Definitions
MedStack Confidential
Metadata
- responsible officer: CTO
- approved by: CTO
- date
  - effective: 2018-06-20
  - revised: 2020-08-05
  - reviewed: 2022-08-31
Applicability
- Standard
- People: This policy applies to all of our employees, contractors and agents who have access to PHI or who work in proximity to media or devices containing PHI.
- Customer: This policy applies to all customer organizations and their respective agents who may have access to, and use, our information system assets.
- Assets: This policy applies to all of our information system assets including PHI, system administration and security data, hardware, software, communications networks and facilities.
- Activities: This policy applies to all activities associated with the operation of our information systems and our business operations.
BA
- summary: Business Associate
- Refer to
  - HIPAA
  - Business associates
Backup System
- summary: An automated system developed by us that backs up the database and data on each server.
Breach
- summary: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.
- Refer to: HIPAA 164.402
Cloud Provider
- summary: A major public cloud infrastructure provider, such as Amazon Web Services or Microsoft Azure.
Customer
- summary: Our direct customer, which could be a Covered Entity, a Business Associate, a Health Information Custodian, or otherwise depending on regulatory framework.
EHRi
- summary: Electronic Health Record Infostructure
- Refer to: CHI
Employee
- Same as Workforce Member
HIPAA
- summary: Health Insurance Portability and Accountability Act of 1996, including the requirements and standards as amended by the HITECH Act and the HIPAA “Omnibus” Final Rule.
- Refer to: HIPAA
ISMP
- Information Security Management Program
Maturity level (in _metadata)
- summary: Maturity level for each policy
- Refer to: NICE Cybersecurity Workforce Planning CMM definition (page iii) https://niccs.us-cert.gov/sites/default/files/Capability%20Maturity%20Model%20White%20Paper.pdf?trackDocs=Capability%20Maturity%20Model%20White%20Paper.pdf
- details
  - 1. Limited: Limited is the most basic level, portraying a key activity area or segment of an organization’s cybersecurity workforce planning capability that is in its infancy. This level of capability is at its start of development and may be represented by an organization having limited establishment of processes, lacking clear guidance, or having little in terms of data and analysis methods.
  - 2. Progressing: The progressing level describes a key activity area of some aspect of cybersecurity workforce planning which an organization has started to perform, commonly represented by an organization establishing some infrastructure to support workforce planning efforts.
  - 3. Optimizing: Optimizing depicts a key activity area or segment of cybersecurity workforce planning capability that has fully developed, such as one that is integrated with other business processes and can support different levels of workforce and workload analysis, the results of which drive short- and long-term decision making for the cybersecurity workforce.
Media
- Media includes
  - disks (such as HDDs and SSDs)
  - removable media (such as SD cards, memory sticks and CD-ROMs)
Mobile devices
- All portable digital devices, such as phones, tablets and laptops.
Operational systems
- All systems and services that are serving data to the internet or to other internet-connected systems, or are managing those systems. Includes servers. Does not include employee workstations.
Password
- This term also includes passphrases and secret access keys (such as SSH keys).
PCI DSS
- Payment Card Industry Data Security Standard
PHI
- summary
  - Individually identifiable health information
  - Protected Health Information
  - Personal Health Information

| Code | Section | Title |
|---|---|---|
| HIPAA | 160.103 Definitions | Individually identifiable health information |
PII
- summary
  - Personally Identifiable Information
  - also referred to as Personal Data

| Code | Section | Title |
|---|---|---|
| U.S. Code of Federal Regulations | 2 CFR § 200.79 | Personally Identifiable Information (PII) |
| NIST | Special Publication 800-122 | Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) |
| GDPR | Article 4(1) | personal data |
| PIPEDA | 2(1) | personal information |
PoS
- summary: Point of Service
- Refer to: CHI
Secret Key
- A password, passphrase, or randomly generated secret.
Server
- Usually a Linux Virtual Machine.
SLA
- Service Level Agreement.
Telework
- Telecommuting or working remotely in a non-owned-office environment, such as
  - home
  - third-party office (such as a co-working space)
  - public environment (such as a coffee shop)
  - while travelling
Unsecured protected health information
- summary: Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5.
- Refer to: HIPAA 164.402
Vendor
- Service provider to us, which could be a Business Associate or otherwise depending on regulatory framework.
Employees
- Employees, volunteers, trainees, and may also include other persons whose conduct is under our direct control (whether or not they are paid by us).
References
| Code | Section | Title |
|---|---|---|
| HIPAA | 160.103 | Definitions |