LOS ANGELES COUNTY
DEPARTMENT OF MENTAL HEALTH
  Information Technology and Security Glossary
 
Disclaimer: The Information Technology and Security Glossary is a living document. All terms are defined uniquely and used within DMH-CIOB Policies only, and they may be revised from time to time to add more terms or modify the existing terms to serve their meanings while being used in DMH-CIOB Policies.

Because this glossary is a living document, policies developed for bureaus other than DMH-CIOB should have their own definitions instead of referring solely to this glossary.

Access: The permission and the ability or means necessary to read, write, modify, or communicate data/information governed by Access Control, or otherwise use any system resource.

 
Access Control: The act of limiting access to certain data/information through selective privileges and restrictions assigned to workforce members based on roles or job functions.
 
Accident/Incident Investigative Report (AIIR): A Service Catalog reporting tool that must be completed by a workforce member’s management immediately following any incident involving Information Technology (IT) equipment, including, but not limited to, intentional or accidental damage done to a LACDMH-issued computing/portable electronic device, such as damage, loss, or theft of a notebook, cellular device, or any portable electronic device (PED).
 
Account Creation: A process of creating a user account on a computer system or specific program/application and granting a user/authorized workforce member permission to access or use some subset of files or data on a file system or to run a specific program. Accounts are comprised of the following components: User Name/User ID/Logon ID, Password, and Role.
 
AirCard®: A high-speed wireless broadband card that allows users to connect mobile computing/portable electronic devices, such as laptops, to high-speed internet access through cellular data service networks.

Application: An application is any program designed to perform a specific function directly for the user or, in some cases, for another application program. Examples of application programs include word processors; database programs; Web browsers; development tools; drawing, paint, and image editing programs; and communication programs.
 
Audit Trail:  A data security system that maintains detailed audit logs to identify attempted security violations.  Audit logs provide information that allows the system auditor to determine who initiated the activity, time and date of activity,  type of action taken,  affected fields, location and information about the device used.

 
Authentication: The process of verifying the identity of a user (e.g., through biometric authentication); the corroboration that a person is the one claimed.
 
IBHIS Authorized Workforce Member: A workforce member who has completed the required forms and processes and been given authorization to access data/information from an LACDMH-issued device or program in accordance with the roles and responsibilities of the position.
  • Completed successfully the online HIPAA Compliance Training;
  • Received the minimal required operational preparation in the use of LACDMH IBHIS with the expectation to complete the official comprehensive training conducted by Super Users within 90 days of authorization;
  • Signed the following forms/documents:
      • County of Los Angeles Agreement for Acceptable Use and Confidentiality of County Information Technology Resources (Attachment 1 of Policy 550.04);
      • Confidentiality Oath (Attachment 2 of Policy 550.04);
      • IBHIS User Security Agreement (Attachment 3 of Policy 550.04); and
      • Signed Electronic Signature Agreement (Attachment 4 of Policy 550.04).
Availability: The property that data or information is accessible and useable upon demand by an authorized workforce member.
Biometric Authentication: Verification by which a person can be uniquely identified by evaluating one or more distinguishing biological traits.  Unique identifiers include fingerprints, hand geometry, earlobe geometry, retina and iris patterns, voice waves, DNA, and signatures. A security process that uses the analysis of one or more distinguishing biological traits (e.g., fingerprints, facial geometry, retina patterns) to verify the identity of a user.
 
Breach: An unauthorized acquisition, access, use, or disclosure of protected health information (PHI) which compromises the security or privacy of PHI under the HIPAA Rule/HITECH Act, except where it was made in good faith and within the scope of authority of a covered entity and does not result in further use or disclosure in violation of the Privacy Rule.  The Final Breach Rules provide three (3) exceptions: (i) any unintentional acquisition, access, or use of PHI, (ii) any inadvertent disclosure of PHI from an authorized person to another authorized person at the same covered entity, and (iii) a disclosure of PHI where the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. (45 CFR 164.402 and HITECH Act §13400(1))

Breach excludes:
  • Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in an unpermitted manner.
  • Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in an unpermitted manner.
  • A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Except as provided in paragraph (a) of this definition, an acquisition, access, use, or disclosure of protected health information in an unpermitted manner is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
  • The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • Whether the protected health information was actually acquired or viewed; and
  • The extent to which the risk to the protected health information has been mitigated.
Burning (CD/DVD): To write data or software onto a recordable disk (i.e., CD, DVD) with a laser. The term was coined from the fact that a laser is used to inscribe the information by burning small pits in the medium, and from the fact that the disk comes out of the drive warm to the touch.
 
Business Associate: An individual or covered entity, other than a LACDMH workforce member, that performs certain functions, activities, or services involving the use and disclosure of protected health information on behalf of LACDMH and requires the use and/or disclosure of, or access to, PHI.  (45 CFR 160.103) These functions include, but are not limited to:
  • Accounting
  • Accreditation
  • Actuarial
  • Administration Support
  • Benefits Management
  • Billing
  • Claims Administration
  • Claims Processing
  • Consulting
  • Data Aggregation
  • Data Analysis
  • Document Destruction
  • Financial Services
  • IT Services
  • Legal
  • Management Support
  • Practice Management
  • Quality Assurance (QA)
  • Training
  • Transcription
Business Associate Agreement (BAA): Under the U.S. Health Insurance Portability and Accountability Act of 1996, a HIPAA business associate agreement (BAA) is a contract between a HIPAA-covered entity and a HIPAA business associate (BA).  The contract protects protected health information (PHI) in accordance with HIPAA guidelines. (HIPAA Act of 1996)
 
C3PO: See CIOB Change Control Process Owner.

 
Cable Lock: A security cable with a combination or key lock system, designed to anchor a computing device to something immovable or to heavy furniture in order to discourage the theft of portable computers and other devices.
 
Care Coordination: Care coordination involves deliberately organizing patient care activities and sharing information among all of the participants concerned with a patient's care, to facilitate communication among those involved for the purpose of achieving safe, appropriate, and effective care services. The main goal of care coordination is to meet patients' needs and preferences in the delivery of high-quality, high-value health care. This means that the patient's needs and preferences are known and communicated at the right time to the right people, and that this information is used to guide the delivery of safe, appropriate, and effective care.
 
Cellular Device: Any hand-held, portable, or vehicle-mounted two-way communication device with multi-functional capabilities used to process, store, transmit, and receive voice and/or data/information over a cellular network.  This generally includes cellular phones, smartphones, pagers, broadband connection devices (data cards, air cards, or hotspots used with notebook, laptop, or tablet computers), or other cellular communication devices.  There is typically a per-line, per-minute, per-message, and/or monthly service charge for usage.
 
CERT: Computer Emergency Response Team (CERT) has responsibility for response and reporting of information technology (IT) computer security incidents within an organization.
 
CCERT: Los Angeles County's Computer Emergency Response Team (CCERT) has responsibility for response and reporting of IT computer security incidents within the County.
 
DCERT: Departmental Computer Emergency Response Team (DCERT) has responsibility for response and reporting of IT computer security incidents within a department.
 
Change: The addition, modification or removal of anything that could have an effect on IT Services, including IT Systems/Services, Configuration Items (CIs), Processes, Documentation, etc. At CIOB, changes to all IT Production Systems/Services are required to go through the CIOB Change Control Process (C3P). See also Change Approval Timeline.  IT Change types defined for DMH CIOB include the three ITIL defined changes: Standard Change, Normal (Non-Standard), and Emergency Change.  CIOB also includes a fourth type called Late Change to encourage adequate planning and to distinguish from Emergency Changes. In addition, at times, an Information Only Change is documented.  An Unauthorized Change is documented when the Change Control process is not followed. There is zero tolerance for unauthorized changes. See separate definitions for each change type.
 
Change Advisory Board (CAB): The change review team. Includes Primary and Secondary members from each DMH CIOB Division (and Sections within if appropriate).  The CAB should include relevant stakeholders of each critical IT service. These stakeholders are the people who can best make decisions about changes because of their understanding of the business goals, as well as technical and operational risks. Project or other subject matter experts will attend CAB meetings when appropriate.
 
Change Approval Timeline: Normal Requests for Change (RFC) should be submitted (placed on calendar in our case) prior to two Change Control Meetings before the date the change is to occur.  This provides enough time for the CAB to review changes and request more information or preparation work if needed. If an RFC is not submitted prior to two Change Control Meetings before the date of the change (event), it is considered a Late Change (even though there is no system outage or urgent business problem). Rather, it is not planned far enough in advance and still must go through the Emergency Change Approval process.
 
The term Change Control as used by CIOB is distinguished from the term Change Management. Change Management might be the same as demand and portfolio management. Change Control is the process by which CIOB systematically assesses all proposed IT system/service initiatives for impacts and gains buy-in from all stakeholders.
 
Change Authority: The governing authority for the CAB.
 
Change Control (or Change Management): The Process responsible for controlling the Lifecycle of all Changes. The primary objective of Change Control (or Change Management) is to enable beneficial Changes to be made, with minimum disruption to IT Services.
 
Change Control Process Manager: A role in CIOB responsible for operational (day to day) management of the Change Control Process. This Manager ensures change control procedures are followed and facilitates Change Control Meetings. Also, s/he helps with change control continual process improvement.
 
Change Success Rate: Defined as # Successful Changes / Total # of Changes executed in a given time period. CIOB measures Change Success Rate monthly.
 
CIOB Change Control Process Owner (C3PO): A role in CIOB responsible for ensuring that the Change Control Process is fit for purpose. Responsibilities include Championship/Sponsorship, Design, Change Management and Continual Improvement of the Process and its Metrics. This role is part time in CIOB.
 
CIOB Change Control Process Sponsor (C3PS): As with Project Management, the role of the CIOB sponsor for the Change Control Process rarely gets involved in the running of the process. Rather, the sponsor role centers around advocating the process, championing the process, obtaining budgets for the process, and accepting responsibility for problems escalated from the process owner or manager.
 
Configuration Item: One discrete build that is tracked. It may be a base component that cannot be further divided or an assembly made up of other configuration items. CIs can be hardware, software, documentation or a combination thereof.
 
Configuration Management Database (CMDB): System(s) used to track configuration items, requests for change, work orders, errors, relationships, etc. The definition is often nebulous as the exact implementation varies across organizations. Fundamentally, it is the core system(s) that tracks all activities including service levels.
 
Change Record: A record containing the details of a Change. At CIOB, that record is the RFC event entered into the Change Control SharePoint site.  Each Change Record documents the Lifecycle of a single Change. A Change Record is created for every Request for Change that is received, even those that are subsequently rejected. Change Records should reference the Configuration Items that are affected by the Change. Change Records are stored in the Configuration Management System.
 
Change Request: Synonym for Request for Change.
 
Change Window: A regular, agreed on time when Changes or Releases may be implemented with minimal impact on Services. Change Windows are usually documented in Service Level Agreements.
 
Computer Security Incident:  According to Health Insurance Portability and Accountability Act of 1996, Security Rule, 164.304, a computer security incident means "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."
 
Computer Security Incident Report: A comprehensive report completed by the LACDMH Department Information Security Officer (DISO) or designee for notifying the County Chief Information Security Officer (CISO) following a security incident involving IT equipment, including, but not limited to, intentional or accidental damage done to a computing device, or a loss or theft of a notebook, cellular device, or any portable electronic device (PED), as described by Security Rule, 164.304.  At minimum, it must include (1) Identification, (2) Isolation, (3) Notification, (4) Evaluation, (5) Mitigation, (6) Assessment, (7) Reporting, and (8) Follow-Up.  This report must be consistent with BOS Policy 6.109, Security Incident Reporting.
 
Computer Security Incident Response Matrix: A measuring tool completed by the DCERT to recommend an appropriate response based on the type of computer security threat and the potential impact to LACDMH. 
 
Cloud: Third-party, Internet-based software or service that offers computing and storage solutions and the ability to access files on demand from anywhere, and that provides shared computer processing resources and data to computers and other devices on demand.  It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources (e.g., computer networks, servers, storage, applications, and services).  Cloud computing and storage solutions provide users and enterprises with various capabilities to store and process their data in third-party data centers that may be located far from the user, ranging in distance from across a city to across the world.
 
Community Standards: Community standards are set policies that outline acceptable conduct and behavior.  They are local norms bounding acceptable conduct. Sometimes these standards can be itemized in a list that states the community's values and sets guidelines for participation in the community.
 
Compact Disc (CD): A digital optical disc data storage format that was originally developed to store and play only sound recordings but was later adapted for storage of data.
 
Compliance: The act of conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws and regulations.

 
Computer Hardware (Hardware): A collection of physical components that constitute a computer system, including system unit, input, output, and storage devices. Computer hardware is the physical parts or components of a computer, such as monitor, keyboard, computer data storage, graphic card, sound card, motherboard, and so on, all of which are tangible objects.  By contrast, software is instructions that can be stored and run by hardware.  Hardware is directed by the software to execute any command or instruction.  A combination of hardware and software forms a usable computing device or computing system.
 
Computer Peripheral: Generally defined as any auxiliary device, such as a computer mouse or keyboard, that connects to and works with the computer in some way. Other examples of peripherals are image scanners, tape drives, microphones, loudspeakers, webcams, and digital cameras.
 
Computer Software (Software): A collection of computer programs, procedures, and documentation that perform some tasks on a computer system. It is divided into three (3) categories: System, Programming, and Application software. Part of a computer system that consists of data or computer instructions, in contrast to the physical hardware from which the system is built.  In computer science and software engineering, computer software is all information processed by computer systems, programs and data. Computer software includes computer programs, libraries, and related non-executable data, such as online documentation or digital media.
 
Computing Devices: A machine that processes information automatically, including, but not limited to, the following:
  • Desktop personal computers and Thin Client devices
  • Portable computing devices (e.g., laptops, tablets, and mobile devices connected to County’s IT resources by cable, telephone wire, wireless transmission, or via any internet connection.)
  • Portable electronic devices, (e.g., personal digital assistants (PDAs), digital cameras, smartphones, cell phones, pagers, and audio/video recorders).
  • Portable storage media device, (e.g., diskettes, tapes, DVDs, CDs, USB flash drives, memory cards, and external hard drives)
  • Printing and scanning devices, (e.g., printers, copiers, scanners, and fax)
  • Network devices, (e.g., firewalls, routers, and switches)
  • Multiple user and application computers, (e.g., servers)
Confidential/Sensitive Data or Information/Confidentiality: Personal or proprietary information (e.g., protected health information, personally identifiable information) to which access must be restricted to prevent unauthorized disclosure, theft, or improper use that can result in harm to a person, process, or organization. The property that data or information is not made available or disclosed to unauthorized persons or processes. Confidential data includes, but is not limited to, PHI and is sensitive, proprietary, or personal information to which access must be restricted and whose unauthorized disclosure, theft, or improper use could be harmful to a person, process, or the organization.  Data or information that is regarded as sensitive must be disseminated only to individuals or organizations authorized to access it.
 
Contingency Plan: A plan for emergency response, backup procedures, and post-disaster recovery.  Synonymous with disaster plan and emergency plan.

 
Contract: A written or verbal agreement between the County of Los Angeles and another party (contractor and/or vendor) to provide goods or services to LACDMH under terms specified in a written or verbal agreement.
 
Contract Provider: Any private agency, institution, public agency, or vendor that has executed an agreement with the Department to furnish services for monetary reimbursement.
 
Copyright: A legal right created by the law of a country that grants the creator of an original work exclusive right for its use and distribution.
 
County IT Resources: Includes, without limitation, the following items, which are owned, leased, managed, operated, or maintained by, or in the custody of, County or non-County entities for County purposes:
  • Computing devices, including, without limitation, the following:
      • Desktop personal computers, including, without limitation, desktop computers and thin client devices;
      • Portable computing devices, including, without limitation, the following:
          • Portable computers, including, without limitation, laptops and tablet computers, and mobile computers that can connect by cable, telephone wire, wireless transmission, or via any Internet connection to County IT resources;
          • Portable devices, including, without limitation, personal digital assistants (PDAs), digital cameras, smartphones, cell phones, pagers, wearable computers (also known as body-borne computers or wearables), and audio/video recorders; and
          • Portable storage media, including, without limitation, diskettes, tapes, DVDs, CDs, USB flash drives, memory cards, and external hard disk drives; and
      • Multiple user and application computers, including, without limitation, servers and desktop computers;
      • Printing and scanning devices, including, without limitation, printers, copiers, scanners, and fax machines;
      • Network devices, including, without limitation, firewalls, routers, and switches.
  • Telecommunications (e.g., wired and wireless), including, without limitation, voice and data networks, voicemail, voice over Internet Protocol (VoIP), and videoconferencing;
  • Software, including, without limitation, application software, operating systems software, and stored instructions;
  • Information, including, without limitation, the following:
      1. Data
      2. Documentation
      3. Electronic communications (e.g., email, text message)
      4. Personal information
      5. Confidential information
      6. Voice recordings
      7. Photographs
      8. Electronically stored information (data that is created, altered, communicated and stored in digital form)
  • Services, including, without limitation, hosted services and County Internet services;
  • Systems, which are an integration and/or interrelation of various components of County IT resources to provide a business solution (e.g., eCAPS).
 
For a more complete definition of terms used in this policy and/or procedure, see the DMH Information Security Glossary, Attachment I of DMH Policy 555.02 Information and Technology Security Policy.
 
County IT User: Includes any user (e.g., County employees, contractors, subcontractors, and volunteers; and other governmental staff and private agency staff) of any County IT resources, except that the Chief Information Security Officer (CISO) and the Chief Information Officer (CIO) may mutually determine, in writing, at any time that certain persons and/or entities (e.g., general public) shall be excluded from the definition of “County IT user”.
 
County Network:  A group of County computers and associated County devices that are connected by communications facilities. A County network can involve permanent connections, such as cables or temporary connections made through telephone or other communications links. A County network can be as small as a LAN consisting of a few computers, printers, and other devices, or it can consist of many small and large computers distributed over a vast geographic area. Small or large, a County computer network exists to provide computer users with a means of communicating and transferring information electronically.
Covered Entity: A health plan, health care clearinghouse, or health care provider permitted to use and disclose protected health information. (45 CFR 164.314, 160.103, and 164.502)
 
Data "Browsing": The act of intentionally viewing data or records not directly within the scope of one's job functions at the time (e.g., a health care provider viewing records of patients not under his or her care).
 
Data Classification: A process of sorting and categorizing data into various types or classes. In LACDMH, data is classified into three (3) categories: Protected Health Information, Internal Data, and Public Data.
 
Data Integrity: As related to data, integrity is a fundamental component of information security.  Data integrity is the property that the overall completeness, accuracy, and consistency of data stored in a database, data warehouse, data mart, or other types of media is maintained over its entire life-cycle, and that data or information is safeguarded from being altered or destroyed in an unauthorized manner. Data integrity is the maintenance of, and the assurance of, the accuracy and consistency of data over its entire life-cycle, and is a critical aspect of the design, implementation, and usage of any system which stores, processes, or retrieves data.
 
Device: Any equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information.

 
Device Component: A functional independent part or element of a larger whole, especially a part of a device or system.
 
Disaster Recovery: A plan for the restoration of lost data or reconciliation of conflicting or erroneous data after a system failure due to natural or manmade disaster.
 
Digital Audio Recorder: A digital, handheld device that is used to record short reminders or conversations.  Very lightweight and typically using batteries, such devices use flash memory to hold the recordings.  Messages can be retrieved sequentially or by direct access by message number.
 
Digital Camera: A camera that encodes images and videos digitally and stores them for later reproduction.
 
Digital Video Recorder: A device that records video to formats including solid-state flash memory.
 
Digital Versatile Disc (DVD): A type of optical media used for storing large amounts of data, especially high-resolution audiovisual material.  Some may contain computer files, software programs, or applications.
Docking Station: A device in which a laptop computer, smartphone, or other mobile device may be placed for charging and for access to a power supply and to peripheral devices or auxiliary features.
 
Documentation: Material that describes and instructs users about software, whether printed or in electronic form.
Domain: A group of users, workstations, printers, computers, and devices on a network that are administered as a unit with common rules and procedures.  Domain is also used to assign specific privileges and manage user accounts. Within the Internet, domains are defined by the IP address.  All devices sharing a common part of the IP address are said to be in the same domain.
Emergency Non-Business Call: For the purpose of Policy 1201.01, Assignment, Use and Management of Cellular Devices, an instance when a workforce member must make emergency, non-business use of a LACDMH-issued cellular device when he or she lacks access to a personal cellular device.  Total emergency usage is limited to sixty (60) voice minutes or 60 text messages or less per month, if texting is permitted and made available on the device.
 
Emergency Change: A change that:
  • Must be implemented as soon as possible because of critical systems outage or
  • Must be implemented as soon as possible because not doing the change will cause a highly negative impact to the business.
  • Must be approved by the Emergency Change Advisory Board (ECAB). See also Change Approval Timeline.
Electronic Signature: For purposes of this policy, the authorized LACDMH workforce member’s electronic signature will be the individual’s unique identification and password for accessing the LACDMH IBHIS EHR System. Note: Electronic Signature is not intended to be used as an electronically signed document online.
Emergency Change Advisory Board (ECAB): Reviews emergency changes. Includes LACDMH CIO, Associate CIO, Primary and Secondary member from each DMH CIOB Division (and Sections within if appropriate). Project or other subject matter experts will participate when appropriate.

Encryption: The process of using an algorithm to convert information into indecipherable code to protect it from unauthorized access, viewing, or use, especially during data transmission or when it is stored on a transportable magnetic medium.
 
Event: A change of state which has significance for the management of a Configuration Item or IT Service. The term Event is also used to mean an Alert or notification created by any IT Service, Configuration Item or Monitoring tool. Events typically require IT Operations personnel to take actions, and often lead to Incidents being logged.
 
Freeware/Open Source Software: Proprietary software that is available for use at no monetary cost. In other words, freeware may be used without payment but usually may not be modified, re-distributed or reverse-engineered without the author's permission. Note that many freeware programs cannot be used for business purposes (limited to personal use) without charge. Freeware is not to be used at LACDMH unless preapproved and authorized by the CIOB.
Health Care Provider: A provider of services (Section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health services (Section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. (45 CFR 160.103)
Health Information: means any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse and relates to the past, present, or future physical or mental health or condition of any individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Health Insurance Portability and Accountability Act (HIPAA): A set of standards for the privacy and security of PHI required of health plans, health care clearinghouses, and certain health care providers. United States legislation that provides data privacy standards and security provisions for safeguarding health information or protected health information.
HotSpot: For users of portable computers equipped for wireless, a hot spot (or hotspot) is a wireless local area network (WLAN) node that provides internet connection and virtual private network (VPN) access from a given location. There are 2 types of hotspots: free Wi-Fi hotspots, where the password requirement has been removed, and commercial hotspots, where the user is redirected to a screen requesting login credentials or payment details before internet access is granted.
IBHIS Local User Administrator (LUA): A trained, designated, and authorized LACDMH workforce member whose roles and responsibilities include disseminating, managing, and maintaining all IBHIS user accounts and practitioner enrollments, for both LACDMH and Non-LACDMH users within a specified LACDMH program, program group, or administrative unit.  Where applicable, the LUA also establishes and maintains staff’s hours and schedule exceptions within IBHIS scheduling calendar set up for the associated service delivery site(s).
 
Incident: An occurrence or event that interrupts normal procedure or precipitates a crisis.
 
Information Technology (IT) Resources: Any equipment or interconnected system or subsystems of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information - including computers; ancillary equipment: software, firmware, and similar materials; services, including support services; and related resources.
 
Integrity: Assurance that data is protected against unauthorized, unanticipated, or unintentional modification and/or destruction.
 
Integrity Controls: The mechanism or procedure that preserves data or information from being altered or destroyed in an unauthorized manner.
iMessage: Apple's native text messaging application that uses the internet to send and receive text, picture, audio, and video messages. iMessages can be sent between Apple devices that have this application installed.
Individually identifiable health information: is information that is a subset of health information, including demographic information collected from an individual, and:
  • Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
  • That identifies the individual; or
  • With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Integrated Behavioral Health Information System (IBHIS) Super User: LACDMH workforce members who are Subject Matter Experts (SME) in their areas of responsibility. Areas of responsibility are defined based on LACDMH’s business processes within its use of IBHIS.  The IBHIS Super Users are available for ongoing support and mentoring of the personnel in their areas and new hires.
 
Information Risk: The potential that a given threat will exploit vulnerabilities of an information asset, thereby resulting in loss or harm to the information asset.  It is measured in terms of a combination of the probability of an event and its impact to LACDMH or the County of Los Angeles should the confidentiality, integrity, or availability of an asset be compromised.  A risk can be financial, operational, regulatory, and/or reputational in nature.
Information System: An interconnected set of information resources under the same direct management control that shares common functionality.  A system normally includes hardware, software, information, data, applications, communications, and people.
Integrated Behavioral Health Information System (IBHIS): LACDMH’s comprehensive behavioral health clinical, administrative, and financial information system through which LACDMH coordinates behavioral health services for a county with a population of nearly 10 million. This evidence-based, groundbreaking methodology is a modular, complete suite of solutions and services that further extends the connectivity, interoperability and functionality of technology to better serve our community. IBHIS modules are as follows:
  • Avatar™: The comprehensive, web-based electronic health record (EHR) management system that IBHIS uses as its foundation, which interfaces with contracted provider EHRs and with other Los Angeles County information systems for the purpose of providing efficient access to clinical information and improving overall client care coordination. This web-based comprehensive EHR management system is used by LACDMH to provide efficient access to the clinical information in support of IBHIS services to LACDMH clients. Avatar™ components are as follows:
  • InterSystems Cache Multi-server: is the database engine component used with the Avatar™ EHR System.
  • Avatar™ RADplus:  is the foundation tool that configures user-defined tables, fields, dictionaries, and screen layouts (Avatar™ Forms Designer) and controls screen workflow as part of the configuration of the product.  This module includes all modeling/development, site-specific-modeling, forms designer, etc.
  • Avatar™ Clinical Workstation System (CWS):  is the integrated clinical documentation component that provides assessments, treatment plans, and progress notes for the Avatar™ EHR System.  This module contains “all” the clinical notes.
  • Avatar™ Image Now: is the document imaging module that provides the scanning and imaging capabilities for the electronic capture, storage, and retrieval of paper documents and allows them to be added to the client record.
  • Avatar™ Managed Service Organization (MSO): is the integrated managed care and claims administration component that provides enrollment, provider management, authorization management, case closure, and claims administration and adjudication functions.
  • Avatar™ California Practice Management (Cal-PM): is the integrated clinical case management and financial component that provides referral, intake, service delivery, closure, billing, and account receivable functions for Avatar™ EHR System.  This module includes inpatient/outpatient Admissions, Client Demographics, and Billing/Claims.
  • Provider Connect: is the interoperability data exchange module of IBHIS that allows LACDMH and referral network/partners, including acute and primary care providers, laboratories, and public health reporting agencies, to securely connect via a web portal and, by interacting with Avatar™ MSO, to exchange health information and other supporting materials for coordination of care.  This module also provides the contract provider authorization and claims functionality.
  • Order Connect: is the IBHIS medication management module for inpatient and outpatient settings that ensures that clients receive optimal prescriptions and care for both episodic and chronic circumstances.
  • My Health Pointe: Portal that supports consumer-driven care by securely connecting individuals to their treatment information through a user-friendly web portal.  This module integrates with Avatar™ EHR System so consumers can easily access their latest clinical and personal information, and stay invested in their health and recovery.
  • Care Pathways: module that calculates clinical quality measures and produces benchmarking, analytics, and dashboard reports.
  • Care View Portal: is a web-based Internet site that provides a secure and authenticated selective read only access to all DMH clients found in the Avatar EHR application.  In this portal, users can do client look-ups to view a client’s summary that contains a core data set of the most relevant administrative, demographic, and clinical information facts about a client’s healthcare.
Internal Data: Internal data is confidential information that does not contain PHI. Only authorized LACDMH and Contract Agency workforce members may access internal data.
 
LACDMH CIO: Los Angeles County Department of Mental Health Chief Information Officer.
 
LACDMH Secure Email Messaging System:  An electronic solution utilized by LACDMH to encrypt email and its attachments during transmission to intended recipients.
Laptop: A portable computer, usually battery-powered, small enough to rest on the user's lap and having a screen that closes over the keyboard like a lid.
 
Late Change: When the requester or requesting group did not plan timely to obtain approval from CAB within the designated time period (prior to two CAB meetings before change event date), the change is considered late. Late Changes must also be approved by the Emergency Change Advisory Board (ECAB). See also Change Approval Timeline.
Least Privilege: Giving every user, task, and process the minimal set of privileges and access required to fulfill their roles or functions.  This includes access to information systems and facilities.
Legal Entity: An association, corporation, partnership, proprietorship, trust, or individual with legal standing in the eyes of the law. A legal entity has legal capacity to enter into agreements or contracts, assume obligations, incur and pay debts, sue and be sued in its own right, and to be held responsible for its actions.
 
Local Area Network (LAN):  A group of computers and other devices dispersed over a relatively limited area and connected by a communications link (physical, virtual, or wireless) that enables any device to interact with any other on the network. Local Area Networks commonly include microcomputers and shared (often expensive) resources such as laser printers and large hard disks. Most modern LANs can support a wide variety of computers and other devices. Separate LANs can be connected to form larger networks.
Malicious software (Malware): Software or code (such as viruses, worms, Trojans, spyware, adware, and rootkits) that is designed to steal protected data, delete documents, or add a piece of software without the user's knowledge, causing damage to or disrupting a system.
 
Media:  Hard copy (including paper), personal computer (PC) workstation diskettes, and other electronic forms by which LACDMH data is stored, transported, and exchanged.  The range of media formats (from paper to electronic) carries a range of security issues.  Risk exposure is considerably greater when data is in an electronically readable or transmittable form compared to when the same data is in paper or other hard copy form.
Mobile Computing Device: A portable electronic device (PED) capable of operating, executing, and providing services and applications like a typical computing device, including, but not limited to, laptops, tablets (iPad, Microsoft’s Surface, Android tablets, etc.), smartphones (Android, iOS, Windows Phone, etc.), and mobile broadband hotspots and wireless cards (also known as AirCards® and connect cards).
Modular application: A modular application is an application that is divided into a set of loosely coupled functional units (named modules) that can be integrated into a larger application.
Network: A group of interconnected (via cable and/or wireless) computers and peripherals capable of exchanging information or sharing software and hardware resources between many users.
 
Network-attached storage (NAS): A file-level computer data storage server connected to a computer network providing data access to a heterogeneous group of clients.  NAS is specialized for serving files either by its hardware, software, or configuration.
Networked Devices: Computing devices connected together within LACDMH network physically, virtually, or wirelessly for the purpose of sharing or accessing LACDMH networking resources.  Computing devices include, but are not limited to, workstations, laptops, tablets, and smartphones.  This also includes all other County or LACDMH issued devices that are disconnected from the LACDMH network.
Non-LACDMH Devices: Non-LACDMH issued equipment includes, but is not limited to, personally owned and non-LACDMH issued devices and peripherals such as printers, scanners, trackballs, mice, keyboards (wired and wireless), external storage devices (USB Flash drives, laptops, iPads, photography/videography equipment, audio recorders, external hard drives), and other network devices.
Non-Standard Change: Previous term used at CIOB for normal change.
 
Normal Change: A normal change refers to changes that must follow the complete CIOB Change Control process. By definition a normal change will proceed through all steps of the CIOB Change Control process and will eventually be reviewed by the CAB. The CAB will decide whether to approve or reject normal changes. Contrast with Standard Change definition.
 
Notebook: A battery or AC-powered portable computer, generally smaller than a briefcase, that can easily be transported and conveniently used in temporary spaces, such as on airplanes, in libraries, in temporary offices, and at meetings.
Password: A secret combination of characters either assigned to a user or chosen by a user to gain full or partial access to a computer or network.
Personally Identifiable Information (PII): Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. (2 CFR 200.79) Any data that can potentially identify a specific individual.  Any information that can be used to distinguish one person from another and can be used for de-anonymizing data is considered PII.
Portable Computing Device (PCD): Also known as mobile computing devices, portable devices capable of operating, executing, and providing services and applications like a typical computing device (Example: Laptops and Notebooks).
Portable Electronic Device (PED): A device that is capable of storing, processing, or transmitting information. These devices include portable computing devices, portable wireless devices, portable storage devices, portable recording devices, and portable internet connectivity devices.
Portable Internet Connectivity Device (PICD): A device that provides broadband wireless connectivity when devices are on the move.  (Example: Hotspots, AirCards)
 
Portable Media:  Portable media include CDs, hard disks, USB memory sticks, micro cards, tablets and smartphones capable of storage, etc.
Portable Recording Device (PRD): A device that records and stores media.  Audio signals picked up by a microphone or other transducer are converted into a stream of discrete numbers representing changes over time in air pressure; video signals picked up by a camera or similar device are converted into chroma and luminance values for video.  To play back a digital sound recording, numbers are retrieved and converted back into their original analog waveforms so that they can be heard through a loudspeaker.  To play back a digital video recording, numbers are retrieved and converted back into their original analog waveforms so that they can be viewed on a video monitor, television or other display.  (Example: Digital Audio recorder, Digital Camcorder, Digital Camera)
Portable Storage Device (PSD): A small device that is capable of storing electronic files and data, which makes it convenient to physically transport information. (Example: USB/flash drives/thumb drives, external hard drives, tapes, CDs, DVDs).
Portable Wireless Device (PWD): It is a mobile computing device, typically small enough to be handheld (and hence also commonly known as a handheld computer or simply handheld), with a display screen, miniature keyboard (either alphabetic, numeric, or alphanumeric) or, in some models, a touchscreen which enables the user to use a "virtual keyboard" that is displayed on screen along with other icons and "buttons" that can be pressed.  (Example: smart phones, tablets, iPhones, Android Phones, iPads, Surface tablets).
Protected Health Information (PHI): Individually identifiable health information (45 CFR 160.103) held or transmitted by LACDMH or its business associate(s) in any form or medium, whether electronic, paper, or oral, relating to the past, present, or future physical or mental health condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. The information identifies the individual or, with respect to which there is reasonable basis to believe, can be used to identify the individual. (45 CFR 160.103)
Probability: The likelihood of occurrence.
Public Data: Public data is information that can be accessed by the public.
Remote Access: An ability to gain access to LACDMH network from outside the network perimeter.  Remote access to LACDMH IBHIS EHR System is a privilege granted through the user provisioning process to authorized workforce members and restricted to the minimum necessary information required to carry out job responsibilities as defined and approved by LACDMH management.  Remote access privileges granted to users of IBHIS will be restricted to the minimum necessary information required to carry out job responsibilities, terms of contracts, agreements, or as further defined by LACDMH management. 
Remote Device Recovery: Also called Remote Find my Device, an application and service provided by Apple Inc. that allows remote location tracking of iOS devices and Mac computers.
Remote Device Wipe: Remote wipe is a security feature that allows a network administrator or device owner to send a command to a computing device and to delete data.
Removable Media: A storage device that can be removed from a computer while the system is running, including, but not limited to, CDs, DVDs, BDs, storage tapes, flash devices (e.g., CompactFlash, SD cards, and USB flash drives), and portable hard drives.
 
Risk:  A potential for harm or loss.  Risk is best expressed as the answers to these four (4) questions:
  • What could happen?  (What is the threat?)
  • How bad could it be?  (What is the impact or consequence?)
  • How often might it happen?  (What is the frequency?)
  • How certain are the answers to the first three questions?  (What is the degree of confidence?)
The key element among these is the issue of uncertainty captured in the fourth question.  If there is no uncertainty, there is no "risk" per se.
 
Risk Assessment:  An identification and study of the vulnerability of a system and the possible threats to its security.
 
Risk Management:  A process of identifying, controlling, and eliminating or minimizing the probability and/or impact of uncertain events that may affect system resources.  It includes risk analysis, cost benefit analysis, selection, implementation and test, security evaluation of safeguards, and overall security review.
Roles: Job functions that dictate the degree to which a workforce member is authorized to access protected health information, personally identifiable information, or other confidential or sensitive data/information using LACDMH networks and databases. A role's pre-defined set of privileges enables access to selective data/information in the IBHIS database based on the user’s assigned duties and responsibilities.
Safeguards: Administrative, physical, and technical actions or measures, policies, and procedures to protect protected health information, personally identifiable information, and other confidential/sensitive information.
  • Administrative Safeguards: Manage the selection, development, implementation, and maintenance of security measures and the conduct of workforce members in relation to the protection of that information.
  • Physical Safeguards: Protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
  • Technical Safeguards: Protect electronic protected health information and control access to it.
Security Compliance Documentation: Documents pertaining to security policies, procedures, actions taken, risk assessments, and safeguards implemented in Information Technology systems (i.e., System Security Documentation).
 
Security Incident Report: A form for reporting incidents involving any act of violence completed by the person involved in the incident or their manager, supervisor, or designee. (LACDMH Policy No. 552.01).
Security Incident: An occurrence or event that interrupts normal procedure or precipitates a crisis.  (LACDMH Policy No. 552.01) The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.
Sensitive Data: Data that requires protection due to the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data.  The term includes data whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary data, records about individuals requiring protection under the Privacy Act, and data not releasable under the Freedom of Information Act.
Short Message Service (SMS): Synonymous with texting, it is a text messaging service component of phone, web, or mobile communication devices that utilizes standardized communications protocols (voice lines) to allow mobile phones and smart devices to exchange short text-based messages.  This method is insecure and not HIPAA compliant.
 
Software: Is a collection of instructions that enable the user to interact with a computer, its hardware, or perform tasks (e.g. all applications for personal computers, mobile devices apps, and web-based applications).
 
Software Librarian: The Departmental Software Librarian is the workforce member charged with tracking and storing software.
Standards: Mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective.
 
Storage area network (SAN): A network which provides access to consolidated, block level data storage.  SANs are primarily used to make storage devices, such as disk arrays, tape libraries, and optical jukeboxes, accessible to servers so that the devices appear to the operating system as locally attached devices.
System Managers/Owners: The person who is responsible for the operation and the use of a system.
System Security Documentation:  The system security documentation describes the strategy for security and addresses the security measures and program safeguards which will ensure that information systems and resources:
  • Operate effectively and accurately;
  • Are protected from unauthorized alteration, disclosure, or misuse of information processed, stored, or transmitted;
  • Can maintain the continuity of automated information support for the entity missions, programs, and function;
  • Incorporate management, general, and application controls sufficient to provide cost-effective assurance of the system's integrity and accuracy; and
  • Have appropriate technical, personnel, administrative, environmental, and access safeguards.
System security documentation is a system and component level documentation.  The documentation describes the system security requirement and its implementation process.  At the component level, documentation includes operating system documentation, the security system documentation, and application documentation.  At the system level, security documentation includes interrelationships among applications and with the operating system and utilities in its environment.
 
The system security documentation includes, but is not limited to, creation and maintenance of the following documents:
  • Design Documentation Report: This report provides a description of the developer or integrator's philosophy of protection and an explanation of how the system translates this philosophy.  The report describes the security strategy implementation.  This can also include description of a security policy model and an explanation of how the system enforces the security policy.
  • Test Documentation Report: A report that describes the test plan, test procedures that show how the security mechanisms were tested, and results of the security mechanisms' functional testing.
  • Security Features User's Guide: A system and product level documentation that describes the protection mechanisms provided by the system, guidelines on their use, and how they interact with one another.
  • System Administrator Manual: A system and component level manual that provides guidance to the system administrator and presents cautions about functions and privileges that should be controlled when running the system or facility in a secure manner.  This guidance includes procedures for examining and maintaining security features (such as audit record structures).  The manual should describe the operator and administrator functions related to security, including changing the security characteristics of a user.  It should provide guidelines in order to operate the system or facility in a secure manner, such as the consistent and effective use of the protection features of the system, the features interactions, the warnings, and the privileges that need to be controlled.
Texting/Text Messaging: The act of sending short written messages between cell phones or other handheld devices.
Thin Client Device: A lightweight computer or a computer program that connects to a server from a remote location and depends heavily on some other computer (its server) to fulfill its computational roles.  This is different from the traditional workstation which is a computer designed to take on these roles by itself.  Thin Clients occur as components of a broader computer infrastructure where many clients share their computations with the same server and depend heavily on the server to fulfill their computational roles.
 
Threat:  An entity or event with the potential to harm the system.  Typical threats are errors, fraud, fires, water damage, disgruntled employees, hackers, and viruses.
Unauthorized Access, Use, or Disclosure: For purposes of this policy, an intentional or unintentional viewing or release of sensitive information to others by a workforce member in the absence of a legally permissible business need or the absence of a “need to know” by a workforce member.
Unsecured protected health information: Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology.
Universal Serial Bus (USB): A common interface that enables communication between devices and a host controller such as a personal computer (PC).  It connects peripheral devices such as digital cameras, mice, keyboards, printers, scanners, media devices, external hard drives, and flash drives.
 
USB Flash Drive: Also known as a USB drive, USB stick, USB key, and USB, it is a portable data storage device that includes flash memory with an integrated USB interface.  USB flash drives are typically removable, rewritable, and physically much smaller than an optical disc.
User Account Name / User ID:  A unique identifier assigned to an individual’s/authorized workforce member’s account.  This typically contains the last name, first initial, or employee number.
User: A person or entity with authorized access.  All workforce members and any other persons who represent LACDMH in the course of their duties.
 
Vulnerability:  A condition or weakness in (or absence of) security procedures, technical controls, physical controls, or other controls that could be exploited by a threat.
Web-Based Application: Any program that is accessed over a network connection using HTTP, rather than existing within a device’s memory.  Web-based applications often run inside a web browser but may also be client-based, where a small part of the program is downloaded to a user’s desktop, but processing is done over the internet on an external server.
 
Wide Area Network (WAN):
  • A group of computers and other devices dispersed over a wide geographical area that is connected (physically, virtually, or wirelessly) by communication links.
  • A WAN is a communications network that connects geographically separated areas.
Wi-Fi: The name of a popular wireless networking technology that uses radio waves to provide wireless high-speed internet and network connections.
Wireless Access Point (WAP): In computer networking, WAP is a networking hardware device that allows a Wi-Fi compliant device to connect to a wired network.
Workforce Member: Employees, business associates, contracted employees, consultants, volunteers, other County departments and/or individuals whose conduct in the performance of work for LACDMH, its offices, programs, or facilities is under the direct control of the Department, office, program, or facility regardless of whether the person is paid or unpaid.
  • LACDMH Workforce Member: A workforce member directly employed by LACDMH, such as employees and any individual who is processed through LACDMH Human Resources.
  • Non-LACDMH Workforce Member: A workforce member not employed by LACDMH, such as a business associate, contracted employee, consultant, volunteer, intern, locum tenens, or another County department’s employee.
Workstation: An LACDMH-issued electronic computing device connected to a local area network (LAN) or standalone, for example, a laptop or desktop computer, or any other device that performs similar functions, designed for technical or scientific applications and dedicated to a user or group of users engaged in County business and intended primarily to be used by one person at a time.  They run multi-user operating systems and can be operated by themselves (standalone) but are commonly found connected to a local area network (LAN).  Workstations may share network resources with one or more large client computers and network servers.  In LACDMH, Workstations are referred to as County issued computing equipment (such as desktop devices, mobile devices, tablets, laptops, notebooks, portable electronic devices (PEDs), computer carts, printers, and fax machines, etc.) that is used for County business, connected either wirelessly or wired to the LACDMH Network or simply disconnected, isolated and standalone.