Introduction

If you are reading this introduction, you are probably one of two types of people. The first type is someone who has worked in healthcare for a few years and whose responsibilities are becoming more dependent on information technology—and therefore information security. Perhaps you work in healthcare records management, and your organization recently implemented an electronic healthcare record. You have been chosen to provide your records management expertise to the new digital system. Congratulations! You are clearly valued in your organization. And this book will serve you because it will address, in a practical manner, your concerns about moving from paper-based records to digital, networked systems.

The second type of person is someone who has worked in information technology in healthcare or an industry other than healthcare. Perhaps you are a network operator who previously worked for the local bank or supermarket. Now you have the opportunity to be the firewall administrator for the community hospital. Congratulations to you as well! You are now an important person in the delivery of healthcare. You may not consider yourself a healthcare provider, but you are, and you most certainly support directly those personnel who provide patient care. Within this book, you will learn the implications on patient care and healthcare business of providing information security and privacy in a healthcare organization. When it comes to healthcare provision, the actions or inactions of information technology practitioners can impact patient safety or clinical quality.

For those of you who do not fit into the two categories I mentioned, do not worry. This material is very much applicable to your pursuit to elevate your competency and your dedication to the profession. Having performed healthcare information security and privacy work for a decade or two, I offer this book as a collection of lessons learned as much as anything else. Here, you will find real scenarios, actual issues, and practical solutions. I name no names to protect the innocent. In sum, I grew up in healthcare information security and still maintain a "healthcare first" attitude. When perfectly acceptable information security practices are applied to healthcare without considering the impact on patient care or provider practices, healthcare often suffers. My goal is to be part of mitigating the risk that information protection can actually introduce when trying to do the right thing. Competent healthcare information security and privacy professionals can, in fact, enable better healthcare, improve outcomes, and advance organizational initiatives.

I hope you will enjoy reading this material as much as I have enjoyed constructing it. I welcome your feedback on any and all of the material. In many ways, what you will read is the result of many discussions and commiseration sessions I have had over the years with like-minded colleagues and friends. Actually, the need for this book can be described by that same feedback loop. Let me know what you think.

There are just a handful of books about healthcare information security and privacy from which to choose today. That may change over time. The title may indicate a specific focus and target audience, but this book is not limited in purpose:

• This book will help those of you who are experiencing first-hand the integration of healthcare, biomedical engineering, information security, information technology, and privacy.

• It is a terrific desk reference for those of you who already have a few years in a healthcare information security and privacy position.

• The material is valuable as part of a curriculum in healthcare information security and privacy in universities, colleges, and technical education workshops and seminars.

I would like to share some of the intentions behind how the content was assembled and delivered.

For the most part, we are guided more by our organizational policies and experiences than theoretical practices and higher-level regulatory pressures. That said, organizational policies and procedures should be based on those laws and directives from regulators. To be effective as a healthcare information security and privacy professional, however, you will be guided more by organizational policies and procedures. This is also why experience in the healthcare field is so important toward measuring competency. With that in mind, one of the underlying themes of this book is the role you will play in developing and implementing organizational policies. As you read this book, take the opportunity to think about your own organizational policies and procedures around information protection:

• What policies and procedures are in place?

• What are their stated purposes?

• What regulations do they comply with?

• What are the roles and responsibilities presented?

The following are some of the types of policies you should look for:

• Information security program

• Information risk management

• Incident reporting process

• Information governance (Information Management Council, Configuration Control Board, and so on)

• Notice of privacy practices

In this way, the book has a practical application. As you read and study, you may find areas that do not reflect how your organization does things. There is always room and need for some variation. By comparing and gathering internal sources, you will gain a better appreciation of the general organization and structure of information protection, which should be evident in all healthcare organizations. (If nothing else, you might identify opportunities for improvement!) Again, internal policies and procedures are typically linked to a requirement that is external to the organization, such as HIPAA or PHIPA. Therefore, this book recognizes how important internal guidance is in understanding the application of overarching national or international regulatory frameworks and directives.

The majority of the references provided in the book are publically available. In most cases, they are offered with the intent of suggesting further reading. Not only are they listed to cite a particular point made, but also to point you to a wealth of additional material you might want to also access. In this way, the book expands your knowledge base. No single book can cover every topic in sufficient detail, but narrowing the universe of information down to a manageable list of sources is possible. At the same time, obscure, hard-to-find, and proprietary sources of information are likely not available to any of us on a day-to-day basis, so these do not make up this book's source material. The sources listed are intended to augment the material and be applicable to healthcare. Some of the references include

• National Institute of Standards and Technology 800 series, with special emphasis on

  • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

  • SP 800-66, Rev 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

  • SP 800-61, Rev. 2, Computer Security Incident Handling Guide

  • SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations

  • SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View

  • SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

• International Association of Privacy Professionals (IAPP) Privacy Advisor accessed at https://www.privacyassociation.org/publications/privacy_advisor

If you work in the United States, you undoubtedly are concerned with HIPAA and its amendments. In this book, you will find ample material to guide you in the relevant areas of HIPAA compliance. However, as the provision of healthcare becomes global and many U.S. healthcare providers expand their markets overseas, international healthcare laws and procedures become relevant to U.S.-based healthcare workers. Add to that the growing market for electronic health records and cloud-based services, to name a few, that are outside the United States and you can see that, although healthcare is still local in nature, it requires an international perspective as well.

At the same time, the target audience of this book includes all of our international colleagues in healthcare. The fact is we all share the same convergence of

• Paper-based records to digital

• Regulatory pressures to protect sensitive information

• Workforce professions with new information protection responsibilities

• Increased networking and interoperability

Because we share these common concerns, this book is inclusive of an international healthcare information security and privacy professional audience. Some may think there is too much of an international focus. Others will think it is not enough. In the end, the intent is to at least acknowledge the common concerns we all have and the similar framework and approaches we take.

One of the central responsibilities in the practice of healthcare information security and privacy is managing information risk:

• Knowing the standards-based assessment tools

• Understanding the importance of assessing the organization and third-parties

• Comprehending the process of mitigating vulnerabilities

• Communicating findings throughout the organization

• Continually assessing the organization and the risk management program for improvement

These basic concepts are foundational and a large portion of this text is dedicated to them. This is on purpose as risk management proficiency is a practical skill that you must have. I am not the first author to point out that no silver bullet exists—that there is no perfect process or technology—that will prevent all data incidents and breaches. Perfection is not the goal. It is not possible. What is key is your proficient application of risk management to your organization to protect, detect, correct, and recover as quickly as possible, with minimal impact, and at the least cost to the organization.

If you do these things, which are hard, your role as a healthcare information security and privacy professional can be rewarding and vital to improved patient care, enhanced organization-wide quality, and reduced costs over the long run. Not to mention… the work can be a lot fun!