This is course two in the ISC2 Healthcare Certificate Specialization.

Patients have expectations of privacy and that they will have some control over their medical information. In a healthcare context, this can include medical images, diagnoses, and notes relating to their treatment, the state of their health-related financial information, and other sensitive facts. To protect this information, organizations apply a range of safeguards to provide assurance that information is shared only if necessary. This includes processes, procedures, techniques, or technologies specifically designed to guarantee the confidentiality, integrity, and availability of the information. The ultimate objective is to ensure that personally identifiable information (PII) is adequately protected regardless of its state or the system in which the information exists. ​ This course will cover the following learning objectives: Identify essential security and privacy principles. Define the relationship between privacy and security. Describe sensitive data handling.

This is course three in the ISC2 Healthcare Certificate Specialization.

Risk management is a crucial element for understanding information and privacy security. This domain sets the foundation for the entire course; terms defined here will be used in this book and in your day-to-day career. Risk management is one of the most complicated and important topics in information security, and this chapter does not pretend to cover all the different elements pertaining to it, but it provides a high-level glimpse of the essential concepts of this vital function. ​ In the healthcare industry, the importance of adopting a risk management approach is even more crucial, due to the sensitive nature of the information. Data sharing can, in many cases, be a matter of life and death in the healthcare industry. However, patient safety is not the only objective. Saving someone's life only to have their most sensitive secrets leaked to unauthorized parties is counterproductive. Hence, the security and privacy practitioner must balance the clinical need for information and the patient's rightful expectation of privacy. ​ Like other industries, the healthcare industry relies on technology to improve operations and patient care. In many cases, these technologies come with associated risks that must be considered. The industry also has unique regulatory and business requirements that the security and privacy practitioner must uphold. ​ This course will cover the following learning objectives: - Define the foundations of enterprise risk management. - Explain the information risk management and assessment process. - Identify control assessment procedures using organization risk frameworks. ​ - Explain the process of monitoring for and mitigating risk. - Define continuous monitoring.