HealthCare Information Security and Privacy Practitioners (HCISPP℠) are the frontline defense for protecting patient information. These are the practitioners whose foundational knowledge and experience unite healthcare information security and privacy best practices and techniques under one credential to protect organizations and sensitive patient data against emerging threats and breaches.
The Official (ISC)²® Guide to the HCISPP℠ CBK® is a comprehensive resource that provides an in-depth look at the six domains of the HCISPP Common Body of Knowledge (CBK). This guide covers the diversity of the healthcare industry, the types of technologies and information flows that require various levels of protection, and the exchange of healthcare information within the industry, including relevant regulatory, compliance, and legal requirements.
Numerous illustrations and tables are included that clarify key concepts, frameworks, and real-life scenarios. Endorsed by (ISC)² and compiled and reviewed by HCISPPs and (ISC)² members, this book brings together a global and thorough perspective on healthcare information security and privacy. Use this book as your fundamental study tool in preparation for the HCISPP certification exam.
Table of Contents
Domain 1–Healthcare Industry
The Healthcare Industry
Understand the Healthcare Environment
Understand External Third Parties
Foundational Health Data Management Processes
Domain 1 – Review Questions
Domain 2–Regulatory Environment
Identify Applicable Regulations
Understand International Regulations and Controls
Compare Internal Practices against New Policies and Procedures
Understand Compliance Frameworks
Understand Response for Risk-Based Decision
Understand and Comply with Code of Ethics/Conduct in a Health Information Environment
Domain 2 – Review Questions
Domain 3–Privacy and Security in Health Care
Understand Security Objectives/Attributes
Understand General Security Definitions and Concepts
General Privacy Principles
The Relationship between Privacy and Security
The Nature of Sensitive Data and Handling Implications
Security and Privacy Terminology Specific to Healthcare
Domain 3 – Review Questions
Domain 4–Information Governance and Risk Management
Understand Security and Privacy Governance
Basic Risk Management Methodology
Understand Information Risk Management Lifecycles
Participate in Risk Management Activities
Domain 4 – Review Questions
Domain 5–Information Risk Assessment
Information Lifecycle and Continuous Monitoring
Tools, Resources, and Techniques
Role of Internal and External Audit/Assessment
Control Assessment Procedures from within Organizational Risk Frameworks
Risk Assessment Consistent with Roles within an Organization
Participate in Efforts to Remediate Gaps
Domain 5 – Review Questions
Domain 6–Third-Party Risk Management
What is a Third Party in Healthcare?
Maintain a List of Third-Party Organizations
Third-Party Management Standards and Practices
Determine When Third-Party Assessment is Required
Third-Party Assessments and Audits
Notifications of Security/Privacy Events
Support Establishment of Third-Party Connectivity
Third-Party Program Requirements (Internal and External)
Third Party Requests regarding Privacy/Security Events
Domain 6 – Review Questions
Appendix A – Answers to Domain Review Questions
Steven Hernandez MBA, HCISPP, CISSP, CSSLP, SSCP, CAP, CISA, is a Chief Information Security Officer practicing in the U.S. Federal Government in Washington DC. Hernandez has over seventeen years of information assurance experience in a variety of fields including international healthcare, international heavy manufacturing, large finance organizations, educational institutions, and government agencies. Steven is an Honorary Professor at California State University San Bernardino and affiliate faculty at the National Information Assurance Training and Education Center located at Idaho State University. Through his academic outreach, he has lectured over the past decade on numerous information assurance topics including risk management, information security investment, and the implications of privacy decisions to graduate and postgraduate audiences.
In addition to his credentials from (ISC)2, Hernandez also holds six U.S. Committee for National Security Systems certifications ranging from systems security to organizational risk management. Steven also volunteers service to (ISC)2’s Government Advisory Board and Executive Writers Bureau. Steven enjoys relaxing and traveling with his wife, whose patience and support have been indispensable in his numerous information assurance pursuits.
As the rapidly evolving healthcare industry faces challenges to keep personal health information protected—including growing volumes of electronic health records, new government regulations, and a complex IT security landscape—there is an increasing need to ensure knowledgeable security and privacy practitioners are in place to protect this sensitive information. ... This Official (ISC)²® Guide to the HCISPP℠ CBK® textbook covers the diversity of the healthcare industry, the types of technologies and information flows that require various levels of protection, and the exchange of healthcare information within the industry, including relevant regulatory, compliance, and legal requirements.
—W. Hord Tipton, Executive Director, (ISC)2