References to figures are in italics.
A
ACA, 19–20
mergers and acquisitions of healthcare organizations, 38
premium growth after, 20
access, 295
access and authorization, 143
attribute-based access control (ABAC), 267
context-based access control (CBAC), 267
data encryption, 268–269
discretionary access control (DAC), 50, 266
mandatory access control (MAC), 50, 266
role-based access control (RBAC), 50, 266–267
rule-based access control (RuBAC), 50, 267
access limitation, 288–289
Accountable Care Organizations (ACOs), 25, 30
accounting of disclosures, 211, 295
accreditation, 59
Accreditation Association for Ambulatory Health Care, 60
Accreditation Canada, 60
Act on Promotion of Information and Communications Network Utilization and Data Protection, 106
active scanning, 321
actors, 194
administration, 12–13
administrative controls, 363
administrative safeguards, 223
Advanced Alternative Payment Models (Advanced APMs), 147–148
Affordable Care Act, 19–20
mergers and acquisitions of healthcare organizations, 38
premium growth after, 20
Ambulatory Patient Group (APG), 27
Ambulatory Payment Classification (APC), 27
ambulatory status. See outpatient status
American Health Information Management Association (AHIMA), Retention and Destruction of Health Information brief, 47, 48
American Institute of Certified Public Accountants (AICPA), 100
American Medical Association (AMA), coding, 27–28
American Recovery and Reinvestment Act of 2009 (ARRA), 142, 151
annualized loss expectancy (ALE), 340
annualized rate of occurrence (ARO), 340
anonymization, 304
Anti-Kickback Enforcement Act, 227
architecture, data, 65
Arden Syntax, 77
ASC X12N claim protocol, 32–33
Asia-Pacific Economic Cooperation Cross-Border Privacy Rules, 235
asset valuation, 322–324
Association for Computing Machinery’s (ACM) Committee on Professional Ethics, 119–120
assumption of breach, 329–330
asymmetric cryptography, 269
attribute-based access control (ABAC), 267
audit committee (board of directors), 102
Australia, 1988 Privacy Act, 202
authentication, 264
authentication, authorization, and accounting (AAA), 50–52
authorization, 264
B
backups
storage approaches, 278
storage locations, 279
Bayer, 139
beds, 3
benchmarks, 356
big data, 73–75
biomedical technicians, 11
biomedical telemetry, 156
Blue Cross and Blue Shield plans (BCBS), 17
boards of directors, 92–93, 353
audit committee, 102
bots, 161
breaches, 297–298
breach recognition, 400–401
international breach notification, 404–405
organizational breach notification rules, 403–405
organizational information dissemination policies and standards, 405–406
“break glass” procedures, 265
bring your own device. See BYOD
business associate agreements (BAAs), 54–55, 385, 388
business continuity, 276–277
business partners, 54–56
business process improvement (BPI), 35
business process reengineering (BPR), 34–36
business resiliency professionals, 354
business value, 322
C
Caldicott Guardian Program (United Kingdom), 232–233
California Consumer Privacy Act (CCPA), 107, 190, 282
Cambridge Analytica, 169
Canada
breach notification, 404
healthcare in, 21–22
notice of privacy practices, 114
notification of breaches, 299
Canadian Institute of Chartered Accountants (CICA), 100
Capital One, 138
capitation, 30
case mix, 24
Center for Internet Security (CIS), Critical Security Controls, 350, 393
Centers for Disease Control and Prevention (CDC), 37
guideline ICD-10 for coding patient encounters, 257
Centers for Medicare and Medicaid Services (CMS), 37
coding, 28
determining case mix, 24
HIPAA Eligibility Transaction System Health Care Eligibility Benefit Inquiry and Response (270/271) 5010 Companion Guide, 73
risk management, 338–339
certificate management, 263
certified nurse midwives (CNMs), 6
certified registered nurse anesthetists (CRNAs), 6
certified registered nurses, 6
chain of custody, 64
principles, 407
chain of trust agreements, 63–64
change management, 280
Cheney, Dick, 137
chief data officers, 107
chief information officers (CIOs), 96, 353
chief information security officers (CISOs), 93, 98, 104–105, 353
chief privacy officers (CPOs), 105–107
China, People’s Republic of, breach notification, 404–405
choice, 283–285
CIS controls, 365
CIS controls implementation groups, 365
claims processing, and third-party payers, 29
Clarifying Lawful Overseas Use of Data (CLOUD) Act, 386
classification systems and standards. See coding and classification systems and standards
Clinical Document Architecture (CDA), 77
clinical engineers, 11
clinical research, 41
de-identification of patient information, 43–46
Good Clinical Research Practice (GCP), 41–43
cloud computing
formats, 383
and HIT, 162–164
laws and regulations, 195–196
models, 382
third-party risk, 381–384
threats to, 138–139
cloud service providers, and HIPAA, 142
CMS. See Centers for Medicare and Medicaid Services (CMS)
codes of conduct, 118–121
coding and classification systems and standards, 23–24
Ambulatory Patient Group (APG), 27
Ambulatory Payment Classification (APC), 27
case mix, 24
Current Procedural Terminology (CPT), 27–28
Diagnosis-Related Group (DRG), 24–25
Healthcare Common Procedure Coding System (HCPCS), 28
International Classification of Diseases (ICD), 25
Logical Observation Identifiers Names and Codes (LOINC), 27
Metathesaurus, 26
National Drug Code (NDC), 28
Resource Utilization Groups (RUG), 27
structured/unstructured data, 24
Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT), 26
cold sites, 279
commercial health insurers, 17
Common Criteria (CC), 240–241
Common Criteria Recognition Arrangement (CCRA), 241
Common Vulnerability Scoring System (CVSS), 340–341
compensating controls, 327–329
compliance, 178–179
compliance frameworks, 231
privacy frameworks, 231–236
security frameworks, 237–243
computer ethics, 119–120
Computer Professionals for Social Responsibility (CPSR), 120
confidentiality agreements, 114–115
confidentiality/integrity/availability. See CIA triad
configuration control boards (CCBs), 96
configuration management plans, 117–118, 280
connection agreements, 176–179
Consensus Assessments Initiative Questionnaire (CAIQ), 394
consent, 283
Consolidated CDA (C-CDA), 77
context-based access control (CBAC), 267
continuity of operations plan (COOP), 276–277
continuous monitoring, 343–344, 364–366
contract research organizations (CROs), 42–43, 212
contracts, 64, 178–179, 358–359
controls, 318
cookies, 203
corruption testing, 257
cost value, 322
Current Procedural Terminology (CPT), 27–28
Cyber Supply Chain Risk Management (C-SCRM), 387
cybersecurity
credentialing and certification, 13
patient care and safety, 39–40
Cybersecurity Act of 2015 (CSA), 237
Cybersecurity Framework (NIST CSF), 239–240
Cybersecurity Information Sharing Act (CISA), 39
cybersecurity insurance, 358–359
D
data analytics, 73–75
data at rest, 153
data augmentation, 65
data breach regulations, 196–201
data classification, 71–72
data controllers, 108, 208–209, 210
data disposition, third-party risk, 384
data encryption, 268–269
data governance committee, 101–102
data incident response teams, 97–98
data integration, 65
data interoperability and exchange, 75–77
data lifecycle management (DLM), 70, 166–172
data loss prevention and response, 179
data loss prevention (DLP) technologies, 365
data management, 64–66
disposal of data, 69–70
See also healthcare records management
data mining and analysis, 153
data profiling, 65
Data Protection Directive, 107, 194, 218–219, 256, 378
choice, 284
data protection officers (DPOs), 105
data quality, 65
Data Security and Protection Toolkit, 347
data sets, limited, 211
data sharing, 152
data sharing agreements, 63
data shredding, 69
data stewards, 107–108, 208, 354
data subjects, 206–207
data taxonomy, 72–73
data transfers
international regulations for data transfer to third parties, 386
unauthorized disclosure of data transferred to third parties, 387
data use agreements (DUAs), 46
data wiping, 301
defense-in-depth, 329
“De-Identification Handbook,” 45
de-identification of patient information, 43–46, 211, 305–306
Department of Defense Military Health Systems (MHS), 19
Department of Education, Office for Civil Rights (OCR), 166
Department of Health and Human Services (HHS), 37
business associate agreements (BAAs), 388
dependency, 300
deprovisioning software, 263
designated record sets (DRS), 150
See also electronic health records (EHRs)
destruction of patient health information, 49–50
disposal of data, 69–70
Diagnosis-Related Group (DRG), 24–25
differential backups, 278
Digital Imaging and Communications in Medicine (DICOM), 78–79
disaster recovery, 277
disclosure limitation, 287
unauthorized disclosure of data transferred to third parties, 387
discretionary access control (DAC), 50, 266
disposal of data, 69–70
destruction of patient health information, 49–50
Doctor-Nurse Game, 14
doctors, 4
See also providers
E
economic value, 322
EDI X12 code lists, 73–74
education records of minors, 307
EHR System Functional Model, 77
e-iatrogenesis, 139–141
Electronic Data Interchange (EDI) X12, 32, 73–74
electronic health records (EHRs), 26, 50, 378
access management concerns, 151–152
choice, 284
data management concerns, 152–153
electronic prescribing, 150
Health Level 7 (HL7), 77
and HIPAA, 143
and HIT, 148–151
and information flow, 67–68
meaningful use, 76–77
in multitenant cloud environments, 164
security issues, 154
See also designated record sets (DRS); healthcare records management; legal medical records
electronic remittance advice (ERA), 31
Emergency Care Research Institute (ECRI), 136
emergency medical technicians (EMTs), 12
employee training, and HIPAA, 142
employer-based insurance, 16–17
encryption services, and HIPAA, 142
end user license agreements (EULAs), 114–115
end users, 109
environmental services, 13
e-prescribing, 150
Equifax, 93
EHR/PHR System Functional Models, 77
ethical review boards. See institutional review boards (IRBs)
ethics
(ISC)2 Code of Ethics, 122–124
European Union
data authorities, 402
European approach to privacy, 282–283
EU-US Privacy Shield, 216–217
EU-US Safe Harbor, 214–216
healthcare in, 22
notice of privacy practices, 114
notification of breaches, 298
ownership of healthcare information, 302
privacy laws, 106
regulators, 60
sensitive data, 306
See also Data Protection Directive; General Data Protection Regulation (GDPR)
European Union (EU) Data Protection Act (DPA), 22
EU-US Privacy Shield, 216–217
EU-US Safe Harbor, 214–216
evaluation assurance level (EAL), 241
events, 297–298
executive management, 353
Executive Order (EO) 13636, 193
Executive Order (EO) 13800, 193
explanation of benefits (EOB), 31
exposure, 324
exposure factor (EF), 340
F
Facebook, 169
Factor Analysis of Information Risk (FAIR), 241–242
Fair and Accurate Credit Transactions Act (FACTA), 164
Fair Credit Reporting Act (FCRA), 227
Fair Information Practice Principles (FIPPs), 234–235
Family Educational Rights and Privacy Act (FERPA), 307
Fast Healthcare Interoperability Resources (FHIR), 77
Federal Food, Drug, and Cosmetic Act (FD&C Act), 28
Federal Trade Commission (FTC), 106
financial identity theft, 199–200
financial impact, 198–199
See also data breach regulations
Food and Drug Administration (FDA), 28, 37
cybersecurity safety communications, 158–159
and medical devices, 156–159
full backups, 278
fully insured health plans, 16–17
G
gap analysis, 356–357
See also risk assessments
General Data Protection Regulation (GDPR), 22, 38, 106, 219–220
and data lifecycle management, 168, 169, 170
data protection officers (DPOs), 105
and HIT, 143–144
notification, 400–401
ownership of healthcare information, 302
patient’s right to access their own health records, 47
Right to Erasure, 220
Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-14), 111
Generally Accepted Privacy Principles (GAPP), 100–101, 236, 375–376
See also privacy; privacy governance
genetic information, 308
Germany, ownership of healthcare information, 303
Good Clinical Research Practice (GCP), 41–43
governance, data, 65
government-sponsored care, 18–19
Gramm-Leach-Bliley Act (GLBA), 105
H
Health and Human Services (HHS), 115
Health Care Industry Cybersecurity (HCIC) Task Force, 39–40
Health Industry Cybersecurity Practices (HICP), 237
“Health Informatics - Pseudonymization,” 44
health information exchanges (HIE), 165–166, 403
Healthcare Information and Management Systems Society (HIMSS), risk assessment toolkit, 346
Health Information Trust Alliance (HITRUST), 395
Common Security Framework (CSF), 242–243
health information use, 385–386
health insurance, 15
Health Insurance Portability and Accountability Act (HIPAA). See HIPAA
health maintenance organizations (HMOs), 17, 18
healthcare clearinghouses, 14
Healthcare Common Procedure Coding System (HCPCS), 28
Healthcare Information and Management Systems Society (HIMSS), 147
Health Information Sharing and Analysis Center (H-ISAC), 62
healthcare information technology (HIT), 133–134
and cloud computing, 162–164
data lifecycle management (DLM), 166–172
e-iatrogenesis, 139–141
fostering privacy and security with, 134–135
and health information exchange (HIE), 165–166
increased exposure affecting the threat landscape, 135–141
Internet of Medical Things (IoMT), 137, 154–155
interoperability, 144–148
medical devices, 155–162
and mobile device management, 164–165
oversight and regulatory challenges, 141–144
third-party connectivity, 172–179
See also electronic health records (EHRs); threats
Healthcare Provider Taxonomy Code Set, 73
healthcare records management, 46–47
access control, 50
authentication, authorization, and accounting (AAA), 50–52
destruction of patient health information, 49–50
disposal of data, 69–70
least privilege, 52
record retention, 47–49
separation of duties, 52
See also data management; electronic health records (EHRs); legal medical records
healthcare spending by government and private sources, 20, 21
hierarchical storage management (HSM), 70
high-deductible health plan with savings option (HDHP/SO), 18
HIPAA
and the California Consumer Privacy Act (CCPA), 190
and cloud computing, 195
data breach regulations, 196–201
and HIT, 141–143
HITECH, 76, 105, 142, 194, 220, 225–226
notice of privacy practices, 114
Omnibus Rule, 56, 142, 206, 226, 390
ownership of healthcare information, 302
patient’s right to access their own health records, 47
Privacy Rule, 40–41, 43–46, 141, 220–222, 284, 378
summary of amendments, 221
HIPAA Eligibility Transaction System (HETS), Health Care Eligibility Benefit Inquiry and Response (270/271) 5010 Companion Guide, 73
HIPAA Transaction and Code Sets (TCS), 32
HIT. See healthcare information technology (HIT)
HITECH Act, 76, 105, 142, 194, 220, 225–226
HIV/AIDS, 307
HL7, 77
Hong Kong, privacy laws, 106
hot sites, 279
housekeeping services, 13
human subject protection (HSP), 41
See also Good Clinical Research Practice (GCP)
The Human Use of Human Beings (Wiener), 119
I
identifiability, 239
identifiable information. See personally identifiable information (PII)
identification, 264
identity and access management (IAM), 262–264
identity theft, 199–200
See also data breach regulations
incident reporting policy, 115–116
incident response, 280–281
incidents, 297–298
incremental backups, 278
indemnity insurance, 16
independent ethics committees. See institutional review boards (IRBs)
India, privacy laws, 106
Indian Health Service (IHS), 19
individual mandate, 20
See also Patient Protection and Affordable Care Act (PPACA)
individual participation, 296
information accountability, 194–195
information flow, 66–70
information gathering, 355–356
information governance
overview, 89–90
privacy governance, 98–103
roles and responsibilities, 103–109
security governance, 91–98
information lifecycle management (ILM), 68–70
and continuous monitoring, 343–344
data analytics, 73–75
data classification, 71–72
data interoperability and exchange, 75–77
data lifecycle management (DLM), 70
information management councils (IMCs), 96–97
information owners, 354
information protection programs, 112–113
information security, policies and procedures, 109–117
information security continuous monitoring (ISCM), 272
information security management systems (ISMSs), 94–95
information security officers (ISOs), 104
information security programs, 93–95
information security steering committees, 95–96
Information Sharing and Analysis Centers (ISACs), 61–62
information system owners, 107
Information Technology Act, 106
information technology auditors, 354
Information Technology Infrastructure Library (ITIL), 280
inpatient status, 3
Institute of Electrical and Electronics Engineers (IEEE), 156
institutional review boards (IRBs), 41–42, 102–103, 210–211, 302
insurance. See health insurance
intangible assets, measuring the value of, 323–324
integrated delivery systems, 4
Integrating the Healthcare Enterprise (IHE), 77–78
“De-Identification Handbook,” 45
integration, 300–301
interconnection security agreements (ISAs), 177, 178
Internal Control - Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission. See COSO model
International Classification of Diseases (ICD), 25
International Organization for Standardization. See ISO
Internet of Medical Things (IoMT), 137, 154–155
interoperability, 144–145
levels of, 147
software and system development, 145–147
See also Medicare Access and CHIP Reauthorization Act (MACRA)
intrinsic value, 322
(ISC)2, Code of Ethics, 122–124
ISO, 238
certification, 395
ISO 25237:2017, 44
ISO 27001 questionnaire, 394
ISO 27799:2016, 95
ISO/IEC 18033-x, 269
ISO/IEC 27001: Information Security Management, 238, 336–337, 351
ISO/IEC 27001:2013, 94–95
ISO/IEC 27002: Information Technology - Security Techniques - Code of Practice for Information Security Controls, 95, 351
ISO/IEC 27005: Information Technology - Security Techniques - Information Security Risk Management, 337
ISO/IEC 27014: Information Technology - Security Techniques - Governance of Information Security, 349
ISO 27799: Health Informatics, 238
ISO/IEC 29100: Privacy Framework, 238–239
ISO/IEC 29101: Privacy Reference Architecture, 239
ISO/IEC 29190: Privacy Capability Assessment Model, 239
Israel, breach notification, 405
J
janitorial services, 13
Japan, healthcare in, 23
Joint Commission (JC), 37, 59–60
Joint Commission on Accreditation of Healthcare Organizations (JCAHO). See Joint Commission (JC)
jurisdiction, 205–206
K
Kennedy-Kassebaum Act. See HIPAA
L
laws and regulations
overview of US privacy and security laws, 191
regarding medical devices and critical infrastructure issues, 192–194
See also specific laws and regulations
least privilege, 275–276
legal contracts, 64
legal medical records, 79–80, 150
See also electronic health records (EHRs)
licensed practical nurses (LPNs), 7
licensed vocational nurses (LVNs), 7
likelihood, 324–325
limits to liability, 179
linkability, 239
logging, 258
logical controls, 176
Logical Observation Identifiers Names and Codes (LOINC), 27
M
malpractice, 59
managed care, 18–21
managed security service providers (MSSPs), 380
mandatory access control (MAC), 50, 266
Maner, Walter, 120
market value, 322
media destruction, 172
Medicaid, 19
Medical Device Innovation, Safety, and Security Consortium (MDISS), 62
medical devices
adverse events resulting from medical device software issues, 140
classification of, 161–162
General Controls, 161–162
and HIT, 155–162
laws and regulations, 192–194
Manufacturer Disclosure Statement for Medical Device Security (MDS2), 193
medical device law and FDA guidance on privacy and security, 157
Special Controls, 162
threats to, 137–138
types of, 155–156
vulnerability management for, 274
medical identity theft, 199–200
medical technicians, 11
Medicare, 19
Medicare Access and CHIP Reauthorization Act (MACRA), 77, 147–148
Medicare EHR Incentive Program, 77
MedWatch web site, 156
memoranda of understanding (MOU), 177
mental health, 307–308
Merit-Based Incentive Payment System (MIPS), 77, 147–148
Metathesaurus, 26
metrics
base, 341
environmental, 341
exploitability, 342
impact, 342–343
temporal, 341
MITRE ATT&CK, 365
mobile device management, 164–165
multifactor authentication (MFA), 263, 265
N
National Association of Corporate Directors (NACD), 92
National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, 42
National Drug Code (NDC), 28
National Initiative for Cybersecurity Education (NICE), 13
National Institute of Standards and Technology (NIST), 239–240, 241
Assessing Security and Privacy Controls in Federal Information Systems and Organizations (NIST SP 800-53A), 349
Assessing Security Requirements for Controlled Unclassified Information (NIST SP 800-171A), 394
Cloud Computing Program (NCCP), 163
Computer Security Incident Handling Guide (NIST SP 800-61 Rev. 2), 280
confidentiality, 255–256
Contingency Planning Guide for Federal Information Systems (NIST SP 800-34), 193
Cybersecurity for IoT Program, 155
Cybersecurity Framework (NIST CSF), 92, 335
Data Integrity: Recovering from Ransomware and Other Destructive Events (NIST SP 1800-11), 257
FIPS 140-2 Security Requirements for Cryptographic Modules, 268
Framework for Improving Critical Infrastructure Cybersecurity, 137, 276
Generally Accepted Principles and Practices for Securing Information Technology Systems (NIST SP 800-14), 111
Guide for Conducting Risk Assessments (NIST SP 800-30 Rev. 1), 324, 339, 345
Guide for Mapping Types of Information and Information Systems to Security Categories (NIST SP 800-60 Vol. 1 Rev. 1), 331
guidelines for encryption, 269
Guidelines for Media Sanitization (NIST SP 800-88), 172
Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144), 164, 382
Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137), 272
Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST SP 800-66 Rev. 1), 224
Managing Information Security Risk (NIST SP 800-39), 335
NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management, 231
NIST risk management framework (RMF), 334–336
NIST SP 800-122, 202–203
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171 Rev. 2), 394
Risk Management Framework for Information Systems and Organizations (NIST SP 800-37 Rev. 2), 335
Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53 Rev. 4), 333, 349, 394
Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39), 334
Special Publication (SP) 800-122, 43–44
National Library of Medicine (NLM), 26
National Provider Identifier (NPI) standard, 10, 73
National Research Act of 1974, 42
National Uniform Billing Committee (NUBC), 33
National Vulnerability Database (NVD), 341
need to know, 275–276
network access control (NAC), 165
network connectivity controls, 176
NIST. See National Institute of Standards and Technology (NIST)
nongovernment regulators, 59–60
nonmedical devices, third-party risk, 384–385
nonrepudiation, 264
notice of privacy practices, 114
notification, 298
nurse practitioners (NPs), 6–7
nurses, 5–7
nurses’ aides, 6
O
Obamacare. See Patient Protection and Affordable Care Act (PPACA)
observability, 239
observation status, 3
Office of the Comptroller of the Currency (OCC), 389–390
Office of the National Coordinator for Health Information Technology (ONC), 76
and health information exchange (HIE), 166
and HIT, 143
Shared Nationwide Interoperability Roadmap and Interoperability Standards Advisory, 144
ONC-OCR HIPAA Security Toolkit, 345–346
“onward transfer” principle, 287
Open Web Application Security Project (OWASP), 319, 320
openness, 293
opt in/opt out, 285
Organisation for Economic Co-operation and Development (OECD), 100, 114, 218
privacy principles, 233–235, 293
organization reputation, 198
See also data breach regulations
organizational codes of conduct, 120–121
See also codes of conduct
organizational codes of ethics, 121
(ISC)2 Code of Ethics, 122–124
See also ethics
outpatient status, 3
outside legal counsel, 381
outsourcing, 379–381
oversight and regulatory challenges, 141–144
See also regulators; regulatory environment
overwriting, 69
ownership of healthcare information, 301–303
P
Parker, Donn B., 119–120
passive scanning, 321
password-management tools, 263
patient care and safety, 39–40
healthcare information protection as a patient care issue, 201
patient embarrassment, 200–201
See also data breach regulations
patient portals. See personal health records (PHRs)
Patient Protection and Affordable Care Act (PPACA), 19–20
mergers and acquisitions of healthcare organizations, 38
premium growth after, 20
patient record numbers, 65
patient rights, 38–39
right to access patient’s own health records, 47
patient-centered medical homes (PCMHs), 30
patients, 2–4
pay cash, 15
Payment Card Industry Data Security Standard (PCI DSS), 105, 190
questionnaires, 394
payment models, 29–31
performance value, 322
personal accountability documents, 114–115
Personal Data (Privacy) Ordinance (PDPO), 106
Personal Health Information Protection Act (PHIPA), 114
personal health records (PHRs), 150–151
See also electronic health records (EHRs)
Personal Information Protection and Electronic Documents Act (PIPEDA), 105, 195, 229–230
Personal Privacy Protection Law, 106
personally identifiable information (PII), 3–4, 100, 201–203
de-identification of patient information, 43–46
pharmacists, 12
PHI. See protected health information (PHI)
physical controls, 175–176, 363
physical safeguards, 223
physical security personnel, 355
physician assistants (PAs), 10–11
Physician Self-Referral Law, 226–227
physicians
list of specialists, 8–9
See also providers
PII. See personally identifiable information (PII)
PKI certificates, 174
point-of-service (POS), 18
policies, information security and privacy, 110–111
preferred provider organizations (PPOs), 18
privacy
European approach to, 282–283
policies and procedures, 109–117
and security, 299
US approach to, 282
Privacy Act (Canada), 228, 256
Privacy Act of 1974 (United States), 227
See also institutional review boards (IRBs)
privacy by default, 219
privacy by design, 219
privacy concepts, 281–282
access control, 295
access limitation, 288–289
accountability, 292
accuracy, 289
choice, 283–285
completeness, 289
consent, 283
disclosure limitation, 287
events, incidents, and breaches, 297–298
individual participation, 296
legitimate purpose, 286
limited collection, 285–286
management, 290
notice, 296–297
openness and transparency, 293–294
privacy officers, 290–291
processing authorization, 292
proportionality, 294
purpose specification, 286–287
quality, 289–290
supervisory authority, 291
training and awareness, 292–293
transborder concerns, 288
use and disclosure, 294–295
use limitation, 295
privacy frameworks, 231–236
privacy governance
audit committee (board of directors), 102
chief privacy officers (CPOs), 105–107
data governance committee, 101–102
Generally Accepted Privacy Principles (GAPP), 100–101
institutional review boards (IRBs), 102–103
international privacy laws, 106–107
overview, 98–100
privacy officers, 290–291, 353–354
privacy regulations, 218
Anti-Kickback Enforcement Act, 227
EU Data Protection Directive, 107, 194, 218–219, 256
EU-US Privacy Shield, 216–217
Personal Information Protection and Electronic Documents Act (PIPEDA), 105, 195, 229–230
Privacy Act (Canada), 228
Privacy Act of 1974 (United States), 227
Stark Law, 226–227
See also General Data Protection Regulation (GDPR); HIPAA
private-key cryptography, 269
privileged account management systems, 263
probabilities, 318
procedures, information security and privacy, 111–112
processing authorization, 292
proportionality, 294
Prospective Payment System (PPS), 24–25
See also Diagnosis-Related Group (DRG)
protected health information (PHI), 4, 201–202, 203–205
authentication, authorization, and accounting (AAA), 50–52
and cloud computing, 195
de-identification of patient information, 43–46
destruction of patient health information, 49–50
record retention, 47–49
protection of human subjects, 212–213
providers, 4–5
provisioning software, 263
pseudonymization, 44–45
See also privacy
psychiatrists, 12
psychologists, 12
public health reporting. See reporting
public key cryptography, 269
public key infrastructure (PKI), 269
purpose specification, 286–287
Q
Quality Payment Program (QPP), 147–148
R
record retention, 47–49
destruction of patient health information, 49–50
See also healthcare records management
Red Flags Rule, 164
Reference Information Model (RIM), 77
referrals, 10
registered nurses (RNs), 6
regulations and controls of other countries, 213
EU-US Privacy Shield, 216–217
EU-US Safe Harbor, 214–216
treaties, 213–217
See also specific countries
regulators
law enforcement, 58
nongovernment regulators, 59–60
state and local government, 56–58
tort law and malpractice, 58–59
regulatory environment, 37–38
oversight and regulatory challenges, 141–144
patient care and safety, 39–40
patient rights, 38–39
regulatory requirements, 189–190
data breach regulations, 196–201
data controllers, 208–209, 210
data custodians, 209
data owners, 207–208
data processors, 209–210
data stewards, 208
data subjects, 206–207
international regulations for data transfer to third parties, 386
jurisdiction implications, 205–206
legal issues regarding information security and privacy, 190–196
protected personal and health information, 201–205
research, 210–212
reimbursement, 33
release of information, 113
reporting, 40–41
research, 210–212
protection of human subjects, 212–213
residual risk, assessing, 331–333
Resource Utilization Groups (RUG), 27
retention and recovery, 153
revenue cycle, 28–29
claims processing and third-party payers, 29
medical billing, 31
payment models, 29–31
reimbursement, 33
transaction standards, 32–33
right to be forgotten, 220
risk acceptance, 333–334, 359–360
risk appetite, 331
risk assessments
assessing residual risk, 331–333
automated scanning tools, 356
communications and reporting, 360–361
desired outcomes, 347
document reviews, 356
estimated timelines, 356
gap analysis, 356–357
information gathering, 355–356
onsite interviews, 356
procedures, 349–352
questionnaires, 355
role of internal and external audit and assessment, 347–348
roles, 352–355
tools, resources, and techniques, 344–347
risk avoidance, 358
risk components, 324–326
risk management, 318
and HIPAA, 142
hybrid or semi-options, 320
identifying information assets, 321
information lifecycle and continuous monitoring, 343–344
measuring and expressing information risk, 318–321
mitigating actions, 358–360
mitigation and controls, 318
probabilities, 318
qualitative approach, 320, 321
quantitative approach, 320, 321
See also third-party risk management
risk management framework (RMF), 334
ISO, 336–338
NIST RMF, 334–336
risk management process
intent, 343
overview, 339–340
quantitative vs. qualitative approaches, 340–343
risk management steering committees, 97
risk remediation, 362–364
risk response, 361–362
risk tolerance, 331
risk transfer, 358–359
role-based access control (RBAC), 50, 266–267
rule-based access control (RuBAC), 50, 267
Rules of Ethics in Information Processing, 119–120
S
SABSA (Sherwood Applied Business Security Architecture), 176
Safe Harbor, 214–216
safe harbor method, 43
See also HIPAA; privacy
sanitizing, 69
SecDevOps, 329–330
secure overwriting, 172
Secure Sockets Layer (SSL), 174
security
data, 66
and privacy, 299
sanction policy, 272
training and awareness, 270
security concepts, 260
defense-in-depth, 260
identity and access management (IAM), 262–264
security categorization, 260–262, 330–331
security controls, 260, 326–331
security control owners, 354
security frameworks, 237–243
security governance, 91–92
boards of directors, 92–93
configuration control boards (CCBs), 96
data incident response teams, 97–98
information management councils (IMCs), 96–97
information security programs, 93–95
information security steering committees, 95–96
logging and monitoring, 271–272
risk management steering committees, 97
segregation of duties, 275
self-funded employee health benefits plans, 17
self-pay, 15
sensitive data, 303–304
categories of, 306–308
mitigation, 304–306
and third-party risk management, 409
sentinel events, 140
service level agreements (SLAs), 63, 177–178
Service Organization Controls (SOC) report, 395
signal reception, 167
single loss expectancy (SLE), 340
single sign-on (SSO) applications, 263, 264
Smith, Richard, 93
SNOMED CT. See Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT)
social workers, 12
software and system development, 145–147
software-initiated threats, 139
South Korea, privacy laws, 106
staff augmentation, 380–381
stakeholders, 23
standard operating procedures (SOPs), 111–112
Standardized Information Gathering (SIG) Questionnaire, 394
standards, data, 66
Stark Law, 226–227
state and local government regulators, 56–58
Stein, Leonard, 14
Steinhafel, Gregg, 93
stewardship, data, 65
storage, secure, 258
Stroz Friedberg (Aon), 280
Structured Threat Information Expression (STIX), 61–62
structured/unstructured data, 24
subcontractors, 377–378
substance abuse, 306–307
supervisory authority, 291
symmetric cryptography, 269
system hardening, 273
Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT), 26
T
tangible assets, measuring the value of, 323
Target, 93
technical controls, 364
technical safeguards, 223–224
third parties, defined, 376–377
third-party connectivity, 172–173
connection agreements, 176–179
technical standards, 175–176
trust models for third-party interconnections, 174–175
third-party payers, claims processing and, 29
third-party relationships in healthcare, 2, 52, 377–378
administering third parties, 62–64
administration, 12–13
assessing, 390–396
emergency medical technicians (EMTs), 12
environmental services, 13
health insurance, 15
healthcare clearinghouses, 14
Healthcare Information Sharing and Analysis Centers (H-ISACs), 62
Information Sharing and Analysis Centers (ISACs), 61–62
managed security service providers (MSSPs), 380
Medical Device Innovation, Safety, and Security Consortium (MDISS), 62
medical technicians, 11
nurses, 5–7
organizational behavior, 14–15
outside legal counsel, 381
outsourcing, 379–381
overview, 378–379
patients, 2–4
pharmacists, 12
physician assistants (PAs), 10–11
providers, 4–5
psychiatrists, 12
psychologists, 12
regulators, 56–60
social workers, 12
staff augmentation, 380–381
subcontractors, 377–378
vendors, 53–56
third-party remediation, 396–397
third-party risk management
assessments and audits, 392–393
business associate agreements (BAAs), 385
communication of assessment results, 396
compliance with information asset protection controls, 394–395
data sensitivity and classification, 409
determining when to assess, 390–392
information asset protection controls, 393–394
information flow mapping and scope, 408–409
international regulations for data transfer to third parties, 386
management standards and practices for engaging third parties, 387–388
organizational standards, 391
privacy and security requirements, 409–410
promoting awareness of third-party requirements, 407–408
relationship management, 388–390
risk assessment activities, 406–407
risk in data disposition, 384
risk in nonmedical devices, 384–385
risk in the cloud, 381–384
risks associated with third parties, 410–411
triggers of a third-party assessment, 391–392
unauthorized disclosure of data transferred to third parties, 387
third-party security/privacy events, 397
affected individuals, 402–403
breach recognition, 400–401
EU data authorities, 402
health information exchanges, 403
initial response, 400–401
internal processes for incident response, 397–400
international breach notification, 404–405
law enforcement, 402
media, 403
notification, 400–401
organizational breach notification rules, 403–405
organizational information dissemination policies and standards, 405–406
public relations, 403
relationship between organization and third-party incident response, 400
responding to requests, 401–407
third-party transfers, 287
threats
CIA triad, 135
external threats to HIT privacy and security, 136–141
increased exposure affecting the threat landscape, 135–136
internal threats to HIT privacy and security, 136
to medical devices, 137–138
See also healthcare information technology (HIT)
three lines of defense model, 98–100
tokenization, 268
tort law, 58–59
trading partners, 73
transaction standards, 32–33
transborder concerns, 288
transparency, 293–294
Transport Layer Security (TLS), 174
treaties, 213–217
Trusted Automated Exchange of Intelligence Information (TAXII), 61–62
two-factor authentication (2FA), 263, 265
U
Unified Medical Language System (UMLS), Metathesaurus, 26
United Kingdom
healthcare in, 22
ownership of healthcare information, 303
United States, healthcare in, 16
distribution of expenditures by payer, 17
employer-based insurance, 16–17
fully insured health plans, 16–17
indemnity insurance, 16
managed care, 18–21
privacy laws, 106–107
self-funded employee health benefits plans, 17
unlinkability, 239
use and disclosure, 294–295
use limitation, 295
user agreements, 114–115
V
valuation methods, 322–324
value stream mapping (VSM), 36–37
value-based payment modifier (VBPM) model, 31
vendors, 53–56
Veterans Health Administration (VHA), 19
virtual desktop interface (VDI), 175
virtual private networking (VPN), 174
vulnerability management, 272–274
W
WannaCry ransomware attack, 139
warm sites, 279
Wiener, Norbert, 119
Windows baselines, 273
workflow management, 33–34
business process reengineering (BPR), 34–36
value stream mapping (VSM), 36–37
workflow management systems (WMS), 34
World Health Organization (WHO), 25, 60
write once read many (WORM), 168
Z
zeroing, 69