The HIPAA Security Rule defines certain safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.” Which of the following best describes the category or type of the safeguard mentioned above?
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Technical.
I designed this question as a reminder of the importance of context and glossary. The question sets its context in the HIPAA Security Rule, so you need some background knowledge of that rule to build the glossary for this context.
Even so, if you merely know the three categories of safeguards (administrative, physical, and technical), you can still rule out options A, B, and D and identify the answer, C.
The HIPAA Security Rule, issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), defines three categories of safeguards: administrative, physical, and technical.
The U.S. Department of Health and Human Services (HHS) issued the regulations known as the Privacy Rule and the Security Rule (the HHS Office for Civil Rights enforces them) to define and specify the safeguards that apply to the entities covered by HIPAA.
The Privacy Rule primarily addresses how PHI (Protected Health Information) may be used and disclosed, whatever form it takes, while the Security Rule applies specifically to a subset of that information, electronic PHI (ePHI), and specifies the safeguards that must protect it.
The Security Rule defines technical safeguards as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
Does the definition surprise you? It conflicts with the common understanding of CISSP aspirants. Most people think of policy and procedures as administrative controls. However, the Security Rule defines its categories from the perspective of the assets to be protected, which is why "the policy and procedures for its use" belong to the technical safeguards that govern the technology protecting ePHI. Generally speaking, technical safeguards protect "information" (ePHI), physical safeguards protect "systems and facilities" (electronic information systems and the related buildings and equipment), and administrative safeguards manage "people" (the selection and maintenance of security measures and the conduct of the workforce). Please refer to the post, HIPAA Safeguards, for details.
As a CISSP aspirant, you must be aware of the following:
- The terms security controls (or controls for short), safeguards, and countermeasures are used interchangeably.
- If you have read the official boot camp student guide, the CBK, or the official study guide (Sybex), you know there are three categories/types of (access) controls: administrative (also called directive or management), technical (also called logical), and physical.
If someone asks you about the following, what is your answer?
- "Administrative controls" versus "administrative access controls"
- "Control categories" versus "control types"
- Why are technical controls also known as "logical" controls?
- How do you define technical controls and physical controls?