|---|
| HIPAA | 160.103 | Definitions | |