SNHP 4680 Test 1 Study Guide

by: Alexis Collier

About this Document

Healthcare Information Security and Privacy
Security Privacy Healthcare
Study Guide
Security, Privacy, Healthcare I.T

This 8 page Study Guide was uploaded by Alexis Collier on Saturday October 15, 2016. The Study Guide belongs to SNHP 4680 at Georgia State University taught by in Fall 2016. Since its upload, it has received 7 views. For similar materials see Security Privacy Healthcare in Nursing and Health Sciences at Georgia State University.
Date Created: 10/15/16
Healthcare Information Security and Privacy Test 1 Study Guide

Definitions:
- Evidence: Result of the forensic phases
- IRB: Regulates and protects patient data that is utilized for patient research
  o Formal, chartered committees that approve, monitor, and review biomedical and behavioral research involving humans
  o Primary purpose is to protect human subjects from physical or psychological harm
  o Guiding principles:
    - Respect for people
    - Beneficence
    - Justice
- Joint Commission: Most notable regulator
  o An independent, not-for-profit organization located in the US
  o Accredits healthcare organizations against standards of practice
  o Has recently built an international presence
- Threat: Specific source of information loss or damage relevant to your organization
- Risk: Risk = likelihood x impact; Risk = threat x vulnerability x expected loss; Risk = probability x consequence
- Vulnerability: Weakness that may expose the organization unnecessarily to the threat
- Technical Asset Controls: Hardware and software solutions that provide safeguards across the entire activity and phases of information protection
- Physical Asset Controls: Structural or visible security measures
- Administrative Asset Controls:
  o Human factors
  o Policies and procedures that guide personnel and their actions when handling sensitive information
  o Establish levels of access and responsibilities relative to information resources

Healthcare Organization, Technology, and Data
- Understand the roles of different pieces of the electronic health record
  o Information Security Positions
    - Chief information security officer (CISO)
      o Top information security officer; frequently reports to the chief information officer (CIO)
      o Manages the overall information security program
      o Drafts or approves information security policies
      o Works with the CIO on strategic plans
      o Develops information security budgets
      o Sets priorities for purchase/implementation of information security projects and technology
      o Makes recruiting, hiring and firing decisions or recommendations
      o Acts as spokesperson for the information security team
      o Typical qualifications: accreditation, graduate degree, experience
    - Chief security officer (CSO)
      o CISO's position may be combined with physical security responsibilities
      o Knowledgeable in both IS requirements and the "guards, gates, and guns" approach to security
    - Security manager
      o Accountable for day-to-day operation of the information security program
      o Accomplishes objectives as identified by the CISO; resolves issues identified by technicians
      o Typical qualifications: often have accreditation; ability to draft middle- and lower-level policies, standards, and guidelines; budgeting, project management, and hiring and firing; ability to manage technicians
    - Security technician
      o Technically qualified employees tasked to configure security hardware and software
      o Tend to be specialized
      o Typical qualifications: varied; organizations prefer expert, certified, proficient technicians; some experience with a particular hardware and software package; actual experience in using a technology is usually required
- Understand the centerpiece of the health information system
  o Electronic Health Record
    - Individual patient's medical record in digital format
    - Centerpiece of the health information system
    - Replacing the traditional paper-based process and increasing record keeping and analysis capabilities
    - Reduces medical errors
    - Includes, but is not limited to:
      - Patient demographics
      - Medical history such as medicine and allergy lists
      - Progress reports and provider notes
      - Laboratory test results
      - Procedure and test appointments
      - Radiology images and clinical photographs
      - Prescribed and administered medications

Healthcare Information Regulation
- Understand the difference between government regulation and non-government regulation
  o Government
    - Serves as a 3rd party regulator
    - Principal payor through Medicare and Medicaid
    - Serves in the regulator role as well, but not as heavily as in some other developed countries
  o Local Government
    - Must approve the addition of new facilities or the offering of new services under the "certificate of need"
    - Partners on issues of community health
  o Federal Government
    - Has had a larger impact over the last few years than in previous years
  o Joint Commission
    - Most notable regulator
    - An independent, not-for-profit organization located in the US
    - Accredits healthcare organizations against standards of practice
    - Has recently built an international presence
  o Accreditation Association for Ambulatory Health Care
    - Nongovernment 3rd party in the US
    - Develops standards with regard to patient safety, quality, value, and measurement of performance
  o Clinical Research
    - Institutional Review Board: Regulates and protects patient data that is utilized for patient research
  o Government works through Tort Law and Malpractice
    - Tort law
      - Civil acts that provide patients with a remedy against wrongful acts committed against them
      - Ex. negligence, intentional torts, infliction of mental distress
      - It is within Tort Law that invasion of privacy is covered
    - Malpractice Law
      - Still Tort Law, but based upon negligence or carelessness by a healthcare provider
      - Can be civil or criminal based on the nature of the offense
  o Health Records Management Organization
    - Responsibility for protecting information cannot be outsourced
    - Generally, this org handles management of their health records
- Understand the initial intent of HIPAA
  o Information around HIPAA, including the year of inception
  o Know the definition behind the Privacy Rule
    - Privacy Rule (HIPAA)
      - Applies to:
        - Healthcare providers that transmit health information electronically
        - Health plans
        - Health care clearinghouses (for insurance verifications)
        - Business associates (due to the HITECH amendments)
      - Deals with the use and disclosure of "PHI"
        - Excludes demographic information
        - Info that relates to the past, present or future physical or mental health or condition of an individual
        - Info that identifies an individual, or for which there is a reasonable basis to believe the information can be used to identify the individual
  o Know the definition behind the Security Rule
    - The Security Rule (HIPAA)
      - Requires each covered entity and business associate to:
        - Ensure the confidentiality, integrity and availability of all ePHI that the covered entity creates, receives, maintains or transmits
        - Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
        - Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule
        - Ensure compliance with the Security Rule by its workforce
      - Allows a flexible approach to compliance
        - Entities are permitted to use "any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications" set forth in the Security Rule
- Understand the concepts introduced by HITECH
  o HITECH Act
    - Passed in 2009 as part of the American Recovery and Economic Reinvestment Act, Title XIII
    - Contains amendments to the HIPAA statute
    - Most changes did not take effect until 2010
    - Dramatically increased civil penalties for HIPAA violations; this took effect immediately
- Understand the differences between policies and procedures
  o Procedures
    - Referred to as Standard Operating Procedures (SOPs)
    - Describe how each policy will be put into action
    - Can be written instructions, illustrated flowcharts or checklists covering a routine or repetitive activity
    - Should supplement policies
  o Policies

Information Risk Decision Making and Third Party Management
- NOTE: Remember the in-class discussion about the movie reference as an example of risk management.
- Know the definition of RISK
  o The potential harm caused by a purposeful or accidental event that negatively impacts the confidentiality, integrity, or availability of the information
  o Great examples of risk measurement and management would be:
    - Insurance underwriters
    - ALONG CAME POLLY!!!
- Know the publications of the National Institute of Standards and Technology
  o Publication numbers on which to focus (should know by title and publication number)
    - 800-39 Security Risk: Organization, Mission, and Information System
      - Build a risk management framework around the activities of a risk management program:
        o Framing risk: What is the organization's risk tolerance, and how does it make decisions about risk?
        o Assessing risk: What are the values for the risk equation, and what are the results?
        o Responding to risk: Based on the organization's risk tolerance, what alternatives will be chosen to address risk?
        o Monitoring risk: This is a continuous process. How will the org oversee changes and respond to any impacts of risk mitigation activities?
    - 800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST RMF)
      - A disciplined, organized, and repeatable process for achieving information protection of information systems
      - Purpose is to provide leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions
- Know the purpose of HITRUST and which industry it seeks to standardize
  o Health Information Trust Alliance Common Security Framework
    - Framework that is specific to the US healthcare market
    - Integrates federal and state regulations, standards, and frameworks such as HIPAA, NIST, and ISO to give a broad and adaptable tool for assessing healthcare risk
  o Much variation in the area of risk management compliance in healthcare
    - Due to the lack of a standard risk management framework
    - And the stipulations in HIPAA of "reasonable and appropriate" protection of information
    - Factors include org size, purpose, etc.
- Understand the International Organization for Standardization
  o ISO 27001: Security Management Risk Management Systems
    - ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
    - According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
- Understand Common Criteria
  o Common Criteria
    - Applicable standards and controls that are used to assess the effectiveness of various hardware and software tools
    - Allows users to be more confident in what they currently use
    - International standard that is honored by many countries
    - Output is the evaluation assurance level (EAL): a numerical value that corresponds to the level of security requirements a product has been tested against (EAL 1-7)
- Understand the security policies surrounding antivirus software on healthcare systems
  o Healthcare is slightly different from other organization types in this respect
    - Most companies can load antivirus software
    - Healthcare cannot, due to medical devices such as X-ray machines
    - All software such as this must be signed off by the vendor
- Understand the different configurations for disaster recovery
  o Disaster Recovery and Continuity of Operations
    - Downtime and non-availability of information is critical in healthcare
    - Several DR and continuity of operations platforms:
      - Hot site: highest cost option; complete redundant setup; can be switched over instantaneously
      - Warm site: provides basic infrastructure; mid-range costs (less expensive than a hot site)
      - Cold site: least expensive; power and physical security provided, but equipment must be brought in and configured

Information Security and Privacy Events Management
- Understand the timeline of incident activities
  o There are several distinct phases for handling data incidents:
    - Preparation
    - Detection and Analysis
    - Containment, Eradication, and Recovery
    - Post-Incident Activity
  o Chronological order of the different phases
    - Triage Actions: prioritization of the incident once it has occurred
      - Considerations: functional impact to the organization; informational impact (PHI data loss); recoverability from the incident (contingent operations)
  o Management of each phase for a third party vendor
    - Methodology:
      - Inventory 3rd party vendors that handle PHI; keep the list accurate and up-to-date
      - Identify the risks: perform a risk assessment using one or a combination of RMFs; make sure the 3rd party is compliant with privacy and security regulations
      - Conduct due diligence in selecting a 3rd party: justify choices by evaluating the 3rd party against alternative vendors; be familiar with the financial position of the 3rd party
      - Select connection controls or a trust model for the interconnection
      - Structure the contract and review it as appropriate to the nature of the work performed
      - Assess compliance with contract terms
      - Implement oversight by the healthcare organization's information protection program; the healthcare organization must continuously monitor the 3rd party
- Understand Triage Actions and their purpose
  o Triage Actions: prioritization of the incident once it has occurred
    - Considerations:
      - Functional impact to the organization
      - Informational impact (PHI data loss)
      - Recoverability from the incident (contingent operations)
- Understand NIST publications for events management
  o 800-86: Guide to Integrating Forensic Techniques into Incident Response
    - Collection: Identifying, labeling, recording, and acquiring data from the possible sources of relevant data, following procedures that preserve the integrity of the data
    - Examination: Forensically processing collected data using both automated and manual methods of assessing and extracting data of particular interest, while preserving the integrity of the data
    - Analysis: Analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination
    - Reporting: Reporting the results of the analysis
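The following is an added worked example, not part of the study guide, showing how the four NIST SP 800-39 activities listed above (framing, assessing, responding, monitoring) fit together around the guide's own equation Risk = likelihood x impact. The asset names, the 1-5 scoring scales, the tolerance threshold and the mitigate/transfer heuristic are all constructed for illustration and are not taken from NIST or the course.

```python
"""Added example: a minimal risk register walking the SP 800-39 activities.
All names, scales and thresholds below are constructed, not NIST's."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int               # constructed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # constructed scale: 1 (negligible) .. 5 (severe)
    history: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # The study guide's first risk equation: Risk = likelihood x impact
        return self.likelihood * self.impact


# FRAME: the organisation's risk tolerance (constructed value). A score at or
# above this must be treated; below it may be accepted as-is.
RISK_TOLERANCE = 10

# Constructed register of healthcare-flavoured risks for the example.
REGISTER = [
    Risk("EHR database", "ransomware delivered by phishing", 4, 5),
    Risk("X-ray workstation (vendor forbids AV)", "malware on unpatched OS", 3, 4),
    Risk("Billing clearinghouse link", "interception of claims traffic", 2, 5),
    Risk("Visitor kiosk", "website defacement", 3, 1),
]


def assess(register):
    """ASSESS: score every risk and rank the register highest first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def respond(risk, tolerance=RISK_TOLERANCE):
    """RESPOND: choose a treatment for one risk relative to the tolerance.

    Constructed heuristic: below tolerance -> accept; above tolerance, mitigate
    when likelihood can plausibly be driven down (>= 3), otherwise transfer
    (e.g. cyber insurance) because the impact, not the likelihood, is driving it.
    """
    if risk.score < tolerance:
        return "accept"
    if risk.likelihood >= 3:
        return "mitigate"
    return "transfer"


def monitor(risk, new_likelihood, new_impact, tolerance=RISK_TOLERANCE):
    """MONITOR: re-score a risk after a change and report whether the chosen
    response must change. Returns (changed, new_treatment)."""
    before = respond(risk, tolerance)
    risk.history.append((risk.likelihood, risk.impact, risk.score))
    risk.likelihood, risk.impact = new_likelihood, new_impact
    after = respond(risk, tolerance)
    return before != after, after


def treatment_plan(register=REGISTER, tolerance=RISK_TOLERANCE):
    """Frame -> assess -> respond in one pass: [(asset, score, treatment), ...]."""
    return [(r.asset, r.score, respond(r, tolerance)) for r in assess(register)]


if __name__ == "__main__":
    for asset, score, action in treatment_plan():
        print(f"{score:>2}  {action:<9} {asset}")
```

The point of keeping tolerance as a single framed value is that responding becomes a mechanical consequence of assessment: changing the tolerance, or re-scoring a risk in the monitoring step, changes the treatment without anyone re-deciding each case by hand.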