Healthcare Information Security and Privacy

Book Description

Operational, tested information security and privacy practices for the healthcare environment

Written by an expert in the field with multiple industry certifications, this definitive resource fully addresses information security and privacy considerations and their implications within the business of patient care. The book begins with an overview of the organization, financing, and delivery of healthcare and discusses technology, terminology, and data management principles. The topic coverage continues across all aspects of information security and privacy, with a special emphasis on real-life scenarios in clinical practices and business operations in healthcare.

Learn best practices for healthcare information security and privacy with detailed coverage of essential topics such as information governance, roles and occupations, risk assessment and management, incident response, patient rights, and cybersecurity. Written for a global audience, this comprehensive guide addresses U.S. laws and regulations as well as those within the European Union, the United Kingdom, and Canada.

Healthcare Information Security and Privacy covers:

  • Healthcare organizations and industry
  • Regulatory environment
  • Risk-based decision making
  • Notifications of security and privacy events
  • Patient rights and healthcare responsibilities
  • Anatomy of a cyber attack
  • Protecting digital health information
  • Privacy and security impact on healthcare information technology
  • Information governance
  • Risk assessment and management

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. About the Author
  5. Dedication
  6. Contents
  7. Acknowledgments
  8. Introduction
  9. Part I: A Healthcare Organization and Information Risk Overview
    1. Chapter 1: Healthcare: Organization, Technology, and Data
      1. The Organization and Financing of Healthcare Delivery
        1. Patients
        2. Payers
        3. Providers
        4. Stakeholders
        5. Healthcare Across the Globe
      2. The Financial Components of Healthcare
        1. Claims Processing
        2. Payment Models
        3. Medical Billing
        4. Reimbursement
      3. Technology Specific to Healthcare
        1. Medical Devices
        2. Information Technology Networks
        3. Health Information Exchanges
        4. Electronic Health Record
        5. Personal Health Record
      4. Terminology and Data Standards
        1. Clinical Workflow
        2. Coding
        3. Data Interoperability and Exchange
      5. The Foundation of Health Data Management
        1. Information Flow and Life Cycle in the Healthcare Environments
        2. Health Data Characterization
        3. Legal Medical Record
      6. Chapter Review
        1. Review Questions
        2. Answers
      7. References
    2. Chapter 2: Healthcare: People, Roles, and Third-Party Partners
      1. Identifying Workforce Dynamics: Personnel, Professions, and Proficiency
        1. Nurses
        2. Physicians
        3. Physician Assistants
        4. Medical Technicians
        5. Administration
        6. Environmental Services
        7. Healthcare Organizational Behavior
      2. Third-Party Relationships
        1. Vendors
        2. Government as Third Party
        3. Nongovernment Regulators
        4. Public Health Reporting
        5. Clinical Research
        6. Health Records Management
        7. Administering Third Parties
      3. Chapter Review
        1. Review Questions
        2. Answers
      4. References
    3. Chapter 3: Healthcare Information Regulation
      1. Applicable Regulations
        1. Legal Issues
        2. Cross-Jurisdictional Impact
      2. Conforming Policies and Procedures with Regulatory Guidance
        1. Policies
        2. Procedures
        3. Notable Policies and Procedures
      3. Governance Frameworks to Manage Policies
        1. Configuration Control Board
        2. Information Management Council
        3. Data Incident Response Team
        4. Institutional Review Board
      4. International Regulations and Controls
        1. Organization for Economic Cooperation and Development Privacy Principles
        2. Safe Harbor Agreement
        3. EU Data Protection Directive
        4. International Organization for Standardization
        5. Generally Accepted Privacy Principles
      5. Chapter Review
        1. Review Questions
        2. Answers
      6. References
    4. Chapter 4: Information Risk Decision Making
      1. Using Risk Management to Make Decisions
      2. Information Risk Compliance Frameworks
        1. Measuring and Expressing Information Risk
        2. National Institute of Standards and Technology
        3. HITRUST
        4. International Organization for Standardization
        5. Common Criteria
        6. Factor Analysis of Information Risk
      3. Responses for Risk-Based Decision Making
        1. Residual Risk Tolerance
        2. Information Asset Protection Controls
        3. Corrective Action Plans
        4. Compensating Controls
        5. Control Variance Documentation
      4. Communication of Findings
      5. Provisioning Third-Party Connectivity
      6. Documenting Compliance
        1. NIST HIPAA Security Toolkit Application
        2. HIMSS Risk Assessment Toolkit
        3. The Information Governance Toolkit
      7. Chapter Review
        1. Review Questions
        2. Answers
      8. References
    5. Chapter 5: Third-Party Risk Management and Promoting Awareness
      1. Managing the Risk of Third-Party Relationships
        1. Purpose
        2. Methodology
        3. Types of Third-Party Arrangements
        4. Third Parties in the Healthcare Operations Context
        5. Tools to Manage Third-Party Risk
        6. Service Level Agreements
        7. Determining When Third-Party Assessment Is Required
        8. Support of Third-Party Assessments and Audits
      2. Promoting Information Protection Including Risk Management
        1. Training
        2. Internal Marketing
        3. Security Awareness Program Essentials
      3. Chapter Review
        1. Review Questions
        2. Answers
      4. References
    6. Chapter 6: Information Security and Privacy Events Management
      1. Definitions
      2. Timeline of Incident Activities
        1. Preparation
        2. Detection and Analysis
        3. Containment, Eradication, and Recovery
        4. Post-incident Activity
      3. Incident Notification and Remediation Efforts
        1. Preparation Phase
        2. Detection and Analysis Phase
        3. Containment, Eradication, and Recovery Phase
        4. Post-incident Activity
      4. Incidents Caused by Third Parties
        1. Preparation Phase
        2. Detection and Analysis Phase
        3. Containment, Eradication, and Recovery Phase
        4. Post-incident Activity
      5. External Reporting Requirements
        1. Law Enforcement
        2. Data Authorities (EU)
        3. Affected Individuals (Patients)
        4. Media
        5. Public Relations
        6. Secretary Health and Human Services
        7. Health Information Exchanges
      6. International Breach Notification
      7. Chapter Review
        1. Review Questions
        2. Answers
      8. References
  10. Part II: Healthcare Information Privacy and Security Management
    1. Chapter 7: Information Privacy: Patient Rights and Healthcare Responsibilities
      1. U.S. Approach to Privacy
      2. European Approach to Privacy
      3. Information Privacy Concepts and Terms
        1. Consent
        2. Choice
        3. Notice
        4. Collection Limitation
        5. Disclosure Limitation
        6. Retention of Data
        7. Legitimate Purpose
        8. Individual Participation
        9. Complaints and Enforcement
        10. Quality of Data
        11. Accountability
        12. Openness and Transparency
      4. Designation of Privacy Officer
      5. Promises and Obligations
      6. Data Protection Governing Authority
      7. Breach Notification
        1. United States
        2. European Union
        3. Canada
      8. Chapter Review
        1. Questions
        2. Answers
      9. References
    2. Chapter 8: Protecting Digital Health Information: Cybersecurity Fundamentals
      1. Evolving Information Security to Cybersecurity
        1. Information Security
        2. Cybersecurity
      2. The Guiding Principles of Security: Confidentiality, Integrity, Availability, and Accountability
        1. Confidentiality
        2. Integrity
        3. Availability
        4. Accountability
      3. Shaping Information Security
        1. Security Controls
        2. Security Categorization
        3. Defense-in-Depth
      4. General Security Definitions
        1. Access Control
        2. Data Encryption
        3. Training and Awareness
        4. Logging and Monitoring
        5. Vulnerability Management
        6. Segregation of Duties
        7. Least Privilege
        8. Business Continuity
        9. Data Retention and Destruction
        10. Configuration or Change Management
        11. Incident Response
      5. Chapter Review
        1. Questions
        2. Answers
      6. References
    3. Chapter 9: Impact of Information Privacy and Security on Health IT
      1. Ownership of Healthcare Information
        1. United States (HIPAA)
        2. European Union (DPD)
        3. United Kingdom
        4. Germany
      2. The Relationship Between Privacy and Security
        1. Dependency
        2. Integration
      3. Information Protection and Healthcare Technologies and Initiatives
        1. Medical Devices
        2. Cloud Computing
        3. Mobile Device Management
        4. Health Information Exchange
        5. Implementation of Electronic Health Records
      4. Data Breach Impact
        1. Organization Reputation
        2. Financial Impact
        3. Medical and Financial Identity Theft
        4. Patient Embarrassment
        5. Special Categories of Sensitive Health Data
      5. Chapter Review
        1. Questions
        2. Answers
      6. References
    4. Chapter 10: Workforce Competency in Healthcare
      1. Cybersecurity Workforce
        1. Global
        2. United States
        3. Healthcare Cybersecurity Workforce
        4. Convergence of Skill Sets
        5. Clinical Professions with New Cybersecurity Concerns
      2. Government Initiatives
        1. NICE
        2. NHS Cyber Initiative
        3. NH-ISAC
      3. Competency Measures
        1. Formal Education
        2. Training
        3. Credentials and Certifications
        4. Professional Organizations
        5. Internships
      4. Chapter Review
        1. Review Questions
        2. Answers
      5. References
    5. Chapter 11: Administering Risk Management and Cybersecurity
      1. The Attack
        1. The Anatomy of a Cyberattack
        2. Summary of the Attacks
      2. Defense Against the Attacks: Art and Science
        1. A Framework for the Process
        2. Cybersecurity Framework (CSF)
      3. Cyber Threat Vectors
        1. External
        2. Internal
        3. Penetration Testing
        4. Who Should Perform a Risk Assessment?
      4. Controlling for Cyberattack
      5. Protect
        1. Access Control
        2. Awareness and Training
        3. Data Security
        4. Information Protection Processes and Procedures
        5. Maintenance
        6. Protective Technology
      6. Chapter Review
        1. Questions
        2. Answers
      7. References
  11. Index