1st Edition

Official (ISC)2 Guide to the HCISPP CBK

Edited By Steven Hernandez Copyright 2015
    392 Pages 74 B/W Illustrations
    by Auerbach Publications

    HealthCare Information Security and Privacy Practitioners (HCISPP) are the frontline defense for protecting patient information. These are the practitioners whose foundational knowledge and experience unite healthcare information security and privacy best practices and techniques under one credential, to protect organizations and sensitive patient data against emerging threats and breaches.

    The Official (ISC)² Guide to the HCISPP CBK® is a comprehensive resource that provides an in-depth look at the six domains of the HCISPP Common Body of Knowledge (CBK). This guide covers the diversity of the healthcare industry, the types of technologies and information flows that require various levels of protection, and the exchange of healthcare information within the industry, including relevant regulatory, compliance, and legal requirements.

    Numerous illustrations and tables are included that depict key concepts, frameworks, and real-life scenarios. Endorsed by (ISC)² and compiled and reviewed by HCISPPs and (ISC)² members, this book brings together a global and thorough perspective on healthcare information security and privacy. Use this book as your fundamental study tool in preparation for the HCISPP certification exam.

    Domain 1–Healthcare Industry
    The Healthcare Industry
    Understand the Healthcare Environment
    Understand External Third Parties
    Foundational Health Data Management Processes
    Domain 1 – Review Questions

    Domain 2–Regulatory Environment
    Identify Applicable Regulations
    Understand International Regulations and Controls
    Compare Internal Practices against New Policies and Procedures
    Understand Compliance Frameworks
    Understand Response for Risk-Based Decision
    Understand and Comply with Code of Ethics/Conduct in a Health Information Environment
    Domain 2 – Review Questions

    Domain 3–Privacy and Security in Health Care
    Understand Security Objectives/Attributes
    Understand General Security Definitions and Concepts
    Case Study
    Case Study
    General Privacy Principles
    The Relationship between Privacy and Security
    The Nature of Sensitive Data and Handling Implications
    Case Study
    Case Study
    Security and Privacy Terminology Specific to Healthcare
    Domain 3 – Review Questions

    Domain 4–Information Governance and Risk Management
    Understand Security and Privacy Governance
    Information Governance
    Governance Structures
    Basic Risk Management Methodology
    Understand Information Risk Management Lifecycles
    Participate in Risk Management Activities
    Domain 4 – Review Questions

    Domain 5–Information Risk Assessment
    Information Lifecycle and Continuous Monitoring
    Tools, Resources, and Techniques
    Role of Internal and External Audit/Assessment
    Control Assessment Procedures from within Organizational Risk Frameworks
    Risk Assessment Consistent with Roles within an Organization
    Participate in Efforts to Remediate Gaps
    Domain 5 – Review Questions

    Domain 6–Third-Party Risk Management
    What is a Third Party in Healthcare?
    Case Study
    Maintain a List of Third-Party Organizations
    Third-Party Management Standards and Practices
    Determine When Third-Party Assessment is Required
    Third-Party Assessments and Audits
    Notifications of Security/Privacy Events
    Support Establishment of Third-Party Connectivity
    Case Study
    Case Study
    Case Study
    Case Study
    Case Study
    Third-Party Program Requirements (Internal and External)
    Remediation Efforts
    Third-Party Requests regarding Privacy/Security Events
    Domain 6 – Review Questions

    Appendix A – Answers to Domain Review Questions


    Steven Hernandez MBA, HCISPP, CISSP, CSSLP, SSCP, CAP, CISA, is a Chief Information Security Officer practicing in the U.S. Federal Government in Washington DC. Hernandez has over seventeen years of information assurance experience in a variety of fields including international healthcare, international heavy manufacturing, large finance organizations, educational institutions, and government agencies. Steven is an Honorary Professor at California State University San Bernardino and affiliate faculty at the National Information Assurance Training and Education Center located at Idaho State University. Through his academic outreach, he has lectured over the past decade on numerous information assurance topics including risk management, information security investment, and the implications of privacy decisions to graduate and postgraduate audiences.

    In addition to his credentials from (ISC)2, Hernandez also holds six U.S. Committee for National Security Systems certifications ranging from systems security to organizational risk management. Steven also volunteers service to (ISC)2’s Government Advisory Board and Executive Writers Bureau. Steven enjoys relaxing and traveling with his wife, whose patience and support have been indispensable in his numerous information assurance pursuits.

    As the rapidly evolving healthcare industry faces challenges to keep personal health information protected—including growing volumes of electronic health records, new government regulations, and a complex IT security landscape—there is an increasing need to ensure knowledgeable security and privacy practitioners are in place to protect this sensitive information. ... This Official (ISC)² Guide to the HCISPP CBK® textbook covers the diversity of the healthcare industry, the types of technologies and information flows that require various levels of protection, and the exchange of healthcare information within the industry, including relevant regulatory, compliance, and legal requirements.
    —W. Hord Tipton, Executive Director, (ISC)2