
The shared vocabulary, defined.

Terms that recur across this site, defined in plain English first and with the precision a HIPAA assessor expects right behind.

ePHI.

Electronic Protected Health Information. The subset of patient information that is created, received, maintained, or transmitted in electronic form. The HIPAA Security Rule applies to ePHI specifically.

BAA — Business Associate Agreement.

A contract that governs how PHI is handled between a covered entity and a business associate, or between two business associates. Required under §164.502(e). CybrIQ offers one on request.

HIPAA Security Rule §164.308(a)(1)(ii)(A) — Risk Analysis.

The HIPAA section that requires "an accurate and thorough" assessment of risks to electronic protected health information. The control that anchors the OCR Risk Analysis Initiative.

HIPAA Security Rule §164.310(d)(1) — Device and Media Controls.

The HIPAA section governing how hardware and electronic media containing ePHI enter and leave a facility, and how they move within it. The section most relevant to USB and removable-media policy.

HIPAA Security Rule §164.312(b) — Audit Controls.

"Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." A continuous feed of device-change events is one clean way to satisfy the "record" half of this control; the "examine" half still requires that someone, or some process, actually reviews what the feed produces.

HICP — Health Industry Cybersecurity Practices.

The HHS 405(d) program's cybersecurity practices for healthcare, 2023 Edition. Technical Volume 1 covers small organizations and Technical Volume 2 medium and large ones; each lists ten Practices. Under Public Law 116-321, the 2021 amendment to the HITECH Act, OCR must take into account whether an organization had recognized security practices such as HICP in place for the previous 12 months when it decides fines and other enforcement outcomes.

HIC-MaLTS — Managing Legacy Technology Security.

The Health Sector Coordinating Council publication (Health Industry Cybersecurity – Managing Legacy Technology Security) on compensating controls for medical devices and other clinical technology that is past vendor support. The canonical reference for "the device cannot be patched, so what now."

HHS HPH CPGs.

The Healthcare and Public Health Sector Cybersecurity Performance Goals — voluntary baselines published by HHS, with Essential and Enhanced tiers. Increasingly being written into business-associate contracts.

OCR — Office for Civil Rights.

The HHS division that enforces the HIPAA Privacy, Security, and Breach Notification Rules. The Risk Analysis Initiative is an OCR enforcement focus.

IoMT — Internet of Medical Things.

The category term for networked medical devices: infusion, telemetry, imaging, pharmacy automation, lab analyzers, monitoring. Used in industry literature; in HSCC documents, "medical devices" is the more common phrasing.

Device DNA™.

Our switch-derived device fingerprint. Trademark and patent-protected technique of CybrIQ.

ESE — External Scan Engine.

The CybrIQ appliance form factor deployed at a customer site. Talks to your switches via read-only SNMP. Emits identity events via syslog and REST.

Read-only SNMP.

Simple Network Management Protocol, in read-only mode. The standard, decades-old protocol every enterprise switch supports for being queried by network management tools. "Read-only" means the credential the poller uses (an SNMPv1/v2c community string, or an SNMPv3 user bound to a read-only view) permits GET, GETNEXT and GETBULK requests but not SET: the poller asks the switch questions and cannot push configuration changes. Two caveats for the switch team: v1 and v2c send the community string in cleartext, so SNMPv3 with authentication and privacy is the right choice on a clinical network, and the switch's SNMP access list should admit only the poller's address.
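What a read-only poll of a switch actually yields, as an added example that is not CybrIQ's code or its Device DNA™ technique: the script below parses the text that net-snmp's `snmpwalk -On` prints for three standard MIB objects (Q-BRIDGE-MIB dot1qTpFdbPort, BRIDGE-MIB dot1dBasePortIfIndex, IF-MIB ifName) and joins them into a MAC-to-VLAN-to-port table. The walk output embedded in it is constructed, not captured from a real switch, and the interface names and VLAN numbers are assumptions.

```python
"""Derive a MAC -> VLAN -> switch-port table from read-only SNMP walks.

Added example, not CybrIQ code. A real collection would run, per switch:
  snmpwalk -v3 -l authPriv -u <user> -a SHA -A <pw> -x AES -X <pw> -On <switch> <oid>
for each OID below. Walking needs only a read-only view: GETNEXT/GETBULK, never SET.
The SAMPLE_WALK text is constructed to look like that command's output.
"""
import re
from dataclasses import dataclass

# Standard OIDs (Q-BRIDGE-MIB, BRIDGE-MIB, IF-MIB).
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"    # index: vlan.mac6 -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # index: bridge port -> ifIndex
IF_NAME = "1.3.6.1.2.1.31.1.1.1.1"                  # index: ifIndex -> interface name

# Constructed sample walk output (interface names and VLANs are assumptions).
SAMPLE_WALK = """\
.1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.7.1.2.2.1.2.20.0.171.205.1.2.3 = INTEGER: 7
.1.3.6.1.2.1.17.7.1.2.2.1.2.20.0.171.205.1.2.4 = INTEGER: 7
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10103
.1.3.6.1.2.1.17.1.4.1.2.7 = INTEGER: 10107
.1.3.6.1.2.1.31.1.1.1.1.10103 = STRING: Gi1/0/3
.1.3.6.1.2.1.31.1.1.1.1.10107 = STRING: Gi1/0/7
"""

LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+) = (?P<type>\w+): (?P<value>.*)$")


def parse_walk(text):
    """Return {instance_oid: (type, value)} for each 'oid = TYPE: value' line."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows[m.group("oid")] = (m.group("type"), m.group("value").strip('"'))
    return rows


def index_under(oid, prefix):
    """The index portion of an instance OID, or None if it is not under prefix."""
    return oid[len(prefix) + 1:] if oid.startswith(prefix + ".") else None


@dataclass(frozen=True)
class Station:
    mac: str
    vlan: int
    port: str


def build_station_table(walk_text):
    """Join the three walks into one row per learned MAC address."""
    rows = parse_walk(walk_text)
    port_to_ifindex, ifindex_to_name = {}, {}
    for oid, (_, val) in rows.items():
        idx = index_under(oid, DOT1D_BASE_PORT_IFINDEX)
        if idx is not None:
            port_to_ifindex[int(idx)] = int(val)
        idx = index_under(oid, IF_NAME)
        if idx is not None:
            ifindex_to_name[int(idx)] = val
    stations = []
    for oid, (_, val) in rows.items():
        idx = index_under(oid, DOT1Q_TP_FDB_PORT)
        if idx is None:
            continue
        parts = [int(p) for p in idx.split(".")]
        if len(parts) != 7:          # vlan + six MAC octets; skip anything malformed
            continue
        vlan, octets = parts[0], parts[1:]
        mac = ":".join(f"{o:02x}" for o in octets)
        name = ifindex_to_name.get(port_to_ifindex.get(int(val)), f"bridge-port-{val}")
        stations.append(Station(mac, vlan, name))
    return sorted(stations, key=lambda s: (s.port, s.vlan, s.mac))


def ports_with_multiple_macs(stations):
    """Ports that learned more than one MAC: a hub, a downstream switch, or a
    device whose address changed. Worth a second look on a clinical VLAN."""
    by_port = {}
    for s in stations:
        by_port.setdefault(s.port, []).append(s.mac)
    return {p: sorted(m) for p, m in by_port.items() if len(m) > 1}


if __name__ == "__main__":
    table = build_station_table(SAMPLE_WALK)
    for s in table:
        print(f"{s.mac}  vlan {s.vlan:<4} {s.port}")
    print("shared ports:", ports_with_multiple_macs(table))
```

The join is the part people get wrong: the forwarding table is keyed by bridge port, not by ifIndex, so the dot1dBasePortIfIndex hop is required before ifName means anything. Per-VLAN switches (older Cisco IOS in particular) need the walk repeated with a VLAN-qualified community or SNMPv3 context; this example assumes a single Q-BRIDGE view.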

Rubber Ducky / Flipper Zero / O.MG cable.

USB attack hardware that enumerates as a keyboard or other Human Interface Device and types a pre-programmed script into the workstation at machine speed, so the operating system treats the payload as trusted user input and no malware file has to land on disk first. Sold openly online, the cheapest for under $100. Detection is the focus of our optional workstation agent (see USB protection).
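One detection heuristic such an agent can apply, as an added example that is not CybrIQ's agent code: keystroke injection is fast and unnaturally regular, while human typing is slow and jittery. The script scores inter-key gaps per device over a constructed event list (timestamps, device ids and the allowlist entry are all made up for illustration). The allowlist matters in healthcare specifically: a barcode scanner on a ward is a HID keyboard that types at machine speed and would otherwise trip the same rule.

```python
"""Flag keystroke injection from a USB HID device by typing cadence.

Added example, not CybrIQ's agent or any product's code. Events are
(timestamp_ms, device_id, key) tuples; everything below is constructed.
"""
from statistics import mean, pstdev

# Devices allowed to type at machine speed (constructed id, not a real VID/PID).
# Barcode scanners, badge readers and some KVMs belong here; review it regularly.
ALLOWLIST = {"scanner-lab-1"}


def interkey_gaps(timestamps_ms):
    """Milliseconds between consecutive key events (input must be sorted)."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def looks_injected(gaps, window=16, max_mean_ms=25.0, max_stdev_ms=10.0):
    """True if any run of `window` consecutive gaps is both fast and regular.

    Humans type around 100-300 ms between keys with high variance; a scripted
    HID payload lands at a few ms with almost none. Thresholds are assumptions
    to tune against your own keyboards before trusting an alert.
    """
    if len(gaps) < window:
        return False
    for i in range(len(gaps) - window + 1):
        run = gaps[i:i + window]
        if mean(run) <= max_mean_ms and pstdev(run) <= max_stdev_ms:
            return True
    return False


def scan(events, **thresholds):
    """Group events by device and return the device ids that look injected."""
    per_device = {}
    for ts, dev, _key in events:
        per_device.setdefault(dev, []).append(ts)
    flagged = []
    for dev, stamps in per_device.items():
        if dev in ALLOWLIST:
            continue
        if looks_injected(interkey_gaps(sorted(stamps)), **thresholds):
            flagged.append(dev)
    return sorted(flagged)


def build_events(dev, gaps, start=1000, key="x"):
    """Constructed key events for one device from a list of inter-key gaps."""
    ts, out = start, [(start, dev, key)]
    for g in gaps:
        ts += g
        out.append((ts, dev, key))
    return out


# Constructed cadences: a person typing, a scripted payload, a barcode scanner.
HUMAN_GAPS = [180, 240, 130, 310, 205, 160, 275, 145] * 4
DUCKY_GAPS = [8, 7, 9, 8] * 10
SCANNER_GAPS = [3] * 20

SAMPLE_EVENTS = (
    build_events("kbd-builtin", HUMAN_GAPS)
    + build_events("kbd-unknown-2", DUCKY_GAPS, start=20000)
    + build_events("scanner-lab-1", SCANNER_GAPS, start=30000)
)

if __name__ == "__main__":
    print("flagged devices:", scan(SAMPLE_EVENTS))   # only the unknown keyboard
```

Cadence alone is a signal, not a verdict: pair it with the fact that the device is a newly attached second keyboard, and let the response be to block further input from that device rather than to trust the pattern as proof.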

OCR Risk Analysis Initiative.

The formal HHS Office for Civil Rights enforcement initiative announced in late 2024, focused on the §164.308(a)(1)(ii)(A) risk-analysis requirement.
