Index

A
Access control, 62–63
discretionary access control (DAC), 63
mandatory access control (MAC), 63
role-based access control (RBAC), 63
types, 64
Accredited Standards Committee (ASC)
X12 transactions standards, 15
Administrative controls, 64
Advanced persistent threats (APTs), 146
Affordable care act, 8
Ambulatory patient groups (APGs), 15
Ambulatory payment classifications (APCs), 15
American Health Information Management Association (AHIMA), 19
American Hospital Association (AHA), 16
American institute of certified public accountants (AICPA), 48
American Medical Association (AMA), 14
American national standards institute (ANSI), 15
American recovery and reinvestment act (ARRA) of 2009, 35
data breach regulations, 37
international standards, 36
organizational-level privacy and security requirements, 37
penalties and fees, 38
privacy and security, culture of, 37
stimulus and recovery mechanisms, 35
Asset classification, example of, 111
Assumptions and constraints, identification, 143–146
analytic approach, 146
impacts, 145
likelihood, 145
risk tolerance and uncertainty, 145
threat events, 144
threat sources, 144
vulnerabilities and predisposing conditions, 144
Authorization
elements and statements, 17
officials, 97
Availability, definition of, 62
Awareness, 67
B
Backup strategy
advantages and disadvantages, 72
cold sites, 74
differential backup, 73
full backup, 73
hot sites, 73
incremental backup, 73
mirrored backup, 73
onsite backups, 73
remote backups, 73
warm sites, 74
Business associates, 8, 168
Business continuity, 71
C
Canada’s Office of the Privacy Commissioner, 76
Canada’s personal information protection and electronic documents act (PIPEDA), 36
Candidates, rest prior to examination, 3
Centers for Medicare & Medicaid Services (CMS), 6, 112
Chief information security officer (CISO), 97
Chief security officer (CSO), 97
Clinical decision support systems (CDSS), 8
Clinical research, 17
Code of Ethics, 3–4, 53
canons, 4
preamble, 3
Coding systems, 14
Common control provider, 98
responsible for, 98
Common criteria, 47
arrangement, 47
participants in, 47
certified product categories, 47–48
for information technology security evaluation, 47
Common methodology for information technology security evaluation, 47
Common security framework (CSF), 48
Comprehensive risk management methodology, 103
Computer-based testing (CBT) exam, 3
Computerized physician order entry (CPOE), 8
Computer security
division, 92
incident handling guide, 175
Confidentiality, integrity, and availability (CIA) triad, 61, 62, 91
of information systems, 108
Connection agreements, 177
Connectivity, type of, 177
Contractual agreements, 176
execution of, 177
Control, examples, 110
Covered entity
definitions of, 168
level, 177
responsible for, 168
Cryptographic algorithm, one-way, 66
Cryptography, 65
Current procedural terminology (CPT) codes, 14
D
Data analytics, 9
Data anonymization, 81–82
DNA, 82
HIV research data, 82
pregnancy, 82
substance abuse, 82
Data classification schemas, 78
Data criticality analysis, 70
Data encryption, 65–66
Hash functions, 66
public key encryption, 66
secret key encryption, 65
Data handling procedures, 79
access, 79
destruction, 79
use, 79
Data interoperability and exchange, 9
foundational, 22
semantic, 22
structural, 22
Data privacy standards, 76
economic co-operation and development privacy principles, organization for, 76
generally accepted privacy principles, 76
personal information protection and electronic documents act, 76
UK data protection act 1998, 77
Data retention and destruction policies, 74
Data sharing, 19
Data use and reciprocal support agreement (DURSA), 40
data ownership, 41
data subjects, 41
guidelines, 44
industry-specific laws, 43
International Organization for Standardization (ISO), 46
legislative and regulatory updates, 41
policies, 44
practical example, 45
procedures, 44
security and privacy compliance frameworks, 45
standard, 44
treaties, 42
international safe harbor principles, 42–43
Decision-making power, 101
Designated Standards Maintenance Organizations (DSMOs), 15
Diagnosis-related groups (DRGs), 14
Digital imaging and communications in medicine (DICOM), 23
Disaster recovery plan, 71
backup procedures, 72
critical application assessment, 72
implementation procedures, 72
recovery procedures, 72
test procedures, 72
Disparate data, 79
E
Electronic data interchange (EDI), 7
diagnoses and procedures
specific code sets for, 7
services for, 7
standard transactions, 7, 13
Electronic health information exchanges, 40
Electronic health record (EHR), 10, 14
adoption of, 9
benefits of, 23
legal elements of, 23
Electronic medical records (EMR), 8
Electronic personal health information, 179
Electronic protected health information (EPHI), 70
Encryption, 65
algorithms, 66
function, 65
definition of, 65
types of, 65
European Commission Data Protection Legislation, 36
European Data Protection Directive, 170
Directive 95/46/EC, 42
European economic area (EEA), 42
Exam registration, 3–4
Code of Ethics, 3–4
External third-party relationships, understanding of, 19
F
Federal information security management act (FISMA) of 2002, 35
Federal information systems, risk assessments of, 133
Food and Drug Administration (FDA), 9
G
Generally accepted privacy principles (GAPP), 48, 74
General practice organizations, 102
minimum requirements for, 103
General privacy principles, 74
data privacy standards, 76
12 privacy principles, 75
Good clinical research practice (GCP), 17
Governance structures, 100
national health service structure, 102
NIST structure, 101
H
Health and human services (HHS), 134
Healthcare
authorization and informed consent, 17
clearinghouses, 16
delivery of, 82
environments, information flow and life cycle in, 20
information-based
balance of risk vs. reward when delivering, 50
organized physician services, 6
privacy and security in, 61–83
security fundamentals, 61–62
security principles, 62
processes, 16
providers, 5
records management, 18–19
regulatory environment, 16
services, information-driven, 52
systems, 5
Healthcare coding, 13–14
medical coding systems, 14
Healthcare industry, 5–24
authorization and informed consent, 17
business associates, 8
clearinghouses, 16
clinical research, 17
coding, 13–14
data analytics, 9
data interoperability and exchange, 9
data sharing, 19
digital imaging and communications in medicine (DICOM), 23
electronic data interchange (EDI), 7
electronic health record (EHR), 10
environments, information flow and life cycle in, 20
health data characterization, 20
health information technology (HIT), 8
health insurance, 11–12
exchanges, 8
health level seven international, 10
HIPAA transaction and code sets, 15
Institutional Review Boards, 18
integrating enterprise, 10
legal medical records, 23
meaningful use regulations, 9
medical billing, 15
medical devices, 9
national provider identifier (NPI), 6
National Uniform Billing Committee (NUBC), 16
organizations, 5
organized physician services, 6
payer, 6
payment models, 13
personal health record (PHR), 10
pharmaceutical industry, 6
provider, 5
taxonomy codes, 21
code lists, 21
insurance exchange code lists, 21
public health reporting, 17
records management, 18–19
regulatory environment, 16
systematized nomenclature of medicine (SNOMED), 14
systems, 5
understanding external third-party relationships, 19
value-added networks (VANs), 7
workflow management, 16
Healthcare Information and Management Systems Society (HIMSS), 10
Healthcare information security and privacy practitioner (HCISPP)
candidates, 92, 131, 167
information bulletin, 1
certification, 1
requirements, 2–3
Healthcare organizations, 1, 5, 20, 38, 50, 62, 78, 131
classification of
for-profit, 5
not-for-profit, 5
importance of information to, 91
resource for, 46
Health data characterization, 20
analytics, 21
classification, 21
taxonomy, 21
Health information
audit, 170
compliance, 169
disclosure authorization, 169
event notification, 169
permitted use, 169
right to terminate, 170
safeguards, 169
subcontractors, 170
termination, 170
unauthorized disclosure, 169
Health information technology (HIT), 8
interoperability
foundational, 22
semantic, 22
structural, 22
use of, 1
Health information technology for economic and clinical health (HITECH) act, 35, 36, 134
Health information trust alliance (HITRUST), 48
Health insurance, 11–12
exchanges, 8
government-managed, 11
programs, 12
in United States, 12
variety of, 12
Health insurance portability and accountability act of 1996 (HIPAA), 61
breach notification rule, 33, 38, 176
changes to, 35
compliance
business support functions’ relationship with, 82
contingency plan standard, 70
covered entity, 6
elements of, 34
and covers, 34
and definitions, 34–35
healthcare laws, 33
privacy rule, 8, 17, 33, 74, 79, 168
45 CFR 164.514, 39
public law 104-191, 34
relationship with HITECH, 36
secretary of health and human services (HHS), 13
security rule, 46, 103, 108
transaction and code sets, 15
violations and corresponding penalties, 39
vulnerability program elements, 70
Health level seven international (HL7), 10
website, 23
Human services (HHS) office for civil rights, 37
Hybrid approach, 101
I
Implementation, types relationship with control categories, 51
Incident response
concept, 174
life cycle, 175
Industry resources
International Organization for Standardization, 93
National Health Service, 94
national institute of standards and technology, 92
Industry-specific laws, 43
occupational safety and health act of 1970 (OSH Act), 43
payment card industry data security standard (PCI DSS), 43
Sarbanes–Oxley act (SOX), 43
Information access management, 173
Information governance (IG), 94
authorizing official, 97
designated representative, 98
chief information officer (CIO), 96
common control provider, 98
definition of, 94
head of agency (CEO), 95
owner/Steward, 96
risk executive (function), 96
and risk management, 91–122
industry resources, 92
knowledge areas, 92
security architect, 99
security control assessor, 100
senior information security officer, 97
system owner, 98
system security engineer, 100
system security officer, 99
toolkit, 48, 94
Information risk assessment, 131–162
knowledge areas, 131
Information risk management life cycle and activities, 112, 113
assess security controls, 116
assess, 117
prepare, 117
remediate, 117
report, 117
authorize information system, 118
accept, 118
package, 118
plan, 118
risk, 118
categorize information systems, 113
categorize, 113
describe, 114
register, 114
implement security controls, 116
document, 116
implement, 116
monitoring security controls, 119
disposal, 120
exception handling, 120
monitor, 119
remediate, 119
reporting and metrics, 121
risk and accept, 120
status, 120
system change, 119
update, 119
select security controls, 114
identify, 114
monitor, 115
plan, 115
select, 115
Information risk management program
controls, 132
impact, 132
information life cycle, 132
key terms associated with, 132
likelihood, 132
risk, 132
acceptance, 132
assessments, 131
avoidance, 132
mitigation, 132
transfer, 132
threat, 132
vulnerability, 132
Information security architect, 99
Information security program, 93, 96
measurement program, 121
Information Sharing and Analysis Centers (ISACs), 147
Information systems
categorization of, 113
descriptions, 114
owner, responsible for, 98
Institutional review boards (IRBs), 18
Integrating enterprise, 10
Integrating the healthcare enterprise (IHE), 23
Integrity, definition of, 61
International classification of disease (ICD), 14
clinical modification of, 14
International Health Terminology Standards Development Organization (IHTSDO), 14
International safe harbor principles, 42–43
access, 42
choice, 42
data integrity, 42
enforcement, 42
notice, 42
onward transfer, 42
security, 42
International Organization for Standardization (ISO), 46, 92
ISO 27799:2008, 93
ISO/IEC 27002:2005, 93
(ISC)2, 1
(ISC)2 Code of Ethics, 53
canons, 54
code, 53
preamble, 54
sanctions, 54
K
Key performance indicators (KPIs), 121
Key risk indicators (KRIs), 121
L
Least privilege
NIST Special Publication 800-12, definition of, 71
Legal and information management, 3
Legal medical records, 23
Logical access controls, 62
M
Measurement program structure, 121
Medical billing, 15
Medical coding systems, 14
Medical devices, 9
class and regulatory controls, 9
Medical record, 79
Medicare and medicaid electronic health record (EHR), 9
N
National Health Service (NHS) organizations, 48
general practice
information governance life cycle, 102
National institute of standards and technology (NIST), 46, 92
areas, 92
federal information processing standards (FIPS), 92
assessment scale
likelihood of threat event initiation, 153
likelihood of threat event occurrence, 154
likelihood of threat event resulting in adverse impacts, 154
example assessment procedure, 136, 137
example contingency plan security control, 136
incident response life cycle, 175
information technology laboratory (ITL) bulletins, 92
interagency/internal reports, 46, 92
key activities
assessment preparation, 149
communicating risk assessment information, 157
conducting the assessment, 157
for HIPAA security rule, sample of, 171
maintaining the assessment, 159
likelihood and impact relationship, 155
risk assessment process, 137
risk management hierarchy, 138
special publications 800 series examples, 34, 35
special publication 800-16, 67
special publication 800-30, 105
assessment maintenance, 106
assessment preparation, 105
communicate results, 106
conduct assessment, 106
special publication 800-39, 148
special publication 800-66, 177
special publication 800-53A revision 1, 134
special publication 800-53 rev. 4, 68
special publication 800-61 revision 2, 175
special publication 800-66 revision 1, 171
step 1 checkpoint, 114
step 2 checkpoint, 116
step 3 checkpoint, 117
step 4 checkpoint, 118
step 5 checkpoint, 119
step 6 checkpoint, 120
structure, 101
centralized governance structures, 101
decentralized information security governance structures, 101
hybrid information security governance structures, 101
National plan and provider enumeration system (NPPES), 6
National provider identifier (NPI), 6
National Uniform Billing Committee (NUBC), 16
National Uniform Claim Committee (NUCC), 21
O
Occupational safety and health act of 1970 (OSH Act), 43
Office for Civil Rights, 36
Organizational Code of Ethics, 53
Organization for economic co-operation and development (OECD), 76
privacy principles, 74
Organization’s healthcare security program, 67
Organization-specific risk models, 148
P
Paper-based exams, 3
Payer, 6
definition of, 6
Payment card industry data security standard (PCI DSS), 43
Payment models, 13
comprehensive care/total cost of care payment, 13
episode/bundled payments, 13
fee for service, 13
pay for coordination, 13
pay for performance, 13
variety of, 13
Personal data, 77
Personal health information (PHI), 1, 6, 37, 91, 178
definition of, 79
possession of, 53
Personal health records (PHRs), 6, 10
vs. electronic health records (EHR), 10
Personal information protection and electronic documents act (PIPEDA), 74
Personally identifiable information (PII), 91
Pharmaceutical industry, 6
Physical safeguards
definition of, 94
Physician services, 6
Primary healthcare organization, 179
Privacy
governance, understanding, 94
governance structures, 100
information governance, 94
importance of, 1
principles, 37
relationship between, 78
12 Privacy principles, 75
access
individual participation, 75
limitation, 75
accuracy, completeness, quality, 75
additional measures for breach notification, 76
consent/choice, 75
disclosure limitation/transfer to third parties/trans-border concerns, 75
limited collection/legitimate purpose/purpose specification, 75
management, designation of privacy officer, supervisory authority, processing authorization, accountability, 75
notice, purpose specification, 76
proportionality, use and retention, use limitation, 75
security, 75
transparency, openness, 75
Privacy rules, 18
45 CFR 164.514
information flow mapping, 39
jurisdictional implications, 40
monitoring PHI information flows, 40
Private health insurance, 11
Protected health information, 35
Provider taxonomy codes, 21
code lists, 21
insurance exchange code lists, 21
Public health insurance, 11
disadvantage of, 11
Public health reporting, 17
Q
Qualitative analysis, 106
asset identification and valuation, 108
based on media coverage, 107
controls, 110
impact, 111
leveraging likelihood and impact, 107
likelihood, 110
association between likelihood and frequency, 110
risk, 111
treatment, 112
threats, 108
vulnerability, 109
Quantitative analysis, 106
asset identification and valuation, 108
controls, 110
impact, 111
likelihood, 110
association between likelihood and frequency, 110
risk, 111
treatment, 112
threats, 108
vulnerability, 109
Quantitative assessments
annual loss expectancy (ALE), 106
annual rate of occurrence (ARO), 106
single loss expectancy (SLE), 106
R
Reassessments, 106
Regulatory environment, 33–54
definitions, 54
healthcare organizations
legal issues that relate to information security and privacy for, 33
health insurance portability and accountability act of 1996 (HIPAA), 33
Resource utilization groups (RUGs), 14
Risk assessment, conducting, 149
determine impact, 154
determine likelihood, 152–153
determine risk, 155
identify threat events, 150
identify threat sources, 150
identify vulnerabilities and conditions, 151
Risk assessment information, communication, 156
Risk assessment maintenance, 156
monitor risk factors, 158
update risk assessment, 158
Risk assessment preparation, 140
identify assumptions and constraints, 143–146
identify information sources, 146–147
identify purpose, 140–142
identify risk model and analytic approach, 148–149
identify scope, 142–143
Risk assessment procedures, 134
methods, 135
examine method, 135
interview method, 135
test method, 135
NIST example, 135
objective, 134
Risk assessment process, 105
effect on, 139
desired outcomes, 134
enable organizations to, 100
hierarchy, 137
information system, 139
mission/business process, 139
organizational level, 138–139
information security risk, 135
NIST guide for conducting, 133
ISO/IEC 27005:2011, 133
role of internal and external audit, 134
scope of, 139
support, 101
Risk assessment, understanding, 131
key terms, 132
life cycle and continuous monitoring, 132
tools, resources, and techniques, 133
Risk management methodology, 108
understanding, 103
assessment, 104
framing, 104
monitoring, 105
response, 104
risk assessment approach, 105
Risk response and remediation, 159
controls
related to time, 162
corrective, 162
detective, 162
preventative, 162
types of, 161
administrative, 161
physical, 161
technical, 161
evaluation of alternatives, 160
risk response decision, 161
risk response identification, 160
risk response implementation, 161
Risk, types of, 111
acceptance, 112
avoid, 112
inherent, 111
managed, 111
mitigate, 112
residual, 111
transfer, 112
S
Safeguard healthcare information, 68
Safe harbor privacy principles, 42
Safety and welfare of society, 3
SANS critical security controls, 49
compensating controls, 50–51
administrative, 51
corrective, 51
detective, 51
logical, 51
physical, 51
preventative, 51
control variance documentation, 52
residual risk tolerance, 52
Risk-based decision making, 50
Sarbanes–Oxley act (SOX), 43
Scope, identification, 142–143
architectural/technology considerations, 143
effectiveness time frame, 142
organizational applicability, 142
Security
assigned responsibilities, 172
authorization process, 97
categorization process, 113
control assessors, 100
fundamentals, 61–62
availability, 62
confidentiality, 61
integrity, 61
governance, understanding, 94
governance structures, 100
information governance, 94
importance of, 1
management process, 171
resources, 92
rules, 18
Security principles, 62
access control, 62–63
business continuity and disaster recovery, 71
data encryption, 65–66
data retention and destruction, 74
least privilege, 71
segregation of duties, 71
systems recovery, 70–71
application and data criticality analysis, 71
data backup plan, 71
disaster recovery plan, 71
emergency mode operation plan, 71
testing and revision procedures, 71
training and awareness, 67–68
logging and monitoring, 68
vulnerability management, 68–70
Sensitive data
anonymization, 81–82
de-identification, 81
and handling implications, disparate nature of, 78–79
protected health information (PHI), 79
Sensitive healthcare information, 61, 62
Social security number (SSN), 106, 178
Systematic vulnerability management program, 69
Systematized nomenclature of medicine (SNOMED), 14
T
TCS rule, 15
Third party
definitions of, 168
information, asset protection controls, 171
service providers, 167
Third-party risk management, 167–180
assessment and audit support, 171–174
communication of findings, 174
definition of, 168
establishing connectivity, 177
connection agreements, 177
safeguards, 177
trust, 177
incident notification and response, 174–175
breach identification, notification, and initial response, 176
internal processes, 175
relationship between covered entity and third party, 176
inventory, 168
knowledge areas, 167
management standards and practices, 169
promoting awareness of requirements, 178
data sensitivity and classification, 178
information flow mapping and scope, 178
privacy requirements, 178
risks associated with third parties, 179
security requirements, 179
risk assessment, 170–171
risk remediation, 179
Trading partner agreement, 19
technical requirements for communications protocols, 20
Transaction rule, 20
U
UK data protection act 1998 (DPA), 36, 74, 77
United Kingdom’s Information Commissioner’s Office (ICO), 77
United Kingdom’s national health service (NHS), 92
US computer emergency readiness team (US-CERT), 147
US Department of Commerce, 92
U.S. Department of Health and Human Services (HHS), 5
U.S.–EU safe harbor, 42
U.S. healthcare system, 9
V
Value-added networks (VANs), 7
Vulnerability, 109
access management, 110
backup, 109
change management, 110
management
cycle, 69
NIST Special Publication 800-53 Rev. 4, definition of, 68
mobile media, 109
system hardening, 109
system patching, 109
types of, 109
W
Workflow management, 16
Workforce security, 173
World health assembly, 14
World Health Organization (WHO), 9