
Cybersecurity Definitions 

Asset - A major application, general support system, high impact program, physical plant, mission critical system, personnel, equipment, or a logically related group of systems.

Breach - The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where

    • A person other than an authorized user accesses or potentially accesses personally identifiable information (PII); or
    • An authorized user accesses or potentially accesses PII for an other than authorized purpose.

A breach constitutes a "major incident" when it involves PII that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. An unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to 100,000 or more individuals' PII also constitutes a "major incident." (OMB M-18-02 and subsequent OMB guidance.)

Business Continuity Plan - The documentation of a predetermined set of instructions or procedures that describe how an organization’s mission/business processes will be sustained during and after a significant disruption.

Capacity Planning - Systematic determination of resource requirements for the projected output, over a specific period.

Category - The subdivision of a Function into groups of cybersecurity outcomes, closely tied to programmatic needs and particular activities. Examples of Categories include “Asset Management,” “Identity Management and Access Control,” and “Detection Processes.”

Client-Side Attacks - Attacks that occur when vulnerabilities within the endpoint (for example, a user's browser, e-mail client, or document reader) are exploited, typically by getting the user to open malicious content rather than by attacking a server directly.

Controls - The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

Critical Infrastructure - Essential services and related assets that underpin American society and serve as the backbone of the nation's economy, security, and health.

Cyber Risk - The risk of financial loss, operational disruption, or damage resulting from the failure of the digital technologies employed for informational and/or operational functions, where that failure is introduced via electronic means through unauthorized access, use, disclosure, disruption, modification, or destruction of the system.

Cybersecurity - The process of protecting information by preventing, detecting, and responding to attacks.

Cybersecurity Threat - An action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system. The term "cybersecurity threat" does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

Cyber Threat Indicator - Information that is necessary to describe or identify:

    • Malicious reconnaissance, including anomalous patterns of communications that appear to be transmitted for the purpose of gathering technical information related to a cybersecurity threat or security vulnerability;
    • A method of defeating a security control or exploitation of a security vulnerability;
    • A security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability;
    • A method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system to unwittingly enable the defeat of a security control or exploitation of a security vulnerability;
    • Malicious cyber command and control;
    • The actual or potential harm caused by an incident, including a description of the information exfiltrated as a result of a particular cybersecurity threat;
    • Any other attribute of a cybersecurity threat, if disclosure of such attribute is not otherwise prohibited by law; or
    • Any combination thereof.

Defense-in-Depth - Information Security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

Defensive Measure - An action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. The term "defensive measure" does not include a measure that destroys, renders unusable, provides unauthorized access to, or substantially harms an information system or information stored on, processed by, or transiting such information system not owned by:

    • The private entity operating the measure; or
    • Another entity or Federal entity that is authorized to provide consent and has provided consent to that private entity for operation of such measure.

Denial of Service Attack (DoS) - Actions that prevent a system from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed.

Disaster Recovery - The process of restoring one or more information systems, and the enterprise functions that depend on them, after a major hardware or software failure or destruction of facilities. See Disaster Recovery Plan.

Disaster Recovery Plan (DRP) - A written plan for recovering one or more information systems at an alternate facility in response to a major hardware or software failure or destruction of facilities; more broadly, the management policy and procedures used to guide an enterprise response to a major loss of enterprise capability or damage to its facilities. The DRP is the second plan needed by enterprise risk managers and is used when the enterprise must recover, at its original or an alternate facility, from a loss of capability over a period of hours or days. See Continuity of Operations Plan and Contingency Plan.

Endpoint Protection Platform (or End-Point Protection Platform) - Safeguards implemented through software to protect end-user machines such as workstations and laptops against attack (e.g., antivirus, antispyware, anti-adware, personal firewalls, host-based intrusion detection and prevention systems, etc.).

Event - Any observable occurrence on a system. Events can include cybersecurity changes that may have an impact on manufacturing operations (including mission, capabilities, or reputation).

Federal Entity - A department or agency of the United States or any component of such department or agency.

Firmware - A software program or set of instructions stored in the non-volatile memory (e.g., flash ROM) of a hardware device. It provides the low-level instructions for how the device operates and communicates with other computer hardware. Because firmware runs before or beneath the operating system, compromised firmware can persist across operating system reinstalls and is not visible to host-based security software.

Framework - A risk-based approach to reducing cybersecurity risk composed of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers.

Impact - Consequence; to have direct effect on. In cybersecurity, the effect of a loss of confidentiality, integrity or availability of information or an information system on an organization's operations, its assets, on individuals, other organizations, or on national interests.

Incident - An occurrence that jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Information System - Has the meaning given the term in section 3502 of title 44, United States Code; and includes industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

Internet of Things (IoT) - In this context, the term IoT refers to the connection of systems and devices with primarily physical purposes (e.g. sensing, heating/cooling, lighting, motor actuation, transportation) to information networks (including the Internet) via interoperable protocols, often built into embedded systems.

Local Government - Any borough, city, county, parish, town, township, village, or other political subdivision of a State.

Malicious Cyber Command and Control - A method for unauthorized remote identification of, access to, or use of, an information system or information that is stored on, processed by, or transiting an information system.

Malicious Reconnaissance - A method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.

Mobile Device - A portable computing device that:

    • Has a small form factor such that it can easily be carried by a single individual;
    • Is designed to operate without a physical connection (e.g., wirelessly transmit or receive information);
    • Possesses local, non-removable or removable data storage; and
    • Includes a self-contained power source.

Mobile devices may also include voice communication capabilities, onboard sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers. Note: If the device only has storage capability and is not capable of processing or transmitting/receiving information, then it is considered a portable storage device, not a mobile device. See portable storage device.

Monitor - To acquire, identify, or scan, or to possess, information that is stored on, processed by, or transiting an information system.

Multi-factor Authentication (MFA) - An authentication method that requires a user to present two or more independent pieces of evidence (factors) of different types when logging in to an account: something you know (a password or PIN), something you have (a hardware token, smart card, or authenticator app on a phone), or something you are (a biometric such as a fingerprint). Two-factor authentication (2FA) is the special case of exactly two factors. Two instances of the same type (e.g., a password plus a security question) do not constitute MFA.
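As an added illustration of the "something you have" factor (example code written for this glossary, not taken from the original page or from any vendor's product), the following Python implements the one-time-password scheme that authenticator apps use: HOTP (RFC 4226) and its time-based form TOTP (RFC 6238). The shared secret is the RFC reference key so the output can be checked against the published test vectors; the 30-second step, 6-digit length and one-step skew window are the RFC defaults, and the `last_counter` replay check is an assumption about how a server would persist state.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used
# here only so the code can be checked against the published test vectors.
RFC_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226).

    The counter is packed as an 8-byte big-endian integer and authenticated
    with the shared secret; the MAC is then "dynamically truncated" (offset
    taken from its low nibble) and reduced to `digits` decimal digits.
    """
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the time-step counter."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, submitted: str, unix_time: Optional[int] = None,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1) -> Optional[int]:
    """Server-side check of a submitted code.

    Accepts the code for the current time step or up to `window` steps on
    either side (clock skew). Returns the matched counter, which the caller
    must persist and pass back as `last_counter` on the next attempt so that
    a code cannot be replayed inside the skew window; returns None on failure.
    (Persisting last_counter is an assumption about the server's state store.)
    """
    if unix_time is None:
        unix_time = int(time.time())
    now = unix_time // step
    for candidate in range(now - window, now + window + 1):
        if candidate <= last_counter:
            continue  # already consumed (or negative): reject replay even though the code is "valid"
        # Constant-time compare so a wrong code does not leak how many digits matched.
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Enrolment shares the secret once (e.g. via a QR code); afterwards both
    # sides derive the same 6-digit code from the current 30-second step.
    now = int(time.time())
    code = totp(RFC_KEY, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(RFC_KEY, code, now))
```

Two points the definition alone does not show: the code is only as secret as the shared key, so the server must store that key as carefully as a password hash, and because the verifier tolerates a skew window, a code that has just been accepted is still "valid" for another step; recording the accepted counter is what closes the replay.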

Network Access - Access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

Non-Federal Entity - Any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof). The term "non-Federal entity" includes a government agency or department of the District of Columbia, the Commonwealth of Puerto Rico, the United States Virgin Islands, Guam, American Samoa, the Northern Mariana Islands, and any other territory or possession of the United States. The term "non-Federal entity" does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

Overlay - A fully specified set of security controls, control enhancements, and supplemental guidance derived from tailoring a security baseline to fit the user’s specific environment and mission.

Patch - A software update consisting of code inserted into, or replacing part of, the code of an executable program. Patches may fix a software bug, close a security vulnerability, or install new drivers.

Port - In hardware, the physical entry or exit point on a computer for connecting communications or peripheral devices (e.g., USB, Ethernet). In networking, a numbered logical endpoint (0-65535) that associates TCP or UDP traffic with a specific service on a host (e.g., 443 for HTTPS); open ports are what a network scanner enumerates.

Private Entity - Any person or private group, organization, proprietorship, partnership, trust, cooperative, corporation, or other commercial or nonprofit entity, including an officer, employee, or agent thereof. The term "private entity" includes a State, tribal, or local government performing utility services, such as electric, natural gas, or water services. The term "private entity" does not include a foreign power as defined in section 101 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. 1801).

Profile - A representation of the outcomes that a particular system or organization has selected from the Framework Categories and Subcategories.

Protocol - A set of rules (i.e., formats and procedures) to implement and control some type of association (e.g., communication) between systems.

Remote Access - Access by users (or information systems) communicating external to an information system security perimeter. Network access is any access across a network connection in lieu of local access (i.e., user being physically present at the device).

Risk Assessment - The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis. Incorporates threat and vulnerability analyses.

Risk Management - The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system and includes: (i) the conduct of a risk assessment; (ii) the implementation of a risk mitigation strategy; and (iii) employment of techniques and procedures for the continuous monitoring of the security state of the information system.

Risk Tolerance - The level of risk that the organization is willing to accept in pursuit of strategic goals and objectives.

Router - A computer that is a gateway between two networks at OSI layer 3 and that relays and directs data packets through that inter-network. The most common form of router operates on IP packets.

Security Control - The management, operational, and technical controls used to protect against an unauthorized effort to adversely affect the confidentiality, integrity, and availability of an information system or its information.

Security Vulnerability - Any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.

Supporting Services - Providers of external system services to the organization through a variety of consumer-producer relationships including but not limited to: joint ventures; business partnerships; outsourcing arrangements (i.e., through contracts, interagency agreements, lines of business arrangements); licensing agreements; and/or supply chain exchanges. Supporting services include, for example, Telecommunications, engineering services, power, water, software, tech support, and security.

Switch - A network device that forwards frames between LAN segments at OSI layer 2, using the destination MAC address to deliver each frame only to the port where that address was learned (unlike a hub, which repeats all traffic to every port).

Third-Party Relationships - Relationships with external entities. External entities may include, for example, service providers, vendors, supply-side partners, demand-side partners, alliances, consortiums, and investors, and may include both contractual and non-contractual parties.

Third-party Providers - Third-party providers include, for example, service bureaus, contractors, and other organizations providing information system development, information technology services, outsourced applications, and network and security management. Organizations explicitly include personnel security requirements in acquisition-related documents. Third-party providers may have personnel working at organizational facilities with credentials, badges, or information system privileges issued by organizations.

Threat - Any circumstance or event with the potential to adversely impact a computer system or the information it handles, for example through unauthorized access, destruction, disclosure, or modification of information, or denial of service.

Threshold - A value that sets the limit between normal and abnormal behavior, for example the number of failed logins from one source within a time window above which an alert is raised. Set too low, a threshold floods analysts with false positives; set too high, it misses slow or distributed attacks.
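As an added example of a threshold applied in detection logic (written for this glossary; not code from the original page), the following Python counts failed SSH logins per source address over a sliding time window and raises an alert the first time a source reaches the threshold. The log lines are constructed samples in OpenSSH's syslog format using documentation address ranges; the threshold of 5 and the 60-second window are assumed values, not prescribed by any standard.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines in OpenSSH's syslog format (not real logs).
# Source addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Mar 13 10:00:01 host sshd[1001]: Failed password for alice from 198.51.100.20 port 50001 ssh2
Mar 13 10:00:09 host sshd[1002]: Failed password for alice from 198.51.100.20 port 50002 ssh2
Mar 13 10:00:15 host sshd[1003]: Accepted password for alice from 198.51.100.20 port 50003 ssh2
Mar 13 10:01:00 host sshd[1010]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Mar 13 10:01:05 host sshd[1011]: Failed password for invalid user root from 203.0.113.7 port 41001 ssh2
Mar 13 10:01:11 host sshd[1012]: Failed password for invalid user test from 203.0.113.7 port 41002 ssh2
Mar 13 10:01:18 host sshd[1013]: Failed password for invalid user oracle from 203.0.113.7 port 41003 ssh2
Mar 13 10:01:25 host sshd[1014]: Failed password for invalid user admin from 203.0.113.7 port 41004 ssh2
Mar 13 10:05:00 host sshd[1020]: Failed password for bob from 192.0.2.9 port 42000 ssh2
Mar 13 10:09:00 host sshd[1021]: Failed password for bob from 192.0.2.9 port 42001 ssh2
Mar 13 10:13:00 host sshd[1022]: Failed password for bob from 192.0.2.9 port 42002 ssh2
Mar 13 10:17:00 host sshd[1023]: Failed password for bob from 192.0.2.9 port 42003 ssh2
Mar 13 10:21:00 host sshd[1024]: Failed password for bob from 192.0.2.9 port 42004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

Event = Tuple[datetime, str, str, bool]  # (timestamp, source ip, user, failed?)


def parse_sshd_log(log: str, year: int = 2024) -> List[Event]:
    """Extract login outcomes. Syslog lines carry no year, so one is assumed."""
    events: List[Event] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not login outcomes
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Failed"))
    return events


def detect_brute_force(events: List[Event], threshold: int = 5,
                       window_seconds: int = 60) -> Dict[str, Tuple[datetime, datetime, int]]:
    """Alert on a source the first time it reaches `threshold` failed logins
    inside any sliding window of `window_seconds`.

    Returns {source_ip: (first failure in window, failure that tripped it, count)}.
    """
    recent: Dict[str, deque] = defaultdict(deque)  # per-source failure timestamps still in the window
    alerts: Dict[str, Tuple[datetime, datetime, int]] = {}
    for ts, ip, _user, failed in sorted(events):
        if not failed:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # age out failures older than the window
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = (window[0], ts, len(window))
    return alerts


if __name__ == "__main__":
    evts = parse_sshd_log(SAMPLE_LOG)
    for ip, (first, last, n) in detect_brute_force(evts).items():
        print(f"ALERT {ip}: {n} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The third source in the sample shows the trade-off named in the definition: its five failures spread over sixteen minutes never trip the 60-second window, but a 3600-second window catches them. Password spraying across many source addresses or many accounts escapes any per-source threshold entirely, so in practice a per-source count is paired with per-account and site-wide rates.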

Tribal - The term "tribal" has the meaning given the term "Indian tribe" in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 450b).

Vulnerability - A weakness in a system, its security procedures, internal controls, or implementation that could be exploited or triggered by a threat. See Security Vulnerability.


Department of Health and Human Services, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients
