INFO 5522 Health Care Information Assurance 3 credits

This course focuses on giving students a broad-based understanding of the range of issues that IT professionals entering the health care industry must be aware of. Students will be exposed to the health care industry security environment as it stands today and to the larger regulatory environment in which health institutions operate. This is important in light of the recent move towards cloud-based electronic health records (EHRs) and third-party developed health applications. Further, issues relating to privacy/security, information governance and information risk assessment will also be covered. Finally, students will be exposed to interventions that can help mitigate the risks identified. Specific, evaluated graduate-level activities and/or performances are identified in the course syllabus. PREREQ: INFO 3380.

Every healthcare professional is obligated to deal with a broad spectrum of laws and regulations that define how they must handle the confidentiality, availability and integrity of information. This obligation extends from patient to provider to broader organizations, including insurance, electronic health records, personal health records, health information exchanges, medical devices, payers, etc. Related contexts include clinical research and public health reporting. The legal ramifications (both national and international) must be considered because of outsourcing and personnel matters. To do this, learners must learn about information flow and the information lifecycle, and how these interact with health care data characterization, interoperability and data exchange. Once the basics have been established, the regulatory environment and its legal requirements will be expanded on, along with its relationship to third-party risk management. This will lead to a more thorough explanation of the technical issues of privacy and security in healthcare. The course closes with a focus on both information governance and risk management. It will require understanding of both qualitative and quantitative information in the examination of threats, vulnerabilities, and asset valuation. Once this higher-level thinking is established, learners will be introduced to the critical issues in information risk analysis.

Sample Outline:

Healthcare Industry Security Environment
A. Understand the Healthcare Environment
• Health Information Technology (e.g., computers, medical devices, networks, health information exchanges, Electronic Health Record [EHR], Personal Health Record [PHR])
• Health Insurance (e.g., claims processing, payment models)
• Coding (e.g., SNOMED CT, ICD-10)
• Billing, Payment, and Reimbursement
• Workflow Management
• Regulatory Environment (e.g., security, privacy, oversight)
• Public Health Reporting
• Clinical Research (e.g., processes)
• Healthcare Records Management
B. Understand Third-Party Relationships
• Vendors
• Business Partners
• Data Sharing
• Regulators
C. Understand Foundational Health Data Management Concepts
• Information Flow and Life Cycle in the Healthcare Environments
• Health Data Characterization (e.g., classification, taxonomy, analytics)
• Data Interoperability and Exchange (e.g., HL7, IHE, DICOM)
• Legal Medical Records

Regulatory Environment
A. Identify Applicable Regulations
• Legal Issues That Pertain to Information Security and Privacy for Healthcare Organizations
• Data Breach Regulations
• Personally Identifiable Information
• Information Flow Mapping
• Jurisdiction Implications
• Data Subjects
• Data Owners/Controllers/Custodians/Processors
B. Understand International Regulations and Controls
• Treaties (e.g., Safe Harbor)
• Regulations
• Industry-Specific Laws
• Legislative (e.g., EU Data Privacy Directive, HIPAA/HITECH)
C. Compare Internal Practices Against New Policies and Procedures
• Policies (information security and privacy)
• Standards (information security and privacy)
• Procedures (information security and privacy)
D. Understand Compliance Frameworks (e.g., ISO, NIST, Common Criteria, IG Toolkit, Generally Accepted Privacy Principles [GAPP])
E. Understand Responses for Risk-Based Decision
• Compensating Controls
• Control Variance Documentation
• Residual Risk Tolerance
F. Understand and Comply With Code of Conduct/Ethics in a Healthcare Information Environment
• Organizational Code of Ethics
• Professional Codes of Ethics

Third-Party Risk Management
A. Understand the Definition of Third Parties in Healthcare Context
B. Maintain a List of Third-Party Organizations
• Health Information Use (e.g., processing, storage, transmission)
• Third-Party Role/Relationship With the Organization
C. Apply Third-Party Management Standards and Practices for Engaging Third Parties Based Upon the Relationship With the Organization
• Relationship Management
1) Internal compliance with third-party Service Level Agreements (SLAs)
2) third parties' compliance with SLAs
3) organizational contract management standards and practices
• Comprehend Compliance Requirements
1) international variances
2) implications of global trade restrictions
D. Determine When Third-Party Assessment Is Required
• Organizational Standards
• Triggers of Third-Party Assessment
E. Support Third-Party Assessments and Audits
• Information Asset Protection Controls
• Compliance With Information Asset Protection Controls
• Communication of Findings
F. Respond to Notifications of Security/Privacy Events
• Internal Processes for Incident Response
• Relationship Between Organization and Third-Party Incident Response
• Breach Recognition, Notification, and Initial Response
G. Support Establishment of Third-Party Connectivity
• Trust Models for Third-Party Interconnections
• Technical Standards (e.g., physical, logical, network connectivity)
• Connection Agreements
H. Promote Awareness of the Third-Party Requirements (internally and externally)
• Information Flow Mapping and Scope
• Data Sensitivity and Classification
• Privacy Requirements
• Security Requirements
• Risks Associated With Third Parties
I. Participate in Remediation Efforts
• Risk Management Activities
• Risk Treatment Identification
• Corrective Action Plans
• Compliance Activities Documentation
J. Respond to Third-Party Requests Regarding Privacy/Security Events
• Organizational Breach Notification Rules
• Organizational Information Dissemination Policies and Standards
• Risk Assessment Activities
• Chain of Custody Principles

Privacy and Security in Healthcare
A. Understand Security Objectives/Attributes
• Confidentiality
• Integrity
• Availability
B. Understand General Security Definitions/Concepts
• Access Control
• Data Encryption
• Training and Awareness
• Logging and Monitoring
• Vulnerability Management
• Systems Recovery
• Segregation of Duties
• Least Privilege (Need to Know)
• Business Continuity
• Data Retention and Destruction
C. Understand General Privacy Principles (e.g., OECD Privacy Principles, GAPP, PIPEDA, UK Data Protection Act 1998)
• Consent/Choice
• Limited Collection/Legitimate Purpose/Purpose Specification
• Disclosure Limitation/Transfer to Third Parties/Trans-Border Concerns
• Access Limitation
• Security
• Accuracy, Completeness, Quality
• Management, Designation of Privacy Officer, Supervisor Re-Authority, Processing Authorization, Accountability
• Transparency, Openness
• Proportionality, Use and Retention, Use Limitation
• Access, Individual Participation
• Notice, Purpose Specification
• Additional Measures for Breach Notification
D. Understand the Relationship Between Privacy and Security
• Dependency
• Integration
E. Understand the Disparate Nature of Sensitive Data and Handling Implications
• Personal and Health Information Protected by Law
• Sensitivity Mitigation (e.g., de-Identification, anonymization)
• Categories of Sensitive Data (e.g., mental health)
F. Understand Security and Privacy Terminology Specific to Healthcare

Information Governance and Risk Management
A. Understand Security and Privacy Governance
• Information Governance
• Governance Structures
B. Understand Basic Risk Management Methodology
• Approach (e.g., qualitative, quantitative)
• Information Asset Identification
• Asset Valuation
• Exposure
• Likelihood
• Impact
• Threats
• Vulnerability
• Risk
• Controls
• Residual Risk
• Acceptance
C. Understand Information Risk Management Life Cycles (e.g., NIST, CMS, ISO)
D. Participate in Risk Management Activities
• Remediation Action Plans
• Risk Treatment (e.g., mitigation/remediation, transfer, acceptance, avoidance)
• Communications
• Exception Handling
• Reporting and Metrics

Information Risk Assessment
A. Understand Risk Assessment
• Definition
• Intent
• Life Cycle/Continuous Monitoring
• Tools/Resources/Techniques
• Desired Outcomes
• Role of Internal and External Audit/Assessment
B. Identify Control Assessment Procedures From Within Organization Risk Frameworks
C. Participate in Risk Assessment Consistent With Role in Organization
• Information Gathering
• Risk Assessment Estimated Timeline
• Gap Analysis
• Corrective Action Plan
• Mitigation Actions
D. Participate in Efforts to Remediate Gaps
• Types of Controls
1) administrative
2) operational/physical
3) technical
• Controls Related to Time
1) preventative
2) detective
3) responsive
4) administrative

NIATEC National Science Foundation Information Assurance Directorate Department of Homeland Security CISSE Scholarship For Service