Background
The importance of security and privacy is rapidly increasing across all industries, especially given the recent acceleration in publicly disclosed data breaches and record exposures. As this book was composed, the public witnessed large breaches within the retail industry involving stolen credit card and personal information. At first glance one might dismiss this type of threat as not applicable to healthcare organizations, given that their core business is the delivery of patient care. In many cases that would be a mistake: patients regularly pay for healthcare services with a credit or debit card, organizations hold a massive amount of personal health information (PHI), the use of health information technology is increasing significantly (which creates additional privacy and security risk), and PHI is shared outside organizational boundaries with third parties to support the delivery of healthcare services. Healthcare organizations will need qualified risk management professionals to assist with managing the broad array of risks faced within the industry. The HCISPP certification is for individuals who want to understand how to assess risk and implement and maintain security and privacy controls specific to the healthcare industry while remaining compliant with the many laws and regulations that govern it. Individuals with certifications such as the HCISPP are more likely to be selected for job interviews based on the immediate recognition of an industry certification and the qualifications it conveys. Since the exam details are subject to change, per (ISC)2, we encourage candidates to obtain the most current HCISPP Candidate Information Bulletin available from (ISC)2 prior to beginning their exam preparation. Candidates may require a deeper understanding of some concepts discussed throughout this book depending on the nature of their current or future roles, educational background, and work experience in each of the specific HCISPP exam domains.
However, this book was written to provide a foundational level of knowledge and teach candidates only what is necessary to pass the HCISPP examination – nothing more, nothing less. Consider this the first step in a journey as a security and privacy practitioner in the healthcare industry. Since the healthcare industry, the technology that supports it, and the laws and regulations that govern it continuously change, we encourage HCISPP candidates and certificate holders to actively participate in the industry, stay abreast of changes, and commit to continuing education and gaining new experiences. The examination and this book focus on six key domains of knowledge:
Healthcare industry
Regulatory environment
Privacy and security in healthcare
Information governance and risk management
Information risk assessment
Third-party risk management
Individuals who may want to consider obtaining an HCISPP certification include, but are not limited to:
Information security analysts
Information security officers (CSO, CISO, ISO)
Privacy officers (CPO)
Compliance officers (CCO)
Records management personnel
Information technology managers
Security and privacy consultants
Risk management personnel
Internal and external auditors
Data protection officers
Health information managers
HCISPP Certification Requirements
Prior to taking the HCISPP examination, candidates must meet the following requirements:
Have a minimum of 2 years’ security, privacy, and compliance experience in one of the six knowledge domains. At least 1 year of experience is required in one of the following three domains:
Healthcare industry
Regulatory environment in healthcare
Privacy and security in healthcare
The second year of experience can be in the domains mentioned earlier or in one of the following three domains:
Information governance and risk management
Information risk assessment
Third-party risk management
Legal and information management experience may also be substituted for compliance and privacy experience, respectively.
Provide a truthful attestation of professional experience and legally agree to abide by the Code of Ethics; and
Provide yes or no responses to four questions pertaining to criminal history and background.
Exam Registration
The exam is computer-based (CBT) and proctored at an authorized location; paper-based exams are available on a case-by-case basis. The exam consists of 125 multiple choice questions with 4 potential choices each and must be completed in 3 hours. Candidates should ensure sufficient rest prior to the examination, and if traveling from outside the area, consider staying at a hotel close to the testing facility the night beforehand. Registration for the exam can be completed online through the (ISC)2 website or over the phone and requires payment of the exam fee, agreement to the Code of Ethics, and responses to criminal history and background questions.
Code of Ethics
The Code of Ethics includes a preamble and four canons focused on ethics. All professionals who receive an HCISPP certification must abide by the Code, recognize that their certification is a privilege (not a right), and understand that the certification is subject to revocation for members who intentionally or knowingly violate the Code.
Preamble
The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification.
Code of Ethics Canons
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.