ISC2

HealthCare Information Security and Privacy Practitioner Training

HCISPP

HealthCare Information Security and Privacy Practitioner (HCISPP)

The HealthCare Information Security and Privacy Practitioner (HCISPP) educational course is intended to give the audience the basic structure, the essentials of the legal basis, the issues of, and the information security and privacy particulars of the American healthcare delivery system. An integral part of this course is to prepare attendees who have the required minimum experience to sit for the (ISC)2 HCISPP certification examination.

Training at a glance

Level

Advanced

Duration

4 Days

Experience

5 years: Senior Security & Privacy Practitioners

Average Salary

$102,000

Labs

No

Training Details

The broad spectrum of topics included in the HCISPP Common Body of Knowledge (CBK) ensures its relevance across all disciplines in the field of information security. Successful candidates are competent in the following seven domains:

  • Healthcare Industry
  • Data and Information Governance in Healthcare
  • Information Technologies in Healthcare
  • Regulatory and Standards Environment
  • Privacy and Security in Healthcare
  • Risk Management and Risk Assessment
  • Third-Party and Supply Chain Risk Management

Domain 1: Healthcare Industry
  • Understand the Healthcare environment
    • Types of Organizations in the Healthcare Sector (e.g. providers, pharma, payers, business associates)
    • Health Information Technology (e.g., computers, medical devices, networks, health information exchanges, Electronic Health Record [EHR], Personal Health Record [PHR])
    • Health Insurance (e.g., claims processing, payment models)
    • Coding (e.g., SNOMED CT, ICD-9/10)
    • Billing, Payment, and Reimbursement
    • Workflow Management
    • Regulatory Environment (e.g., security, privacy, oversight)
    • Public Health Reporting
    • Clinical Research (e.g., process)
    • Healthcare Records Management
  • Understand Third-party relationships
    • Vendors
    • Business Partners
    • Data Sharing
    • Regulators
  • Understand foundational health data management concepts
    • Information Flow and Life Cycle in the Healthcare Environments
    • Health Data Characterization (e.g. classification, taxonomy, analytics)
    • Data Interoperability and Exchange (e.g. HL7, HIE, DICOM)
    • Legal Medical Records
 
Domain 2: Regulatory Environment
  • Identify applicable regulations
    • Legal issues that Pertain to Information Security and Privacy for Healthcare Organizations
    • Data Breach Regulations
    • Personally Identifiable Information
    • Information Flow Mapping
    • Jurisdiction Implications
    • Data Subjects
    • Data Owners/Controllers/Custodians/Processors
  • Understand international regulations and controls
    • Treaties (e.g., Safe Harbor)
    • Regulations
    • Industry-Specific Laws
    • Legislative (e.g., EU Data Privacy Directive, HIPAA/HITECH)
  • Compare internal practices against new policies and procedures
    • Policies (information security and privacy)
    • Standards (information security and privacy)
    • Procedures (information security and privacy)
  • Understand compliance frameworks
  • Understand responses for risk-based decision
    • Compensating Controls
    • Control Variance Documentation
    • Residual Risk Tolerance
  • Understand and comply with Code of Conduct/Ethics in HealthCare information Environment
    • Organizational Code of Ethics
    • (ISC)2 Code of Ethics
 
Domain 3: Privacy and Security in Healthcare
  • Understand security objectives/attributes
    • Confidentiality
    • Integrity
    • Availability
  • Understand general security definitions/concepts
    • Access Control
    • Data Encryption
    • Training and Awareness
    • Logging and Monitoring
    • Vulnerability Management
    • Systems Recovery
    • Segregation of Duties
    • Least Privilege (Need to Know)
    • Business Continuity
    • Data Retention and Destruction
  • Understand general privacy principles
    • Consent/Choice
    • Limited Collection/Legitimate Purpose/Purpose Specification
    • Disclosure Limitation/Transfer to Third Parties/Trans-Border Concerns
    • Access Limitation
    • Security
    • Accuracy, Completeness, Quality
    • Management, Designation of Privacy Officer, Supervisor Re-authority, Processing Authorization, Accountability
    • Transparency, Openness
    • Proportionality, Use, and Retention, Use Limitation
    • Access, Individual Participation
    • Notice, Purpose Specification
    • Additional Measures for Breach Notification
  • Understand the relationship between privacy and security
    • Dependency
    • Integration
  • Understand the disparate nature of sensitive data handling implications
    • Personal and Health Information protected by Law
    • Sensitivity mitigation (e.g., de-identification, anonymization)
    • Categories of sensitive data (e.g., mental health)
    • Understand Security and Privacy Terminology Specific to Healthcare
 
Domain 4: Information Governance and Risk Management
  • Understand Security and Privacy Governance
    • Information governance
    • Governance structures
  • Understand basic risk management methodology
    • Approach (e.g., qualitative, quantitative)
    • Information Asset Identification
    • Asset Valuation
    • Exposure
    • Likelihood
    • Impact
    • Threats
    • Vulnerability
    • Risk
    • Controls
    • Residual Risk
    • Acceptance
  • Understand information risk management life cycles
  • Participate in risk management activities
    • Remediation Action Plans
    • Risk Treatment (e.g. mitigation/remediation, transfer, acceptance, avoidance)
    • Communications
    • Exception Handling
    • Reporting and Metrics
 
Domain 5: Information Risk Assessment
  • Understand risk assessment
    • Definition
    • Intent
    • Lifecycle/Continuous Monitoring
    • Tools/Resources/Techniques
    • Desired Outcomes
    • Role of Internal and External Audit/Assessment
  • Identify control assessment procedures from within organizational risk frameworks
  • Participate in risk assessment consistent with a role in the organization
    • Information Gathering
    • Risk Assessment Estimated Timeline
    • Gap Analysis
    • Corrective Action Plan
    • Mitigation Actions
  • Participate in efforts to remediate gaps
    • Types of Controls
    • Controls Related to Time
 
Domain 6: Third-party Risk Management
  • Understand the definition of third parties in the Healthcare context
  • Maintain a list of third-party organizations
    • Health Information Use (e.g., processing, storage, transmission)
    • Third-Party Role/Relationship with the Organization
  • Apply Third-Party Management Standards and Practices for Engaging Third Parties Based upon the relationship with the organization
    • Relationship Management
    • Comprehend Compliance Requirements
  • Determine when the third-party assessment is required
    • Organizational Standards
    • Triggers of Third-Party Assessment
  • Support third-party assessments and audits
    • Information Asset Protection Controls
    • Compliance with Information Asset Protection Controls
    • Communication of Findings
  • Respond to notifications of security/privacy events
    • Internal Process for Incident Response
    • Relationship between Organization and Third-Party Incident Response
    • Breach Recognition, Notification, and Initial Response
  • Support establishment of third-party connectivity
    • Trust Models for Third-Party interconnections
    • Technical Standards (e.g., physical, logical, network connectivity)
    • Connection Agreements
  • Promote awareness of the third-party requirements (internally and externally)
    • Information Flow Mapping and Scope
    • Data sensitivity and classification
    • Privacy Requirements
    • Security Requirements
    • Risks Associated with Third Parties
  • Participate in remediation efforts
    • Risk Management Activities
    • Risk Treatment Identification
    • Corrective Action Plans
    • Compliance Activities Documentation
  • Respond to third-party requests regarding privacy/security event
    • Organizational Breach Notification Rules
    • Organizational Information Dissemination Policies and Standards
    • Risk Assessment Activities
    • Chain of Custody Principles
 
Domain 7: Practice questions

This course is intended for mid-level to senior security and privacy practitioners who have 5 or more years of professional practice, of which at least 2 should be in such a role in a healthcare environment. Ideally, the candidate would already hold the CISSP certification from ISC2, but this is not required for the material to be accessible to the attendee.

The roles normally occupied by such persons would include:

  • HealthCare Compliance Officers
  • Privacy Officers of HealthCare companies
  • Security Managers
  • Auditors
  • IT Management
  • Risk Managers
  • Industry consultants in Security and Privacy

There are currently no prerequisites for this course.

We offer more than just ISC2 Training

Our successful training results keep our corporate and military clients returning.
That’s because we provide everything you need to succeed. This is true for all of our courses.

Strategic Planning & Project Management

From Lean Six Sigma to Project Management Institute Project Management Professional, Agile and SCRUM, we offer the best-in-class strategic planning and project management training available. Work closely with our seasoned multi-decade project managers.

IT & Cybersecurity

ATA is the leading OffSec and Hack the Box US training provider, and a CompTIA and EC-Council award-winning training partner. We offer the best offensive and defensive cyber training to keep your team ahead of the technology skills curve.

Leadership & Management

Let us teach your team the high-level traits and micro-level tools & strategies of effective 21st-century leadership. Empower your team to play to each others’ strengths, inspire others and build a culture that values communication, authenticity, and community.
