Security Objectives and Attributes

Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
>> Hello again and welcome back to the HCISPP certification course with Cybrary, Security Objectives. I'm Schlaine Hutchins and I'll be your instructor. Today we're going back to the basics. We'll be discussing the three components of security: confidentiality, integrity and availability. Many of you may already know this information, but it's a good refresher when talking about health care and privacy. As I'm sure you've noticed so far, security and privacy overlap in several ways. It's important to understand the foundational concepts when speaking to your peers and to help users of technology and health care information understand why we do what we do, the way we do it.

Let's dig in. Well, there may be several small and large objectives of a security program. The main three principles of all programs are referred to as the CIA triad. They are confidentiality, integrity and availability. All security controls, mechanisms and safeguards are implemented to provide one or more of these principles. All risks, threats and vulnerabilities are measured in their potential ability to compromise one or all of these principles.

Let's think about it. Let's make it personal. If someone was to get access to, say, your cell phone, which principle or principles will be compromised? Confidentiality? Well, yes. If you don't have everything under a different protective safeguard, or use your biometrics or something else to protect your information, your pictures and your text messages will be available to the person who has your phone, and they can share it with anyone. What about integrity? Well, this person has access to your phone, so they can make social media posts impersonating you. Your integrity will be shot if they post things that create or promote violence or negativity and go against the code of conduct that we discussed in the beginning of the course. Then there's availability. Well, you no longer have access to your phone, so it's [LAUGHTER] no longer available to you. You may be able to trace and track your phone with different software and even have the mobile company lock it, but you still don't have your phone. This is just a small example, and we'll go a little deeper into each principle. But I find that when we make things personal for the sake of learning, it helps us to get clarity around some of the security principles. Let's move on.

Confidentiality. Keeping in context with our studies here, as patients' data, private information and medical records are increasingly stored, processed and transmitted online, the ability to effectively maintain confidentiality of an individual's data is becoming increasingly challenging. But it's a must in order to earn and maintain a person's trust. Confidentiality provides the ability to ensure that the necessary level of secrecy is enforced at each junction of data processing, and prevention of unauthorized disclosure. This level of confidentiality should prevail while data lives on systems and devices within the network, as it's transmitted, and once it reaches its destination. Users can intentionally or accidentally disclose sensitive information by not encrypting it before sending it to another person, or they could fall prey to social engineering attacks, sharing a company's trade secrets, or not providing the extra care of protection for confidential information when processing it. Implementing strong technical controls helps to alleviate the potential for human error. Confidentiality can be provided by encrypting data as it is stored and transmitted, using strict access controls, data classification and user training on proper procedures. Confidentiality means the data or information has not been disclosed to unauthorized persons or processes, per HIPAA definitions.

Now, the HIPAA technical safeguards define integrity as the property that data or information has not been altered or destroyed in an unauthorized manner. Electronic PHI that is improperly altered or destroyed can result in clinical quality problems for a covered entity, including patient safety issues. Let's stop and think about this for a moment from a patient's perspective. Let's say you're the patient. You've gone into the doctor's office to have a routine check-up and a physical. You have some blood work done and you're awaiting the results. Well, your ex, who's still holding a grudge, works in the lab where your test results are processed. They recognize the name and information, and decide to get revenge by altering your test results to say you have diabetes. The integrity of your test results was compromised, and when it gets back to the doctor, you're now being prescribed medications that you don't actually need. What does taking medication that you don't actually need do to your overall health? You see where I'm going here? Without the proper quality and reconciliation processes in place, this could very well happen, and unfortunately probably does. This is why becoming an HCISPP is so important.

Let's talk about availability. HIPAA defines this principle as the property that data or information is accessible and usable upon demand by an authorized person. System availability can be affected by device or software failure. Backup devices should be used and available to quickly replace critical systems, or employees should be skilled and available to make the necessary adjustments to bring the systems back online. Systems and networks should be able to recover from disruptions in a secure and quick manner, so productivity will not be negatively affected. Cloud technology is advancing this concept with infrastructure as a service models, allowing for the quick creation and shifting of resources from a failed or halted process to new resources and processes almost instantaneously. Keeping with the context, availability also means that ePHI is not lost, according to HIPAA and HITECH; not knowing where data is or should be means it's not available for its intended use.

Let's check our knowledge. Which objective ensures data has not been altered or destroyed by an unauthorized user? [MUSIC] Integrity. Awesome. Next, which objective ensures data has not been disclosed to unauthorized persons or processes? [MUSIC] You got it, confidentiality. Now, which objective ensures data is accessible and usable by authorized persons? [MUSIC] There you go. Availability.

Congratulations, you're coming along great. We've covered the foundational principles of a security program: confidentiality, integrity and availability. Next up is security concepts. See you soon.