Index

A
Access control
  discretionary access control (DAC), 63
  mandatory access control (MAC), 63
  role-based access control (RBAC), 63
Accredited Standards Committee (ASC) X12 transaction standards, 15
Administrative controls, 64
Advanced persistent threats (APTs), 146
Affordable Care Act
Ambulatory patient groups (APGs), 15
Ambulatory payment classifications (APCs), 15
American Health Information Management Association (AHIMA), 19
American Hospital Association (AHA), 16
American Institute of Certified Public Accountants (AICPA), 48
American Medical Association (AMA), 14
American National Standards Institute (ANSI), 15
American Recovery and Reinvestment Act (ARRA) of 2009, 35
  data breach regulations, 37
  international standards, 36
  organizational-level privacy and security requirements, 37
  privacy and security, culture of, 37
  stimulus and recovery mechanisms, 35
Asset classification, example of, 111
Assumptions and constraints, identification of, 143–146
  risk tolerance and uncertainty, 145
  vulnerabilities and predisposing conditions, 144
Authorization
  elements and statements, 17
Availability, definition of, 62

B
Backup strategy
  advantages and disadvantages, 72
Business associates, 168

C
Canada’s Office of the Privacy Commissioner, 76
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), 36
Candidates, rest prior to examination
Centers for Medicare & Medicaid Services (CMS), 112
Chief information security officer (CISO), 97
Chief security officer (CSO), 97
Clinical decision support systems (CDSS)
Code of ethics
  canons
  preamble
Common control provider, 98
Common Criteria
  certified product categories, 47–48
  for information technology security evaluation, 47
Common Methodology for Information Technology Security Evaluation, 47
Common Security Framework (CSF), 48
Comprehensive risk management methodology, 103
Computer-based (CBT) exam
Computerized physician order entry (CPOE)
Computer Security Incident Handling Guide, 175
Confidentiality, integrity, and availability (CIA) triad, 61, 62, 91
  of information systems, 108
Connection agreements, 177
Connectivity, type of, 177
Contractual agreements, 176
Covered entity
Cryptographic algorithm, one-way, 66
Current Procedural Terminology (CPT) codes, 14

D
Data analytics
Data anonymization, 81–82
Data classification schemas, 78
Data criticality analysis, 70
Data encryption
  public key encryption, 66
  secret key encryption, 65
Data handling procedures, 79
Data interoperability and exchange
Data privacy standards, 76
  Organisation for Economic Co-operation and Development privacy principles, 76
  generally accepted privacy principles, 76
  Personal Information Protection and Electronic Documents Act, 76
  UK Data Protection Act 1998, 77
Data retention and destruction policies, 74
Data Use and Reciprocal Support Agreement (DURSA), 40
industry-specific laws, 43
International Organization for Standardization (ISO), 46
legislative and regulatory updates, 41
security and privacy compliance frameworks, 45
international safe harbor principles, 42–43
Decision-making power, 101
Designated Standards Maintenance Organizations (DSMOs), 15
Diagnosis-related groups (DRGs), 14
Digital Imaging and Communications in Medicine (DICOM), 23
Disaster recovery plan, 71
  critical application assessment, 72
  implementation procedures, 72

E
Electronic data interchange (EDI)
  diagnoses and procedures, specific code sets for
  services for
  standard transactions, 13
Electronic health information exchanges, 40
Electronic health record (EHR), 10, 14
  adoption of
Electronic medical records (EMR)
Electronic personal health information, 179
Electronic protected health information (EPHI), 70
European Commission Data Protection Legislation, 36
European Data Protection Directive, 170
European Economic Area (EEA), 42
External third-party relationships, understanding of, 19

F
Federal Information Security Management Act (FISMA) of 2002, 35
Federal information systems, risk assessments of, 133
Food and Drug Administration (FDA)

G
Generally Accepted Privacy Principles (GAPP), 48, 74
General practice organizations, 102
  minimum requirements for, 103
General privacy principles, 74
  data privacy standards, 76
  12 privacy principles, 75
Good clinical research practice (GCP), 17
Governance structures, 100
  National Health Service structure, 102

H
Health and Human Services (HHS), 134
Healthcare
  authorization and informed consent, 17
  environments, information flow and life cycle in, 20
  information-based
    balance of risk vs. reward when delivering, 50
  organized physician services
  privacy and security in, 61–83
    security fundamentals, 61–62
  providers
  regulatory environment, 16
  services, information-driven, 52
  systems
    medical coding systems, 14
Healthcare industry, 5–24
  authorization and informed consent, 17
  business associates
  data analytics
  data interoperability and exchange
  Digital Imaging and Communications in Medicine (DICOM), 23
  electronic data interchange (EDI)
  electronic health record (EHR), 10
  environments, information flow and life cycle in, 20
  health data characterization, 20
  health information technology (HIT)
    exchanges
  Health Level Seven International, 10
  HIPAA transaction and code sets, 15
  institutional review boards, 18
  integrating enterprise, 10
  legal medical records, 23
  meaningful use regulations
  medical devices
  National Provider Identifier (NPI)
  National Uniform Billing Committee (NUBC), 16
  organizations
  organized physician services
  payer
  personal health record (PHR), 10
  pharmaceutical industry
  provider
    insurance exchange code lists, 21
  public health reporting, 17
  records management, 18–19
  regulatory environment, 16
  Systematized Nomenclature of Medicine (SNOMED), 14
  systems
  understanding external third-party relationships, 19
  value-added networks (VANs)
Healthcare Information and Management Systems Society (HIMSS), 10
Healthcare Information Security and Privacy Practitioner (HCISPP)
  information bulletin
  certification
Healthcare organizations
  classification of
    for-profit
    not-for-profit
  importance of information to, 91
Health data characterization, 20
Health information
  disclosure authorization, 169
  unauthorized disclosure, 169
Health information technology (HIT)
  interoperability
  use of
Health Information Technology for Economic and Clinical Health (HITECH) Act, 35, 36, 134
Health Information Trust Alliance (HITRUST), 48
exchanges
Health Insurance Portability and Accountability Act of 1996 (HIPAA), 61
  breach notification rule, 33, 38, 176
  compliance
    business support functions’ relationship with, 82
  contingency plan standard, 70
  covered entity
  relationship with HITECH, 36
  Secretary of Health and Human Services (HHS), 13
  transaction and code sets, 15
  violations and corresponding penalties, 39
  vulnerability program elements, 70
Health Level Seven International (HL7), 10
Human Services Office for Civil Rights, 37

I
Implementation types, relationship with control categories, 51
Incident response
Industry resources
  International Organization for Standardization, 93
  National Health Service, 94
  National Institute of Standards and Technology, 92
Industry-specific laws, 43
  Occupational Safety and Health Act of 1970 (OSH Act), 43
  Payment Card Industry Data Security Standard (PCI DSS), 43
  Sarbanes–Oxley Act (SOX), 43
Information access management, 173
Information governance (IG), 94
  designated representative, 98
  chief information officer (CIO), 96
  common control provider, 98
  risk executive (function), 96
  security control assessor, 100
  senior information security officer, 97
  system security engineer, 100
  system security officer, 99
Information risk assessment, 131–162
Information risk management life cycle and activities, 112, 113
  assess security controls, 116
  authorize information system, 118
  categorize information systems, 113
  implement security controls, 116
  monitoring security controls, 119
  reporting and metrics, 121
  select security controls, 114
Information risk management program
  information life cycle, 132
  key terms associated with, 132
Information security architect, 99
Information security program, 93, 96
Information Sharing and Analysis Centers (ISACs), 147
Information systems owner, responsible for, 98
Institutional review boards (IRBs), 18
Integrating enterprise, 10
Integrating the Healthcare Enterprise (IHE), 23
Integrity, definition of, 61
International Classification of Diseases (ICD), 14
  clinical modification of, 14
International Health Terminology Standards Development Organisation (IHTSDO), 14
International safe harbor principles, 42–43
International Organization for Standardization (ISO), 46, 92
(ISC)² Code of Ethics, 53

K
Key performance indicators (KPIs), 121
Key risk indicators (KRIs), 121

L
Least privilege
  NIST Special Publication 800-12, definition of, 71
Legal and information management
Legal medical records, 23
Logical access controls, 62

M
Measurement program structure, 121
Medical coding systems, 14
Medical devices
  class and regulatory controls
Medicare and Medicaid electronic health record (EHR)

N
National Health Service (NHS) organizations, 48
  general practice
    information governance life cycle, 102
National Institute of Standards and Technology (NIST), 46, 92
  Federal Information Processing Standards (FIPS), 92
  assessment scale
    likelihood of threat event initiation, 153
    likelihood of threat event occurrence, 154
    likelihood of threat event resulting in adverse impacts, 154
  example assessment procedure, 136, 137
  example contingency plan security control, 136
  incident response life cycle, 175
  Information Technology Laboratory (ITL) bulletins, 92
  interagency/internal reports, 46, 92
  key activities
    assessment preparation, 149
    communicating risk assessment information, 157
    conducting the assessment, 157
    for HIPAA Security Rule, sample of, 171
    maintaining the assessment, 159
  likelihood and impact relationship, 155
  risk assessment process, 137
  risk management hierarchy, 138
  Special Publication 800 series, examples of, 34, 35
  Special Publication 800-16, 67
  Special Publication 800-30, 105
    assessment maintenance, 106
    assessment preparation, 105
  Special Publication 800-39, 148
  Special Publication 800-66, 177
  Special Publication 800-53A Revision 1, 134
  Special Publication 800-53 Revision 4, 68
  Special Publication 800-61 Revision 2, 175
  Special Publication 800-66 Revision 1, 171
  centralized governance structures, 101
  decentralized information security governance structures, 101
  hybrid information security governance structures, 101
National Plan and Provider Enumeration System (NPPES)
National Provider Identifier (NPI)
National Uniform Billing Committee (NUBC), 16
National Uniform Claim Committee (NUCC), 21

O
Occupational Safety and Health Act of 1970 (OSH Act), 43
Office for Civil Rights, 36
Organizational Code of Ethics, 53
Organisation for Economic Co-operation and Development (OECD), 76
Organization’s healthcare security program, 67
Organization-specific risk models, 148

P
Paper-based exams
Payer
  definition of
Payment Card Industry Data Security Standard (PCI DSS), 43
comprehensive care/total cost of care payment, 13
episode/bundled payments, 13
Personal health information (PHI), 37, 91, 178
Personal health records (PHRs), 10
  vs. electronic health records (EHR), 10
Personal Information Protection and Electronic Documents Act (PIPEDA), 74
Personally identifiable information (PII), 91
Pharmaceutical industry
Physical safeguards
Physician services
Primary healthcare organization, 179
Privacy
  governance, understanding, 94
  governance structures, 100
  information governance, 94
  importance of
12 privacy principles, 75
  access, individual participation, 75
  accuracy, completeness, quality, 75
  additional measures for breach notification, 76
  disclosure limitation/transfer to third parties/trans-border concerns, 75
  limited collection/legitimate purpose/purpose specification, 75
  management, designation of privacy officer, supervisor re-authority, processing authorization, accountability, 75
  notice, purpose specification, 76
  proportionality, use and retention, use limitation, 75
  transparency, openness, 75
45 CFR 164.514
information flow mapping, 39
jurisdictional implications, 40
monitoring PHI information flows, 40
Private health insurance, 11
Protected health information, 35
Provider taxonomy codes, 21
  insurance exchange code lists, 21
Public health insurance, 11
Public health reporting, 17

Q
Qualitative analysis, 106
  asset identification and valuation, 108
  based on media coverage, 107
  leveraging likelihood and impact, 107
  association between likelihood and frequency, 110
Quantitative analysis, 106
  asset identification and valuation, 108
  association between likelihood and frequency, 110
Quantitative assessments
  annual loss expectancy (ALE), 106
  annual rate of occurrence (ARO), 106
  single loss expectancy (SLE), 106

R
Regulatory environment, 33–54
  healthcare organizations
    legal issues that relate to information security and privacy for, 33
  Health Insurance Portability and Accountability Act of 1996 (HIPAA), 33
Resource utilization groups (RUGs), 14
Risk assessment, conducting, 149
  identify threat events, 150
  identify threat sources, 150
  identify vulnerabilities and conditions, 151
Risk assessment information, communication of, 156
Risk assessment maintenance, 156
  monitor risk factors, 158
  update risk assessment, 158
Risk assessment preparation, 140
  identify assumptions and constraints, 143–146
  identify information sources, 146–147
  identify risk model and analytic approach, 148–149
Risk assessment procedures, 134
Risk assessment process, 105
  enable organizations to, 100
  mission/business process, 139
  information security risk, 135
  NIST guide for conducting, 133
  role of internal and external audit, 134
Risk assessment, understanding, 131
  life cycle and continuous monitoring, 132
  tools, resources, and techniques, 133
Risk management methodology, 108
  risk assessment approach, 105
Risk response and remediation, 159
  controls
    evaluation of alternatives, 160
  risk response decision, 161
  risk response identification, 160
  risk response implementation, 161

S
Safeguard healthcare information, 68
Safe harbor privacy principles, 42
Safety and welfare of society
SANS critical security controls, 49
compensating controls, 50–51
control variance documentation, 52
residual risk tolerance, 52
Risk-based decision making, 50
Sarbanes–Oxley Act (SOX), 43
architectural/technology considerations, 143
effectiveness time frame, 142
organizational applicability, 142
Security
  assigned responsibilities, 172
  authorization process, 97
  categorization process, 113
  governance, understanding, 94
  governance structures, 100
  information governance, 94
  importance of
  business continuity and disaster recovery, 71
  data retention and destruction, 74
  segregation of duties, 71
  application and data criticality analysis, 71
  disaster recovery plan, 71
  emergency mode operation plan, 71
  testing and revision procedures, 71
  training and awareness, 67–68
  logging and monitoring, 68
  vulnerability management, 68–70
Sensitive data
  disparate nature of, and handling implications, 78–79
  protected health information (PHI), 79
Sensitive healthcare information, 61, 62
Social Security number (SSN), 106, 178
Systematic vulnerability management program, 69
Systematized Nomenclature of Medicine (SNOMED), 14

T
Third party
  information, asset protection controls, 171
Third-party risk management, 167–180
  assessment and audit support, 171–174
  communication of findings, 174
  establishing connectivity, 177
    connection agreements, 177
  incident notification and response, 174–175
    breach identification, notification, and initial response, 176
    relationship between covered entity and third party, 176
  management standards and practices, 169
  promoting awareness of requirements, 178
    data sensitivity and classification, 178
    information flow mapping and scope, 178
    privacy requirements, 178
    risks associated with third parties, 179
    security requirements, 179
Trading partner agreement, 19
  technical requirements for communications protocols, 20

U
UK Data Protection Act 1998 (DPA), 36, 74, 77
United Kingdom’s Information Commissioner’s Office (ICO), 77
United Kingdom’s National Health Service (NHS), 92
US Computer Emergency Readiness Team (US-CERT), 147
US Department of Commerce, 92
U.S. Department of Health and Human Services (HHS)
U.S. healthcare system

V
Value-added networks (VANs)
Vulnerability management
  NIST Special Publication 800-53 Revision 4, definition of, 68

W
World Health Assembly, 14
World Health Organization (WHO)