Quiz for IT: Electronic Documents Management, 20 Multiple Choice Questions
1-The HIPAA Security Rule protects:
verbal data
electronic data
written data
All of the above
2-According to HIPAA, PHI does NOT include:
IP addresses
Patient's past medical treatment information
Payments for health care provision
Health information with the identifiers removed
3-Which of the following access control mechanisms is used to prevent employees from copying a document labeled with high security to another document labeled 'public'?
Firewall
Zones
Encryption
Archive
4-It would be appropriate to release patient information to:
the patient's (non-attending) physician brother
personnel from the hospital the patient transferred from 2 days ago, who is calling to check on the patient
the respiratory therapy personnel doing an ordered procedure
retired physician who is a friend of the family
5-Healthcare providers must ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that the covered entity creates, receives, maintains, or transmits under:
HIPAA
EHR
FCRA
FERPA
6-The mission of which law is to protect consumers’ personal financial information held by financial institutions?
PCAOB
PHR
HIPAA
GLB
7-Which of the following statements about retention principles is true?
Organizations should keep business records as long as possible.
We only need to manage the records that are in use.
How long the records should be kept depends on the legal requirements and business needs.
Due to the security consideration, organizations should retain records longer than required.
8-Red flag rule requires that financial institutions:
must implement a written Identity Theft prevention Program
must comply with PCI standards
notify the customer that they may be a victim of identity theft
All of the above
9-Restricting access to the IT Department office of a hospital would fall under which type of safeguard required by the Security Rule of HIPAA?
electronic
technical
physical
administrative
10-According to the Omnibus Final Rule, which of the following statements is correct?
If one EMR software vendor needs access to PHI, it would need to complete a BAA.
Business associates do not include entities that maintain PHI.
A BAA is required for the US Postal Service.
Cloud service providers for EMR storage and backup are not liable for compliance with the HIPAA privacy rule.
11-Which of the following is not part of the PII definition established by GAPP:
Address
Credit card number
Student ID
Medical information
12-This term refers to the security practice where no one has more access than is needed to do their job
Auditing
Least privilege
Authentication
CIA Triangle
13-Which law has the purpose “to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws, and for other purposes”?
CIA
PCI
SOX
SEC
14-Being able to recover records after a disaster:
Effectiveness
Efficiency
Competency
Continuity
15-Law that requires a free credit report annually
FACTA
Red Flag Rule
FERPA
FCRA
16-Any list, description, or other grouping of consumers (and publicly available information pertaining to them) derived using any personally identifiable financial information that is not publicly available
PII
NPI
FTC
PIN
17-Which of the following is specific to the health care industry?
PII
Non-public financial information
Student academic record
PHI
18-The statutory requirement that public companies submit quarterly and annual reports is promulgated by which agency:
FBI
SEC
CIA
CICA
19-Disposition is not part of the records management lifecycle.
True.
False.
20-In the CIA Triangle, the letters refer to what:
Confidentiality, Integrity, and Availability
Central Intelligence Agency
Confidentiality, Intrusion, and Availability
Cybersecurity In Action
Functionality Requirements
▪ Policy and Rules
  ▪ Creating, maintaining, and enforcing information management policies, whether a result of law and regulation, internal policy and process, or business agreements
  ▪ Must operate across technology platforms and resources
  ▪ Examples include policies for retention, disposition, security, privacy, use, and distribution.
▪ Content Management
  ▪ Creating, templating, capturing, storing, version managing, retaining, archiving, disposing, collaborating, holding and preserving information
▪ Configuration Management
  ▪ Establishing ownership and custodial responsibilities and business application dependencies
▪ Classification
  ▪ Classification of data, including the ability to distinguish between business records and non-business information, classified and non-classified in the government sense, personally identifiable information (PII), and classifying information based on policy attributes
▪ Crawling (Gathering)
  ▪ Locating and gathering unstructured information scattered across the information management environment
Functionality Requirements (Continued)
▪ Information Access and Discovery
  ▪ Indexing, searching, and discovery across resources
▪ Creation, Transfer and Copy Management
  ▪ Rules on the creation of information, copies to be maintained, transfer of information, and de-duplication (single instancing)
▪ Security and Privacy
  ▪ Policies for identity management, information authentication, access management, privacy control, use management and auditing
  ▪ For example, this functionality allows the user to determine the authenticity of business records and to establish and maintain a policy-based relationship between users and data
▪ Analytics and Reporting
  ▪ Monitoring, alerting, and real-time reporting on key information management events such as policy updates, configuration changes, security anomalies, classification events, and “right-to-know” requests
▪ Compliance and Risk Mitigation
  ▪ Legal compliance and mitigation of risk resulting from inappropriate use of the unstructured documents
Security of Electronic Documents
▪ Much of computer security also applies to documents:
  ▪ Network defenses (firewalls, etc.)
  ▪ Access control
  ▪ Encryption
  ▪ Journaling and logging
▪ Special techniques:
  ▪ Digital signatures
  ▪ Watermarking
  ▪ Digital Rights Management (DRM)
  ▪ Preservation
Privacy of Electronic Documents
▪ Much of privacy is the same as for other types of data:
  ▪ Privacy policy
  ▪ Disclosure of personally identifiable information (PII)
  ▪ Internet access and availability
  ▪ Breach notification rules
  ▪ Global variations
▪ Document-specific concerns:
  ▪ Classification
  ▪ Collaboration
  ▪ Redaction
  ▪ Proliferation
▪ Source: “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework”, Department of Commerce, December 2010
Known Problems
▪ Need for end-to-end solution
  ▪ From creation to disposal
▪ Lack of scalability
▪ Integration issues
▪ Escalating storage growth
▪ Inflexible policy management
▪ Inaccurate auto-classification engines
▪ Inadequate search capabilities
▪ Increasing regulatory compliance
▪ Increasing amounts of e-discovery
Electronic Document Management Roadmap
▪ Basic principles and objectives
▪ Inventory of document assets (where are they)
▪ Converting existing paper records
▪ Managing distribution inside and outside the organization
▪ A methodology to automate data classification
▪ Records management policies and procedures
▪ Educational materials (for communicating 'the why')
▪ Training materials (for transferring knowledge of 'the how')
▪ Auditing and compliance parameters and metrics
▪ A lifecycle strategy/plan for continuous improvement
Making Priorities
▪ Get a better understanding of the user’s information flow needs
▪ Identify the information flow disconnects and the resulting unintentional non-compliance with regulatory, legislative, and corporate policies
▪ More effective management of cultural change and better opportunity for project marketing
▪ Initial focus on education (the why); save training (the how) for later in the process
Selecting Tools
▪ No single solution available from a vendor will meet all requirements
  ▪ All current single solutions will be overkill in some areas and lacking in others.
▪ Integration of solutions, therefore, will be necessary
  ▪ Technologies and vendors that do not facilitate and “play nice” with other solutions should be avoided
▪ Short-term solutions to fix critical business problems may be necessary
  ▪ Cost of replacing the solution should be built into the business case and budget
▪ Solutions can and should be different for different departments/LOBs.
▪ The ability to effectively classify data in line with policy must be included in every tool selected
Electronic Discovery
From edrm.net
References
▪ ISO 15489
▪ MoReq2
▪ US DOD 5015.2
▪ Other relevant sources
Definition of Record
▪ “Information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business.”
–Source: ISO 15489
Key Points of Record
▪ A record could, in principle, be in any form or format we can think of, so long as it conveys information.
▪ Records are not only created within organizations but also received by them.
▪ The word “maintained” indicates that it is not enough to ‘capture’ records. They have to be stored, and managed properly once stored.
  ▪ Includes disposing of records when they are no longer needed
Key Points of Record, Cont’d
▪ For a record to be good evidence (e.g., in a court case), there must be no doubt that it is complete and unchanged.
  ▪ Places requirements on ERM systems
▪ Records need to be kept for two reasons:
  ▪ Legal obligations
  ▪ Transaction of business
Records Management
▪ In the past, the term was used to refer only to the management of records which were no longer in everyday use but still needed to be kept
▪ Today, it refers to the entire 'lifecycle' of records, from the point of creation right through until their eventual disposal
▪ The ISO 15489-1:2001 standard defines records management as "[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records"
▪ The ISO considers management of both physical and electronic records
Question
▪ What is a document?
Definition of Document
Recorded information or object which can be treated as a unit.
Source: ISO 15489
Information set down in any physical form or characteristic. A document may or may not meet the definition of a record.
Source: DoD 5015.2
Document vs. Record
▪ The definition of “document” does not say anything about whether, or how, the documents are kept.
▪ The definition of “record” sets out strictly how they must be managed.
▪ Some documents become records at some time in their existence.
  ▪ Others don’t!
▪ A document can be changed by suitably-authorized people
  ▪ By definition, a document is not necessarily controlled.
Changes to Documents not Records
▪ Documents can change BUT records do not and MUST not change
▪ The record is a document or set of documents, all relating to a specific matter that has happened in the past
  ▪ A record of history
▪ A document could be a work in progress
  ▪ Subject to change and therefore not automatically a record
▪ Documents do become records once they are finalized
Worldwide Shift
▪ In today’s digital world, the distinction between records and documents has become vague
▪ Any document can be considered a record and any piece of its content can be extracted and used in a context different from the original intention of the document, making it a separate record
▪ The traditional view of records management as a discipline has changed
  ▪ Not restricted to library catalogue and archive management any more
▪ How records are created and used in organizations is also reshaped
3/5/2021
Worldwide Shift, cont’d
▪ In recent years there has been a worldwide shift toward electronic transactions, in business and government
  ▪ Internet
  ▪ Mobile applications
  ▪ BYOD
▪ People do not have to be physically present at an office location
▪ Organizations need to be able to access information quickly, easily, and efficiently
▪ Paper files and folders have been used for years and are an ingrained culture
  ▪ Need to be replaced by an electronic document and record management system
Archive
▪ Files that are selected for permanent or long-term preservation due to enduring historical value
▪ Area or media used for long-term storage
▪ Inactive or not as active but required to be maintained for legal or operational reasons
Information Leaking
▪ Web-facing documents contain confidential data
  ▪ Internal server?
  ▪ Spiders?
▪ Multiple drafts before document is published
  ▪ History
  ▪ Properties
  ▪ Redaction
▪ Lost laptops with no access controls
▪ Storage media that do not show sensitive content
▪ Reuse of electronic media
  ▪ Deleted files?
▪ Credentials easy to forge
  ▪ Physical access
▪ Small hard drives and thumb drives that can be easily hidden
Protection Against Information Leakage
▪ Not always intentional
▪ Common problems:
  ▪ Not understanding the information conveyed in metadata such as in a Word document
  ▪ Not employing robust encryption protection
  ▪ Inadequate monitoring of sensitive data and filtering of data leaving a company
    ▪ Email
    ▪ IM
    ▪ FTP
  ▪ Inadequate erasure of magnetic media
    ▪ Delete is not enough
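A check for the Word-document metadata problem listed above, added here as an example that is not part of the original slides: it reads the core properties a .docx carries and flags the ones that typically reveal draft history. The .docx is constructed in memory and the user names in it are hypothetical.

```python
# Added example (not from the slides): list the metadata a Word .docx
# carries in docProps/core.xml and flag fields that reveal more than the
# published text. The sample file is constructed in memory.
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Core properties a reviewer checks before a document leaves the organisation.
FIELDS = ["dc:title", "dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:modified"]


def core_properties(docx_bytes: bytes) -> dict:
    """Return the populated core properties of a .docx as {field: text}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    return {f: el.text for f in FIELDS
            if (el := root.find(f, NS)) is not None and el.text}


def leak_findings(props: dict) -> list:
    """Findings typical of a draft that was never scrubbed before publishing."""
    findings = []
    if props.get("dc:creator"):
        findings.append("author name present: " + props["dc:creator"])
    editor = props.get("cp:lastModifiedBy")
    if editor and editor != props.get("dc:creator"):
        findings.append("second editor present: " + editor)
    if int(props.get("cp:revision", "1")) > 1:
        findings.append(props["cp:revision"] + " revisions recorded (draft history)")
    return findings


# Constructed core.xml with hypothetical user names.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
<dc:title>Press release</dc:title><dc:creator>j.doe</dc:creator>
<cp:lastModifiedBy>legal.review</cp:lastModifiedBy><cp:revision>14</cp:revision>
</cp:coreProperties>""".format(**NS)


def sample_docx() -> bytes:
    """Minimal zip with the parts this check needs (not a full Word package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in leak_findings(core_properties(sample_docx())):
        print("METADATA:", finding)
```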
Google Hacking
▪ Uses Google Search and other Google applications to find confidential information in various places on the Web
▪ Examples of sources:
  ▪ Naming Web tools on a Web site: “Powered by:”
  ▪ Published paper in a professional journal
  ▪ Employment ad describing the systems environment, including Web infrastructure
  ▪ Posting to a newsgroup asking for technical advice on an issue
  ▪ Blog posting
  ▪ Biography of a researcher indicating areas of research
▪ Need to develop appropriate search patterns to find the information
Need for Controls
▪ Controls result from a security policy put in place to manage the problem
▪ If an organization does not have the means to identify its assets, it cannot protect them from:
  ▪ Unauthorized access
  ▪ Theft
  ▪ Compromise
▪ Based on the principle of least privilege
  ▪ Only have access if needed by my job
▪ Organize into security zones to minimize disclosure of sensitive information
▪ Label according to the zone in which it was created
Use of Zones
▪ Example zones:
  ▪ Public
  ▪ Internal
  ▪ Sensitive
  ▪ Confidential
  ▪ High security
▪ Cannot move a document created in one zone to a zone of lesser security without some form of control
  ▪ Redaction
▪ Only public documents can be used on mobile applications
▪ Security auditing software is used to check that documents are labeled and in the appropriate zone; otherwise an alert is raised
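The zone rules on this slide worked as an added example (not code from the slides or from any auditing product): the zone names come from the slide, the move-down, mobile-use and labelling checks follow the bullets above, and the document inventory is constructed.

```python
# Added example (not from the slides or any product): encode the zone
# ordering, the no-move-to-lesser-zone-without-control rule, the mobile-use
# rule, and the labelling audit that raises alerts.
from dataclasses import dataclass

# Ordered from least to most restrictive, as listed on the slide.
ZONES = ["Public", "Internal", "Sensitive", "Confidential", "High security"]
RANK = {name: i for i, name in enumerate(ZONES)}

@dataclass
class Document:
    name: str
    label: str              # zone the document was created in
    stored_in: str          # zone of the repository it currently sits in
    redacted: bool = False  # whether a controlled redaction was applied

def move_allowed(src: str, dst: str, redacted: bool = False) -> bool:
    """Equal or higher security: always allowed. Lesser security: only
    with a control, which here means the document has been redacted."""
    if RANK[dst] >= RANK[src]:
        return True
    return redacted

def mobile_allowed(doc: Document) -> bool:
    """Only Public documents may be used on mobile applications."""
    return doc.label == "Public"

def audit(inventory):
    """Return one alert string per document that is unlabelled, sits in
    an unknown zone, or sits in a lesser zone than its label without
    redaction (the check the slide's auditing software performs)."""
    alerts = []
    for d in inventory:
        if d.label not in RANK:
            alerts.append(f"{d.name}: missing or unknown label {d.label!r}")
        elif d.stored_in not in RANK:
            alerts.append(f"{d.name}: stored in unknown zone {d.stored_in!r}")
        elif not move_allowed(d.label, d.stored_in, d.redacted):
            alerts.append(f"{d.name}: labelled {d.label} but stored in "
                          f"{d.stored_in} without redaction")
    return alerts

# Constructed sample inventory (hypothetical file names).
SAMPLE = [
    Document("policy.pdf", "Public", "Public"),
    Document("salaries.xlsx", "Confidential", "Internal"),
    Document("summary.docx", "Confidential", "Public", redacted=True),
    Document("scan.tif", "", "Internal"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print("ALERT:", alert)
```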
Mobile Devices
▪ Increasingly mobile and digital society
  ▪ PDAs
  ▪ Laptops
  ▪ Cell phones
  ▪ Thumb drives
  ▪ CD/DVDs
▪ Mobile devices become an easy target
  ▪ Small and easy to conceal
  ▪ Easy to resell the device
  ▪ Information may be valuable for fraud or blackmail activities
Losing Mobile Devices
▪ Nearly every type of organization has reported a data breach because of a lost mobile device
  ▪ Hospital
  ▪ University
  ▪ Financial services company/bank
  ▪ Government agencies
▪ Three preventative measures:
  ▪ User education: carelessness is a major cause
  ▪ Tracking lost devices
  ▪ Protecting information
    ▪ “Bogus” data added
    ▪ Encryption
Implementing an Organization-Wide System
▪ The vast majority of organizations have not implemented an organization-wide system
  ▪ Some departments are more automated than others
  ▪ No central source of documents
  ▪ Much duplication
▪ Daunting prospect given that:
  ▪ Existing paper-based culture for review and approval
  ▪ Many historical records still on paper and no electronic document available
▪ Three aspects:
  ▪ Technical
  ▪ Managerial
  ▪ Cultural change
Document Image Processing (DIP)
▪ Earliest systems beginning in the 1980s
▪ Electronic equivalent of a filing cabinet
  ▪ Scanning
  ▪ Indexing
  ▪ Storage
  ▪ Retrieval
▪ Some systems also included elements of workflow
  ▪ Routed scanned documents around the organization for designated staff to process
Electronic Document Management System (EDMS)
▪ Emerged in the 1990s
▪ Generally integrated with systems such as Microsoft Office
▪ Allowed users to actively manage documents
▪ Documents stored in a document repository
  ▪ Check documents in and out
  ▪ Versioning used to track version control
▪ May also include DIP functionality
  ▪ Scanning
  ▪ Indexing
  ▪ Archiving
Electronic Record Management System (ERMS)
▪ First started appearing in the 1990s
▪ Records management is the practice of maintaining the records of an organization from the time they are created up to their eventual disposal.
  ▪ Classifying
  ▪ Storing
  ▪ Securing
  ▪ Destruction or archival preservation
▪ A record can be either a tangible object or digital information: for example, birth certificates, medical x-rays, office documents, databases, application data, and e-mail
▪ Primarily concerned with the evidence of an organization's activities, and is usually applied according to the value of the records rather than their physical format
Quiz 1 Terms
▪ Access control
▪ Analytics
▪ Authenticity
▪ Backup
▪ Classification
▪ Configuration management
▪ Controls
▪ Content management
▪ Crawling
▪ Data at rest
▪ Data integrity
▪ Digital signature
▪ Disposition
▪ Document management
▪ E-discovery
▪ EDMS
▪ Electronic document
▪ Encryption
▪ File management
▪ HIPAA
▪ Indexing
▪ Information redundancy
▪ Media stability
▪ Metadata
▪ Open government
▪ PII
▪ Preservation
▪ Privacy
▪ Records management
▪ Redaction
▪ Retention
▪ Risk mitigation
▪ Scanning
▪ Security
▪ System of record
▪ Transparency
▪ Unstructured data
▪ Vital records