A rose for emily quiz answers

Quiz For IT: Electronic Documents Management ,20 Questions Multiple Choice

1-The HIPAA Security Rule protects:

verbal data

electronic data

written data

All of the above

2-According to HIPAA, PHI does NOT include:

IP addresses

Patient's past medical treatment information

Payments for health care provision

Health information with the identifiers removed

3-Which of the following access control mechanisms used to prevent employees from copying a document labeled with high security to another document labeled with 'public'?

Firewall

Zones

Encryption

Archive

4-It would be appropriate to release patient information to:

the patient's (non-attending) physician brother

personnel from the hospital the patient transferred from 2 days ago, who is calling to check on the patient

the respiratory therapy personnel doing an ordered procedure

retired physician who is a friend of the family

5-Healthcare providers must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits under:

HIPAA

EHR

FCRA

FERPA

6-The mission of the law is to protect consumers’ personal financial information held by financial institutions

PCAOB

PHR

HIPAA

GLB

7-Which of the following statements about retention principles is true?

Organizations should keep business records as long as possible.

We only need to manage the records that are in use.

How long the records should be kept depends on the legal requirements and business needs.

Due to the security consideration, organizations should retain records longer than required.

8-Red flag rule requires that financial institutions:

must implement a written Identity Theft prevention Program

must comply with PCI standards

notify the customer that they may be a victim of identity theft

All of the above

9-Restricting access to the IT Department office of a hospital would fall under which type of safeguard required by the Security Rule of HIPAA?

electronic

technical

physical

administrative

10-According to Omnibus Final Rule, which of the following statements are correct?

If one EMR software vendor needs access to PHI, it would need to complete a BAA.

Business associates does not include entity that maintain PHI.

A BAA is required for the US Postal Service.

Cloud service providers for EMR storage and backup are not liable for compliance with the HIPAA privacy rule.

11-Which of the following is not part of the PII definition established by GAPP:

Address

Credit card number

Student ID

Medical information

12-This term refers to the security practice where no one has more access than is needed to do their job

Auditing

Least privilege

Authentication

CIA Triangle

13-The law “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws, and for other purposes.”

CIA

PCI

SOX

SEC

14-Being able to recover records after a disaster:

Effectiveness

Efficiency

Competency

Continuity

15-Law that requires a free credit report annually

FACTA

Red Flag Rule

FERPA

FCRA

16-Any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available

PII

NPI

FTC

PIN

17-Which of the following is specific to the health care industry?

PII

Non-public financial information

Student academic record

PHI

18-The statutory requirement that public companies submit quarterly and annual reports is promulgated by which agency:

FBI

SEC

CIA

CICA

19-Disposition is not part of the records management lifecycle.

True.

False.

20-In the CIA Triangle, the letters refer to what:

Confidentiality, Integrity, and Availability

Central Intelligence Agency

Confidentiality, Intrusion, and Availability

Cybersecurity In Action

iPhone
Functionality Requirements

3

▪ Policy and Rules ▪ Creating, maintaining, and enforcing information management policies,

whether a result of law and regulation, internal policy and process, or business agreements

▪ Must operate across technology platforms and resources

▪ Examples include policies for retention, disposition, security, privacy, use, and distribution.

▪ Content Management ▪ Creating, templating, capturing, storing, version managing, retaining,

archiving, disposing, collaborating, holding and preserving information

▪ Configuration Management ▪ Establishing ownership and custodial responsibilities and business

application dependencies

▪ Classification ▪ Classification of data, including the ability to distinguish between

business records and non-business information, classified and non- classified in the government sense, personally identifiable information (PII), and classifying information based on policy attributes

▪ Crawling (Gathering) ▪ Locating and gathering unstructured information scattered across the

information management environment

Functionality Requirements (Continued)

4

▪ Information Access and Discovery ▪ Indexing, searching, and discovery across resources

▪ Creation , Transfer and Copy Management ▪ Rules on the creation of information, copies to be maintained, transfer

of information, and de-duplication (single instancing)

▪ Security and Privacy ▪ Policies for identity management, information authentication, access

management, privacy control, use management and auditing

▪ For example, this functionality allows the user to determine the authenticity of business records and to establish and maintain a policy based relationship between users and data

▪ Analytics and Reporting ▪ Monitoring, alerting, and real-time reporting on key information

management events such as policy updates, configuration changes, security anomalies, classification events, and “right-to-know” requests

▪ Compliance and Risk Mitigation ▪ Legal compliance and mitigation of risk resulting from inappropriate use

of the unstructured documents

Security of Electronic Documents

5

▪ Much of computer security also applies to documents: ▪ Network defenses (firewalls, etc)

▪ Access control

▪ Encryption

▪ Journaling and logging

▪ Special techniques: ▪ Digital signatures

▪ Watermarking

▪ Digital Rights Management (DRM)

▪ Preservation

iPhone
iPhone
iPhone
Privacy of Electronic Documents

6

▪ Much of privacy same as other types of data ▪ Privacy policy

▪ Disclosure of personally identifiable information (PII)

▪ Internet access and availability

▪ Breach notification rules

▪ Global variations

▪ Document specific concerns ▪ Classification

▪ Collaboration

▪ Redaction

▪ Proliferation

▪ Source: “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework” , Department of Commerce, December 2010

Known Problems

7

▪ Need for end-to-end solution ▪ From creation to disposal

▪ Lack of scalability

▪ Integration issues

▪ Escalating storage growth

▪ Inflexible policy management

▪ Inaccurate auto-classification engines

▪ Inadequate search capabilities

▪ Increasing regulatory compliance

▪ Increasing amounts of e-discovery

Electronic Document Management

Roadmap

8

▪ Basic principles and objectives

▪ Inventory of document assets (where are they)

▪ Converting existing paper records

▪ Managing distribution inside and outside the

organization

▪ A methodology to automate data classification

▪ Records management policies and procedures

▪ Educational materials (for communicating 'the why')

▪ Training materials (for transferring knowledge of 'the

how')

▪ Auditing and compliance parameters and metrics

▪ A lifecycle strategy/plan for continuous improvement

Making Priorities

9

▪ Get better understanding of the user’s

information flow needs

▪ Identifying the information flow disconnects and

resulting unintentional non-compliance with

regulatory, legislative, and corporate policies

▪ More effective management of cultural change

and better opportunity for project marketing

▪ Initial focus on education (the why) and save

training (the how) for later on in the process

Selecting Tools

10

▪ No single solution available from a vendor that will meet all requirement ▪ All current single solutions will be overkill in some areas and

lacking in others.

▪ Integration of solutions, therefore, will be necessary ▪ Technologies and vendors that do not facilitate and “play

nice” with other solutions should be avoided

▪ Short-term solutions to fix critical business problems may be necessary ▪ Cost of replacing the solution should be built into the

business case and budget

▪ Solutions can and should be different for different departments/LOBs.

▪ The ability to effectively classify data in line with policy must be included in every tool selected

Electronic Discovery

11

From edrm.net

References

▪ ISO 15489

▪ MoReq2

▪ US DOD 5015.2

▪ Other relevant

sources

12

Definition of Record

▪ “Information created, received, and

maintained as evidence and information by

an organization or person, in pursuance of

legal obligations or in the transaction of

business.”

–Source: ISO 15489

13

Key Points of Record

▪ A record could, in principle, be in any form or

format we can think of, so long as it conveys

information.

▪ Records are not only created within

organizations but also received by them.

▪ The word “maintained” indicates that it is not

enough to ‘capture’ records. They have to

be stored, and managed properly once

stored. ▪ Include disposing of records when they are no

longer needed 14

Key Points of Record, Cont’d

▪ For a record to be good evidence (e.g., in a

court case), there must be no doubt that it is

complete and unchanged. ▪ Place requirements on ERM systems

▪ Records need to be kept for two reasons: ▪ Legal obligations

▪ Transaction of business

15

Records Management

16

▪ In the past, the term used to refer only to the management of

records which were no longer in everyday use but still needed to

be kept

▪ Today, refers to the entire 'lifecycle' of records - from the point of

creation right through until their eventual disposal

▪ The ISO 15489-1: 2001 standard ("ISO 15489-1:2001") defines

records management as "[the] field of management responsible

for the efficient and systematic control of the creation, receipt,

maintenance, use and disposition of records, including the

processes for capturing and maintaining evidence of and

information about business activities and transactions in the

form of records“

▪ The ISO considers management of both physical and electronic

records

Question

▪ What is a document?

17

Definition of Document

18

Recorded information or object which can be

treated as a unit.

Source: ISO15489

Information set down in any physical form or

characteristic. A document may or may not meet

the definition of a record.

Source: DoD 5015.2

Document vs. Record

▪ The definition of “document” does not say

anything about whether, or how, the

documents are kept.

▪ The definition of “record” sets out strictly how

they must be managed.

▪ Some documents become records at some

time in their existence. ▪ Others don’t!

▪ Document can be changed by suitably-

authorized people ▪ By definition, document is not necessarily

controlled. 19

Changes to Documents not Records

20

▪ Documents can change BUT records do not

and MUST not change

▪ The record is a document or set of documents,

all relating to a specific matter that has

happened in the past ▪ A record of history

▪ A document could be a work in progress ▪ Subject to change and therefore not a record

automatically

▪ Documents do become records once they are

finalized

Worldwide Shift

▪ In today’s digital world, the distinction between

records and documents has become vague

▪ Any document can be considered a record and any

piece of its content can be extracted and used in a

context different from the original intention of the

document, making it a separate record

▪ The traditional view of records management as a

discipline has been changed ▪ Not restricted in library catalogue and archive

management any more

▪ How records are created and used in

organizations is also reshaped 213/5/2021

Worldwide Shift, cont’d

22

▪ In recent years there has been a worldwide shift toward electronic transactions, in business and government ▪ Internet ▪ Mobile applications ▪ BYOD

▪ People do not to have to be physically present at an office location

▪ Organizations need to be able to access information quickly, easily, and efficiently

▪ Paper files and folders have been used for years and are an ingrained culture

▪ Need to be replaced by electronic document and record management system

Archive

▪ Files that are selected for permanent or long-

term preservation due to enduring historical

value

▪ Area or media used for long-term storage

▪ Inactive or not as active but required to be

maintained for legal or operational reasons

23

Information Leaking

24

▪ Web-facing documents contain confidential data ▪ Internal server?

▪ Spiders?

▪ Multiple drafts before document is published ▪ History ▪ Properties

▪ Redaction

▪ Lost laptops with no access controls

▪ Storage media that do not show sensitive content

▪ Reuse of electronic media ▪ Deleted files?

▪ Credentials easy to forge ▪ Physical access

▪ Small hard drives and thumb drives that can be easily hidden

Protection Against Information

Leakage

25

▪ Not always intentional

▪ Common problems: ▪ Not understanding the information conveyed in

metadata such as in a Word document

▪ Not employing robust encryption protection

▪ Inadequate monitoring of sensitive data and filtering of data leaving a company

▪ Email

▪ IM

▪ FTP

▪ Inadequate erasure of magnetic media

▪ Delete not enough

Google Hacking

26

▪ Uses Google Search and other Google applications to find confidential information in various places on the Web

▪ Examples of sources: ▪ Naming Web tools on Web site: “Powered by:” ▪ Published paper in a professional journal ▪ Employment Ad. describing systems environment

including Web infrastructure ▪ Posting a newsgroup asking for technical advice on an

issue ▪ Blog posting ▪ Biography of researcher indicating areas of research

▪ Need to develop appropriate search patterns to find the information

Need for Controls

27

▪ Controls result from a security policy put in place to manage the problem

▪ If an organization does not have means to identify its assets, cannot protect them from ▪ Unauthorized access

▪ Theft

▪ Compromise

▪ Based on principle of least privilege ▪ Only have access if needed by my job

▪ Organize into security zones to minimize disclosure of sensitive information

▪ Label according to the zone in which it was created

Use of Zones

28

▪ Example: ▪ Public ▪ Internal ▪ Sensitive ▪ Confidential ▪ High security

▪ Cannot move a document created in one zone to a zone of lesser security without some form of control ▪ Redaction

▪ Only public documents can be used on mobile applications

▪ Security auditing software is used to check that documents are labeled and in the appropriate zone otherwise an alert is raised

Mobile Devices

29

▪ Increasingly mobile and digital society ▪ PDAs

▪ Laptops

▪ Cell phones

▪ Thumb drives

▪ CD/DVDs

▪ Mobile devices become easy target ▪ Small and easy to conceal

▪ Easy to resell device

▪ Information may be valuable for fraud or

blackmail activities

Losing Mobile Devices

30

▪ Nearly every type of organization has reported

a data breach because of a lost mobile devices ▪ Hospital

▪ University

▪ Financial services company/bank

▪ Government agencies

▪ Three preventative measures: ▪ User education: carelessness is major cause

▪ Tracking lost devices

▪ Protecting information

▪ “Bogus” data added

▪ Encryption

Implementing an Organization-

Wide System

31

▪ The vast majority of organizations have not implemented an organization-wide system ▪ Some departments are more automated than others

▪ No central source of documents

▪ Much duplication

▪ Daunting prospect given that: ▪ Existing paper-based culture for review and approval

▪ Many historical records still on paper and no electronic document available

▪ Three aspects: ▪ Technical

▪ Managerial

▪ Cultural change

Document Image Processing (DIP)

32

▪ Earliest systems beginning in 1980s

▪ Electronic equivalent of a filing cabinet ▪ Scanning

▪ Indexing

▪ Storage

▪ Retrieval

▪ Some systems also included elements of

workflow ▪ Routed scanned documents around the

organization for designated staff to process

Electronic Document Management

System (EDMS)

33

▪ Emerged in the 1990s

▪ Generally integrated with systems such as

Microsoft Office

▪ Allowed users to actively manage documents

▪ Documents stored in a document repository ▪ Check documents in and out

▪ Versioning used to track version control

▪ May also include DIP functionality ▪ Scanning

▪ Indexing

▪ Archiving

Electronic Record Management

System (ERMS)

34

▪ First started appearing in the 1990s

▪ Records management is the practice of maintaining the records of an organization from the time they are created up to their eventual disposal. ▪ Classifying

▪ Storing

▪ Securing

▪ Destruction or archival preservation

▪ A record can be either a tangible object or digital information: for example, birth certificates, medical x-rays, office documents, databases, application data, and e-mail

▪ Primarily concerned with the evidence of an organization's activities, and is usually applied according to the value of the records rather than their physical format

Quiz 1 Terms

35

▪ Access control

▪ Analytics

▪ Authenticity

▪ Backup

▪ Classification

▪ Configuration management

▪ Controls

▪ Content management

▪ Crawling

▪ Data at rest

▪ Data integrity

▪ Digital signature

▪ Disposition

▪ Document management

▪ E-discovery

▪ EDMS

▪ Electronic document

▪ Encryption

▪ File management

▪ HIPAA

▪ Indexing

▪ Information redundancy

▪ Media stability

▪ Metadata

▪ Open government

▪ PII

▪ Preservation

▪ Privacy

▪ Records management

▪ Redaction

▪ Retention

▪ Risk mitigation

▪ Scanning

▪ Security

▪ System of record

▪ Transparency

▪ Unstructured data

▪ Vital records