Security Definitions and Concepts Part 3
Video Transcription
>> Hello again, and welcome to the HCISPP Certification course with Cybrary. I'm so happy you're here for Security Definitions and Concepts Part 3. My name is Charlene Hutchins and I'm your instructor. In this video, we're going to talk about segregation of duties, least privilege, more about business continuity, and data retention and destruction.

Segregation of duties is a method of reducing the risk of accidental or deliberate misuse of the system. How? You're saying, let's talk it out. Separating the management or execution of certain duties or areas of responsibility is key in reducing the potential opportunities for misuse or unauthorized modification of information or services. Care must be taken so that no single person can perpetrate fraud in areas of single responsibility without being detected. The easiest scenario in which to consider this concept is within banking or finance. To have one person responsible for collecting, storing, and reconciling finances is a recipe for fraud and misuse. Segregating duties between multiple people reduces the risk of collusion and fraud. When it comes to information technology, those systems that maintain finances or purchase orders or any sensitive data create an opportunity for misuse and collusion. Segregation of duties is a security concept and a control to mitigate that.

Let's talk about least privilege. It's just as it sounds: only allowing someone to have just the privilege they need to do the job they're responsible to do, no more than that. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of personal health information. The privacy rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity. The privacy rule generally requires covered entities to take responsible steps and reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.

However, the minimum necessary standard does not apply to the following. It does not apply to disclosures to or requests by a health care provider for treatment purposes: if a doctor needs the information to provide treatment, the minimum necessary does not apply. Disclosures to the individual who is the subject of the information, so patients have access to all the information. Uses or disclosures made pursuant to an individual's authorization: if a patient has not provided authorization or has given authorization, minimum necessary does not apply. Uses or disclosures required for compliance with HIPAA administrative simplification rules. And it does not apply to disclosures to the HHS when disclosure is required for enforcement purposes, and uses or disclosures that are required by other laws.

Business continuity is very closely related to business contingency and disaster recovery. Sometimes the terms are used interchangeably. However, the one key distinction of business continuity is the continuity: how a business continues during and after a significant disruption. Once again, we are currently experiencing a worldwide pandemic with COVID-19. Business continuity is how covered entities, critical systems, and processes are able to continue during this sustained disruption. On a national level within the United States, we suffered a shortage of personal protective equipment for our front-line workers due to the initial spike in the COVID-19 virus. Hospital systems were at or above their limit to handle the large number of patients, and states began to issue stay-at-home orders to help slow down the spread of the virus. Social distancing began to have the effect of slowing down the spread so that hospital systems could manage the number of patients. As businesses begin to reopen, hospitals are still tasked with being prepared for another spike with newly infected patients. Many covered entities began to leverage their business continuity plans. The pandemic situation will not be over anytime soon and will likely last a year or more until a vaccine is created and administered broadly enough to slow down the effects of the virus.

Business continuity should be a part of the security policy and program. The main reason to have a BCP is to reduce the risk of financial loss by improving the hospital's ability to recover and restore operations and mitigate the effects of the disaster or emergency situation. Make sure to review the information around disaster recovery plans and business continuity plans within the supplemental materials to gain an understanding of the various backup methods.

Data retention and destruction is the act of storing and destroying data in accordance with a records management framework that meets legal and business data storage requirements. The HIPAA security rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media that it is stored on, as well as having procedures for removal of data from media before reuse. In general, examples of proper disposal methods may include, but are not limited to: for PHI in paper records, shredding, burning, pulping, or polarizing the records so the PHI is rendered unreadable, indecipherable, and cannot be reconstructed; maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor, as a business associate, to pick up and shred or destroy the PHI; and for e-PHI on electronic media, clearing or using software to override it, purging or degaussing (destroying the magnetic domains), or destroying the media via shredding, melting, polarizing, or incinerating. Those are examples of proper disposal methods that may be included in your data retention and destruction program.

Well, that's it, friends. We've covered segregation of duties, least privilege, business continuity, and data retention and destruction. Stay tuned for the next video on privacy principles.