New Health InfoSec Credential DebutsSizing Up the Value of the Latest (ISC)Â² Offering
A new professional certification from (ISC)Â² aims to help employers assess the healthcare information security and privacy expertise and knowledge of practitioners.
See Also: OnDemand I Critical Considerations When Choosing Your Security Awareness Training Vendor
The new HealthCare Information Security and Privacy Practitioner, or HCISPP, certification, which is now available, has been under development by (ISC)Â² in collaboration with the Healthcare Information Trust Alliance for more than three years (see New InfoSec Credential: Filling a Gap?).
(ISC)Â², which also already offers the Certified Information Security Systems Professional, or CISSP, credential, says the new certification is "designed to provide healthcare employers and those in the industry with validation that a healthcare security and privacy practitioner has the core level of knowledge and expertise required by the industry to address specific security concerns."
Sizing Up the Value
Security expert Mac McMillan, CEO of the consulting firm CynergisTek, says the healthcare industry doesn't necessary need another professional credential, but because the certification is from a well-known organization, employers and practitioners are likely to take notice.
Because (ISC)Â² developed the credential, McMillan says, "I can assure you it will take off." He cautions, however, that "folks will have to see a real difference between this and the CISSP to want it. Organizations are not gushing with dollars for training or certifications, so one more, if not unique, is going to just strain the system."
Several other organizations, including the American Health Information and Management Systems Society and the HIPAA Academy, already offer credentials that certify expertise in healthcare privacy and security.
Marc Schandl, an enterprise architect from BlueCross Blue Shield of Minnesota who participated as a subject matter expert in reviewing the content and exam for the new (ISC)Â² credential, says HCISPP differentiates itself in several ways from other certifications.
"One is that it has an international scope, which benefits individuals and employers alike, who are crucial to driving and adopting practices to properly store, secure, and exchange sensitive healthcare data," he says.
"Great care is taken to not only provide assurance that a candidate has a solid understanding of HIPAA's requirements for the United States, but also those of Europe and other regions that have very strict requirements for how personal data must be protected, how it can be shared, what to do in case of a breach, and so forth," he explains.
Schandl says another differentiator for the new credential is that it's much more comprehensive than a HIPAA awareness certificate that can be obtained by attending a training class and passing an exam. "That's because it's designed to fairly assess an individual's understanding of implementing, managing and assessing security and privacy controls, which requires experience and an understanding of how to apply that knowledge to the healthcare environment," he says.
To attain the HCISPP credential, applicants must have a minimum of two years of experience in one knowledge area of the credential - security, compliance or privacy. Legal experience may be substituted for compliance, and information management experience may be substituted for privacy. At least one of the two years of experience must be in the healthcare industry.
All candidates must be able to demonstrate competencies in each of the following six domains in order to achieve HCISPP:
- Healthcare industry;
- Regulatory environment;
- Privacy and security in healthcare;
- Information governance and risk management;
- Information risk assessment; and
- Third-party risk management.
Those who should consider obtaining the new certification, (ISC)Â² says, include: privacy officers, compliance officers, information security officers, compliance auditors, risk analysts, medical records supervisors, IT managers, health information managers and privacy and security consultants.
"Anyone new to security and healthcare could certainly consider this certification," says security expert Brian Evans, principal of Brian Evans Consulting. "But with hundreds of tech-related and security specific certifications available today, the primary question to answer is whether or not it's the right certification for the individual and job they'll perform. Otherwise, people can end up with an alphabet soup of incomprehensible acronyms after their name. How many certifications does it take to demonstrate competence?"
Among employers who might consider hiring those who have earned the credential or encouraging existing personnel to obtain the credential, (ISC)Â² says, are: hospitals, physician group practices, consulting firms, claims processors and regulatory agencies.
Because HIPAA Omnibus Rule requires business associates to comply with HIPAA, some of these vendors might also consider having staff members obtain the credential, Evans says.
"Business associate staff ... may find value in a healthcare-specific certification if they lack any credentials today," Evans says. "But there is no 'one-size-fits-all' solution when it comes to looking for the right security certifications to earn. It truly depends on the role of the individual and the career path they plan to take. Are they looking for a broad base of knowledge or something specific to support technical skills such as networking or architecture?"
More information about the credential is available at the (ISC)Â² website.