Risk Management and Risk Assessment in a Healthcare Setting

(ISC)² via Coursera

Go to class Write review

Details

Go to class

Provider

Coursera
Pricing

Free Online Course (Audit)
Languages

English
Certificate

Paid Certificate Available
Duration & workload

3 hours 4 minutes
Sessions

On-Demand
Level

Beginner
Subtitles

English

Found in

Overview

Class Central Tips

This is course three in the ISC2 Healthcare Certificate Specialization. Risk management is a crucial element for understanding information and privacy security. This domain sets the foundation for the entire course; terms defined here will be used in this book and in your day-to-day career. Risk management is one of the most complicated and important topics in information security, and this chapter does not pretend to cover all the different elements pertaining to it, but it provides a high-level glimpse of the essential concepts of this vital function. In the healthcare industry, the importance of adopting a risk management approach is even more crucial, due to the sensitive nature of the information. Data sharing can, in many cases, be a matter of life and death in the healthcare industry. However, patient safety is not the only objective. Saving someone's life only to have their most sensitive secrets leaked to unauthorized parties is counterproductive. Hence, the security and privacy practitioner must balance the clinical need for information and the patient's rightful expectation of privacy. Like other industries, the healthcare industry relies on technology to improve operations and patient care. In many cases, these technologies come with associated risks that must be considered. The industry also has unique regulatory and business requirements that the security and privacy practitioner must uphold. This course will cover the following learning objectives: - Define the foundations of enterprise risk management. - Explain the information risk management and assessment process. - Identify control assessment procedures using organization risk frameworks. - Explain the process of monitoring for and mitigating risk. - Define continuous monitoring.

Syllabus

Course Introduction

Risk management is a crucial element for understanding information and privacy security. This domain sets the foundation for the entire course; terms defined here will be used in this book and in your day-to-day career. Risk management is one of the most complicated and important topics in information security, and this chapter does not pretend to cover all the different elements pertaining to it, but it provides a high-level glimpse of the essential concepts of this vital function. In the healthcare industry, the importance of adopting a risk management approach is even more crucial, due to the sensitive nature of the information. Data sharing can, in many cases, be a matter of life and death in the healthcare industry. However, patient safety is not the only objective. Saving someone's life only to have their most sensitive secrets leaked to unauthorized parties is counterproductive. Hence, the security and privacy practitioner must balance the clinical need for information and the patient's rightful expectation of privacy. Like other industries, the healthcare industry relies on technology to improve operations and patient care. In many cases, these technologies come with associated risks that must be considered. The industry also has unique regulatory and business requirements that the security and privacy practitioner must uphold.

Module 1: Principles of Enterprise Risk Management

Maintaining the confidentiality, integrity, and availability (CIA) of assets is the basis of information security. As security and privacy practitioners, maintaining the CIA of personally identifiable information (PII) and protected health information (PHI) is of the highest priority. We use the objectives of confidentiality, integrity, and availability—the CIA triad—as a framework for assessing how different security policies, processes, and tools affect the overall security posture of a system. When discussing assets in the information and privacy security world, we are talking about data assets. They can exist in many forms but are commonly stored in digital form or as physical copies. Maintaining the CIA aspects of the information is crucial regardless of data format. Ensuring that CIA expectations are met requires evaluating all the supporting technologies and mechanisms in the data process (creation, use, storage, and archiving). The interrelated nature of data systems makes it more challenging to ensure a comprehensive assessment of security controls over the data.

Module 2: Information Risk Management Frameworks and Processes

Risk management frameworks provide security practitioners with a set of guidelines and best practices intended to reduce the organization’s exposure to a wide range of compromises. The use of frameworks allows the organization to assess its security posture and maturity and take it to a desired level while creating an auditable, repeatable system for managing information assets. Risk frameworks protect the confidentiality, integrity, and availability of the organization and its data. Many risk frameworks exist, including the NIST Risk Management Framework (RMF), the Information Security Management System defined in the ISO 27000 series, and the Information Technology Infrastructure Library (ITIL), among others. Some of them, such as ISO 27799:2016–Health Informatics, include specific healthcare-related topics, whereas others are more general. The healthcare security professional should be familiar with leading risk frameworks and utilize them to improve policies and procedures, implement security controls, and build business continuity plans in the organization.

Module 3: Control Assessment Procedures

Performing risk assessment is only an initial part in the risk management process. The more complicated aspect is choosing and implementing controls that are best suited to the organization’s needs. Every organization has different needs, requirements, and resources for addressing the findings in the risk assessment. Control choice can vary based on geographic location, existing staffing levels, contractual requirements, and so on. This module provides insight as to how controls are chosen.

Module 4: Risk Response, Continuous Monitoring, and Controls to Mitigate Risk

The risk management process’s objective is to identify risks and address them to protect the business. There are four general approaches to respond to risk. In this module, we will review these four approaches and consider when and how they are used.