SNHP 4680 Test 1 Study Guide
This 8 page Study Guide was uploaded by Alexis Collier on Saturday October 15, 2016. The Study Guide belongs to SNHP 4680 at Georgia State University taught by in Fall 2016. Since its upload, it has received 7 views. For similar materials see Security Privacy Healthcare in Nursing and Health Sciences at Georgia State University.
Date Created: 10/15/16
Healthcare Information Security and Privacy Test 1 Study Guide

Definitions:
- Evidence - Result of the forensic phases
- IRB - Regulates and protects patient data that is utilized for patient research
  o Formal, chartered committees that approve, monitor, and review biomedical and behavioral research involving humans
  o Primary purpose is to protect human subjects from physical or psychological harm
  o Guiding principles: respect for people, beneficence, justice
- Joint Commission - Most notable regulator
  o An independent, not-for-profit organization located in the US
  o Accredits healthcare organizations against standards of practice
  o Has recently built an international presence
- Threat - Specific source of information loss or damage relevant to your organization
- Risk - Risk = likelihood x impact; Risk = threat x vulnerability x expected loss; Risk = probability x consequence
- Vulnerability - Weakness that may expose the organization unnecessarily to the threat
- Technical Asset Controls - Hardware and software solutions that provide safeguards across the entire activity and phases of information protection
- Physical Asset Controls - Structural or visible security measures
- Administrative Asset Controls
  o Human factors
  o Policies and procedures that guide personnel and their actions when handling sensitive information
  o Establish levels of access and responsibilities relative to information resources

Healthcare Organization, Technology, and Data

Understand the roles of different pieces of the electronic health record
o Information Security Positions
  Chief information security officer (CISO)
    o Top information security officer; frequently reports to the chief information officer (CIO)
    o Manages the overall information security program
    o Drafts or approves information security policies
    o Works with the CIO on strategic plans
    o Develops information security budgets
    o Sets priorities for purchase/implementation of information security projects and technology
    o Makes recruiting, hiring and firing decisions or recommendations
    o Acts as spokesperson for the information security team
    o Typical qualifications: accreditation, graduate degree, experience
  Chief security officer (CSO)
    o CISO's position may be combined with physical security responsibilities
    o Knowledgeable in both IS requirements and the "guards, gates, and guns" approach to security
  Security manager
    o Accountable for day-to-day operation of the information security program
    o Accomplishes objectives as identified by the CISO; resolves issues identified by technicians
    o Typical qualifications: often have accreditation; ability to draft middle- and lower-level policies, standards, and guidelines; budgeting, project management, and hiring and firing; ability to manage technicians
  Security technician
    o Technically qualified employees tasked to configure security hardware and software
    o Tend to be specialized
    o Typical qualifications: varied; organizations prefer expert, certified, proficient technicians; some experience with a particular hardware and software package; actual experience in using a technology is usually required

Understand the centerpiece of the health information system
o Electronic Health Record
  - Individual patient's medical record in digital format
  - Centerpiece of the health information system
  - Replacing the traditional paper-based process and increasing record keeping and analysis capabilities
  - Reduces medical errors
  - Includes, but is not limited to: patient demographics; medical history such as medicine and allergy lists; progress reports and provider notes; laboratory test results; procedure and test appointments; radiology images and clinical photographs; prescribed and administered medications

Healthcare Information Regulation

Understand the difference between government regulation and non-government regulation
o Government
  - Serves as a 3rd party regulator
  - Principal payor through Medicare and Medicaid
  - Serves in the regulator role as well, but not as heavily as in some other developed countries
o Local Government
  - Must approve the addition of new facilities or the offering of new services under the "certificate of need"
  - Partners on issues of community health
o Federal Government
  - Has had a larger impact over the last few years than in previous years
o Joint Commission
  - Most notable regulator
  - An independent, not-for-profit organization located in the US
  - Accredits healthcare organizations against standards of practice
  - Has recently built an international presence
o Accreditation Association for Ambulatory Health Care
  - Nongovernment 3rd party in the US
  - Develops standards with regard to patient safety, quality, value, and measurement of performance
o Clinical Research Institutional Review Board
  - Regulates and protects patient data that is utilized for patient research
o Government works through Tort Law and Malpractice
  Tort law
    - Civil acts that provide patients with a remedy against wrongful acts committed against them
    - Ex. negligence, intentional torts, infliction of mental distress
    - It is within Tort Law that invasion of privacy is covered
  Malpractice Law
    - Still Tort Law, but based upon negligence or carelessness by a healthcare provider
    - Can be civil or criminal based on the nature of the offense
o Health Records Management Organization
  - Responsibility for protecting information cannot be outsourced
  - Generally, this org handles management of their health records

Understand the initial intent of HIPAA
o Information around HIPAA, including the year of inception
o Know the definition behind the privacy rule
  Privacy Rule (HIPAA)
    - Applies to:
      o Healthcare providers that transmit health information electronically
      o Health plans
      o Health care clearinghouses (for insurance verifications)
      o Business associates (due to the HITECH amendments)
    - Deals with the use and disclosure of "PHI":
      o Excludes demographic information
      o Info that relates to the past, present or future physical or mental health or condition of an individual
      o Info that identifies an individual, or for which there is a reasonable basis to believe the information can be used to identify the individual
o Know the definition behind the security rule
  The Security Rule (HIPAA)
    o Requires each covered entity and business associate to:
      - Ensure the confidentiality, integrity and availability of all ePHI that the covered entity creates, receives, maintains or transmits
      - Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
      - Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule
      - Ensure compliance with the Security Rule by its workforce
    o Allows a flexible approach to compliance
      - Entities are permitted to use "any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications" set forth in the Security Rule

Understand the concepts introduced by HITECH
o HITECH Act
  - Passed in 2009 as part of the American Recovery and Economic Reinvestment Act, Title XIII
  - Contains amendments to the HIPAA statute
  - Most changes did not take effect until 2010
  - Dramatically increased civil penalties for HIPAA violations; this took effect immediately

Understand the differences between policies and procedures
o Procedures
  - Referred to as Standard Operating Procedures (SOPs)
  - Describe how each policy will be put into action
  - Can be written instructions, illustrated flowcharts or checklists covering a routine or repetitive activity
  - Should supplement policies
o Policies

Information Risk Decision Making and Third Party Management

NOTE: Remember the in-class discussion about the movie reference as an example of risk management.

Know the definition of RISK.
o The potential harm caused by a purposeful or accidental event that negatively impacts the confidentiality, integrity, or availability of the information
o Great examples of risk measurement and management would be:
  - Insurance underwriters
  - ALONG CAME POLLY!!!

Know the Publications of the National Institute of Standards and Technology
o Publication numbers on which to focus (should know by title and publication number)
  800-39: Security Risk: Organization, Mission, and Information System
    - Builds a risk management framework around the activities of a risk management program:
      o Framing risk: what is the organization's risk tolerance, and how does it make decisions about risk?
      o Assessing risk: what are the values for the risk equation, and what are the results?
      o Responding to risk: based on the organization's risk tolerance, what alternatives will be chosen to address risk?
      o Monitoring risk: this is a continuous process; how will the org oversee changes and respond to any impacts of risk mitigation activities?
  800-37, Revision 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (NIST RMF)
    - A disciplined, organized, and repeatable process for achieving information protection of information systems
    - Purpose is to provide leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions

Know the purpose of HITRUST and which industry it seeks to standardize
o Health Information Trust Alliance Common Security Framework
  - Framework that is specific to the US healthcare market
  - Integrates federal and state regulations, standards, and frameworks such as HIPAA, NIST, and ISO to give a broad and adaptable tool for assessing healthcare risk
o Much variation in the area of risk management compliance in healthcare
  - Due to the lack of a standard risk management framework
  - And the stipulations in HIPAA of "reasonable and appropriate" protection of information
  - Factors include org size, purpose, etc.
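The 800-39 activities and the Risk = likelihood x impact equation above can be worked through on a small risk register. The following Python is an added example written for this guide, not code from the course or from NIST; the 1-5 scoring scale, the tolerance thresholds, and every threat, vulnerability and control in it are constructed assumptions chosen to show how framing (tolerance), assessing (the equation), responding (pick an alternative) and monitoring (re-score after a control) fit together.

```python
"""Framing, assessing, responding to and monitoring risk (NIST SP 800-39 activities)
using Risk = likelihood x impact. All scales, thresholds and register entries below
are constructed sample data for illustration, not values from any real organization."""
from dataclasses import dataclass, field

# Framing: the organization's risk tolerance, expressed as score thresholds.
# Assumption: likelihood and impact are each rated 1-5, so scores range 1..25.
TOLERANCE = {"accept": 6, "mitigate": 15}   # <=6 accept, 7..15 mitigate, >15 avoid/transfer


@dataclass
class RiskItem:
    threat: str            # specific source of loss or damage
    vulnerability: str     # weakness that exposes the org to that threat
    asset: str             # what is at stake (e.g. a system holding PHI)
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe, e.g. large PHI loss)
    controls: list = field(default_factory=list)

    def score(self) -> int:
        """Assessing: evaluate the guide's equation for this item."""
        return self.likelihood * self.impact


def assess(register):
    """Assessing: score every item and rank them, highest risk first."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def respond(item, tolerance=TOLERANCE):
    """Responding: choose an alternative based on the framed tolerance."""
    s = item.score()
    if s <= tolerance["accept"]:
        return "accept"
    if s <= tolerance["mitigate"]:
        return "mitigate"
    return "avoid/transfer"


def apply_control(item, name, likelihood_reduction=0, impact_reduction=0):
    """Monitoring: record a mitigation and re-score so its effect is visible.
    Ratings never drop below 1 because a control reduces, not removes, exposure."""
    item.controls.append(name)
    item.likelihood = max(1, item.likelihood - likelihood_reduction)
    item.impact = max(1, item.impact - impact_reduction)
    return item.score()


def build_sample_register():
    """Constructed register entries (hypothetical threats and weaknesses)."""
    return [
        RiskItem("phishing", "no MFA on email", "EHR portal", likelihood=4, impact=4),
        RiskItem("lost laptop", "unencrypted disk", "laptops holding PHI", likelihood=3, impact=5),
        RiskItem("power outage", "single power feed", "data center", likelihood=2, impact=3),
    ]


def risk_report(register, tolerance=TOLERANCE):
    """(threat, score, chosen response) for each item, ranked by score."""
    return [(r.threat, r.score(), respond(r, tolerance)) for r in assess(register)]


if __name__ == "__main__":
    register = build_sample_register()
    for row in risk_report(register):
        print(row)
    # Monitoring: full-disk encryption lowers the impact of a lost laptop,
    # so the same item now falls inside the accept threshold.
    laptop = register[1]
    apply_control(laptop, "full-disk encryption", impact_reduction=3)
    print(laptop.threat, laptop.score(), respond(laptop), laptop.controls)
```

The point of the re-score step is that monitoring is not a one-off: the response chosen for an item depends on its current likelihood and impact, and both change as controls are added or the environment shifts.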
Understand the International Organization for Standardization
o ISO 27001: Security Management Risk Management Systems
  - ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS).
  - An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization's information risk management processes.
  - According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

Understand Common Criteria
o Common Criteria
  - Applicable standards and controls that are used to assess the effectiveness of various hardware and software tools
  - Allows users to be more confident in what they currently use
  - International standard that is honored by many countries
  - Output is the evaluation assurance level (EAL): a numerical value that corresponds to the level of security requirements a product has been tested against (EAL 1-7)

Understand the security policies surrounding antivirus software on healthcare systems
o Healthcare is slightly different from other organization types in this respect
  - Most companies can load antivirus software
  - Healthcare cannot, due to medical devices such as X-ray machines
  - All software such as this must be signed off by the vendor

Understand the different configurations for disaster recovery
o Disaster Recovery and Continuity of Operations
  - Downtime and non-availability of information is critical in healthcare
  - Several DR and Continuity of Operations platforms:
    Hot site
      o Highest cost option
      o Complete redundant setup
      o Can be switched over instantaneously
    Warm site
      o Provides basic infrastructure
      o Mid-range costs (less expensive than a hot site)
    Cold site
      o Least expensive
      o Power and physical security provided, but equipment must be brought in and configured

Information Security and Privacy Events Management

Understand the Timeline of Incident Activities
o There are several distinct phases for handling data incidents, in chronological order:
  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity
o Management of each phase for a third party vendor
  Methodology
    - Inventory 3rd party vendors that handle PHI
      o Keep the list accurate and up-to-date
      o Identify the risks
    - Perform a risk assessment using one or a combination of RMFs
    - Make sure the 3rd party is compliant with privacy and security regulations
    - Conduct due diligence in selecting a 3rd party
    - Justify choices by evaluating the 3rd party against alternative vendors
    - Be familiar with the financial position of the 3rd party
    - Select connection controls or a trust model for the interconnection
    - Structure the contract and review it as appropriate to the nature of the work performed
    - Assess compliance with contract terms
    - Implement oversight by the healthcare organization's information protection program
    - The healthcare organization must continuously monitor the 3rd party

Understand Triage Actions and their purpose
o Triage Actions
  - Prioritization of the incident once it has occurred
  - Considerations:
    o Functional impact to the organization
    o Informational impact (PHI data loss)
    o Recoverability from the incident (contingent operations)

Understand NIST Publications for Events Management
o 800-86: Guide to Integrating Forensic Techniques into Incident Response
  - Collection: identifying, labeling, recording, and acquiring data from the possible sources of relevant data, following procedures that preserve the integrity of the data
  - Examination: forensically processing collected data using both automated and manual methods of assessing and extracting data of particular interest, while preserving the integrity of the data
  - Analysis: analyzing the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination
  - Reporting: reporting the results of the analysis
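The four 800-86 phases, and in particular the "preserving the integrity of the data" requirement that appears in both Collection and Examination, are easier to remember when seen as code. The Python below is an added example written for this guide, not code from NIST or the course; the audit-log format, the user names and record numbers, and the question being investigated are all constructed. Integrity is preserved by hashing the data at collection and refusing to examine anything whose hash no longer matches, with a chain-of-custody list recording who handled the item.

```python
"""NIST SP 800-86 phases (Collection, Examination, Analysis, Reporting) applied to a
constructed EHR access log. Log lines, users and record IDs are made up for this
example; the investigative question is 'who touched record MRN-1001, and was it
exported?'."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed sample evidence: an audit log as it might be acquired from an EHR.
SAMPLE_AUDIT_LOG = b"""2016-10-01T08:02:11Z user=jdoe action=VIEW record=MRN-1001 result=OK
2016-10-01T08:05:40Z user=jdoe action=EXPORT record=MRN-1001 result=OK
2016-10-01T09:17:03Z user=asmith action=VIEW record=MRN-2002 result=OK
2016-10-01T23:41:59Z user=jdoe action=VIEW record=MRN-3003 result=DENIED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) result=(?P<result>\S+)$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _stamp(who: str, what: str) -> str:
    return f"{datetime.now(timezone.utc).isoformat()} {what} by {who}"


def collect(source_name: str, data: bytes, collector: str) -> dict:
    """Collection: label the item, record its origin, acquire the bytes, and hash
    them so any later change is detectable. The custody list starts here."""
    digest = sha256_hex(data)
    return {
        "label": f"{source_name}#{digest[:12]}",   # hypothetical labeling scheme
        "source": source_name,
        "data": data,
        "sha256": digest,
        "custody": [_stamp(collector, "acquired")],
    }


def examine(item: dict, examiner: str) -> list:
    """Examination: verify integrity before processing, then extract the events
    of interest (well-formed log lines) without modifying the collected bytes."""
    if sha256_hex(item["data"]) != item["sha256"]:
        raise ValueError(f"integrity check failed for {item['label']}")
    item["custody"].append(_stamp(examiner, "examined"))
    events = []
    for line in item["data"].decode("utf-8").splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(events: list, record_of_interest: str) -> dict:
    """Analysis: answer the question that motivated the collection."""
    touched = [e for e in events if e["record"] == record_of_interest]
    return {
        "record": record_of_interest,
        "users": sorted({e["user"] for e in touched}),
        "exports": [e for e in touched if e["action"] == "EXPORT"],
        "denied": [e for e in events if e["result"] == "DENIED"],
    }


def report(item: dict, findings: dict) -> list:
    """Reporting: a plain summary that cites the evidence label and hash, so a
    reader can re-verify the item the conclusions rest on."""
    lines = [
        f"Forensic report for {findings['record']}",
        f"Evidence: {item['label']} (SHA-256 {item['sha256']})",
        f"Users who accessed the record: {', '.join(findings['users']) or 'none'}",
        f"Export events: {len(findings['exports'])}",
        f"Denied access attempts in log: {len(findings['denied'])}",
        "Chain of custody:",
    ] + [f"  {entry}" for entry in item["custody"]]
    return lines


if __name__ == "__main__":
    item = collect("ehr_audit.log", SAMPLE_AUDIT_LOG, collector="analyst1")
    events = examine(item, examiner="analyst2")
    findings = analyze(events, "MRN-1001")
    print("\n".join(report(item, findings)))
```

A tampered copy of the same item (one extra byte appended) makes `examine` raise rather than silently produce results, which is the behaviour the Examination phase's integrity clause asks for.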