HIPAA certification HCISPP vs CSCS

So my boss pulled me into his office today and told me he wanted me to get the Certified Security and Compliance Specialist (CSCS) from EC-First here. The brochure reads well (go figure), but I'm not familiar with the cert or the company. I am familiar with ISC2, which offers the HCISPP here. My question is: should I do what my boss suggests or try to sway him towards the HCISPP? Also, has anyone any experience with EC-First or the CSCS? (I searched TE and came up empty.)
Comments
So, here is my opinion. I build middleware for many verticals, but HC is my main focus. The things I have seen in the HC environment are downright scary. Some of the EMR providers are straight up LAZY in their programming. I've seen EMRs that pass the login credentials in the URL in plain text.... So with that being said, forget those certs. I would learn how to use BurpSuite, learn how to code/read HL7 feeds, and learn the different EMR and ADT providers.
The best thing I ever did for security in HC was to get my hands on BurpSuite and Kali and start testing out the EMR/Middlewares that are running on client sites. That's my two cents.
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
Questions I would ask:
- Study on company time?
- Who pays for the test?
- Raise, promotion, etc. for passing?
Just some things to keep in mind...
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
I would think a SANS cert around compliance or a college program on compliance and healthcare would be more practical and useful.
Just my two cents...
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
Epic is taking over. Every stinking major healthcare system in DFW uses it. lol
EPIC and Cerner are the bane of my existence. A necessary evil of sorts. Between them and Rauland Responder V I'd just about shoot myself.. Rauland still runs their nurse call on a TAP interface, so forget about doing any RESTful/API integrations... You literally have to use C to do your middleware....
Just saw you're in Dallas! Crazy! I am moving to Milwaukee November 21st; I live in Prosper, Texas.
Connect with me on LinkedIn @ https://www.linkedin.com/in/phillipzito
ECFirst does not have any clout. Go with ISC2, SANS, CompTIA, Cisco Academy, ISACA, BSI ISO 27001 Auditor Certification, or Offensive Security. ECFirst == junk!!
btw, the BigFive Healthcare Groups are pushing out their own initiative, HITRUST, similar to what the BigFive Merchant Banks did with PCI - "for you to play with us, you have to get certified with _______." HITRUST is not recognized by HHS.
Why take such a cert? Because I was and still am working in Healthcare. As a bonus, it appears that I was the second person to take the exam (1002) early that first week of release. Did talk to the gent who beat me by a few hours that day with exam 1001. Not that it matters but it is interesting to break such new ground.
Was it worth it? No, no one recognizes the certificate or at least understands it but again, it is an interesting conversation piece like a nice piece of table art. You remark on it and move on. Good news is the exam is not nearly as difficult as the CISSP or other more notoriously difficult exams.
EC-Council is outright out to make a buck, and having completed a couple of those as well, I would wisely suggest going for the known quantity in the ISC(2) back exam, hands down. Now, convincing your boss should be based on future payback, not the number of letters in the acronym. The CISSP is the 900 pound gorilla in the room, where EC-Council... well, not so much. Go with the big dogs in the certification field and you won't be fired for buying IBM, as the old saw goes.
HCISPP - no doubt.
- b/eads
So the OP was referring to CSCS from ECFirst and not EC-Council...which I of course had never heard of either and thought it was some obscure offering from ECC.
It appears the Certified Security Compliance Specialist (CSCS) is provided by ECFirst and HIPAA Academy (https://hipaaacademy.net/cscs/) and that the focus is actually on multiple compliance frameworks (ISO, PCI, FISMA, HIPAA). If it was recognized and provided by an organization like ISC2 I could see an overarching compliance catch-all certification as an introduction/stepping stone to more in-depth specific compliance certifications (e.g., ISO 27001, PCI QSA, ISC2 CAP, HITRUST CCSFP, etc.)
The positive - I gained a fair amount of information I was missing on the privacy side - and the security portion was an *outstanding* review for the CISSP. (I've been studying on-again/off-again for the CISSP for over two years and also attended the ISC2 CISSP boot-camp that was abysmally bad...) I'll go as far as to say that while the CISSP stuff wasn't new (or comprehensive) by any stretch, it was more concise and cleared up a couple of things I've never seen cleared up anywhere else - and I've purchased *every* book out there. I'm very glad my employer sent me to the class, even having gone in with very low expectations based on my poor experience with the ISC CISSP class.
The negative: as with the CISSP class, the HCISPP courseware was embarrassingly bad for ISC2. I honestly can't see how a cert (CISSP or HCISPP for that matter) which is held in such high regard could even be considered serious given how bad the party that provides the cert does training. Seriously, it is inexcusable. For the HCISPP class the student guide has not been updated since 2014. I'm not talking about content - I mean *anything*. Some of it is not too bad a read, but a large part of it is simply horrible! Numerous typos, inexcusable grammatical errors, some passages so convolutedly written it is near impossible to decipher what is being stated, redundant information with zero context (so you think you're going over something new only to find out you are relearning the exact same thing you did in the previous chapter), poor slides, acronyms not written out (leading to searching for what they mean instead of paying attention in class), some writing that is so bad that it is shameful that someone purporting to be a professional in any field could have ever written it (seriously, I think 5th graders could have written more professional passages in some places), and (frankly) too much content for 3 days - it is a hot mess. As with the ISC2 CISSP class, some of the slides were so bad, the instructors were left to have to create their own just to convey fairly straightforward topics that the "official" content had hopelessly twisted into knots. Don't even get me started on the CBK - again, as with the CISSP, one has to ask how the organization offering such a premium cert could have in good conscience ever put something out with their name on it like these books.
However, their (ISC2) main HCISPP instructor, Marco, is excellent. He is former healthcare clinical staff, HC administrative leadership, and does consulting with the FBI on HC related security cases. His input made for a really interesting class and he really gets it - from multiple angles.
I'm studying for the HCISPP right now and overall glad I was offered the opportunity to take the class and the exam. I think it strongly contributes to me professionally (again filling out the privacy and compliance gaps), and was also an outstanding review of several CISSP topics - renewing my pursuit of that cert.
I think the HCISPP, being an ISC2 cert, holds *much* regard due to the requirements for continued education, the code of ethics, and the endorsement process. These things set all ISC2 certs apart in my view. It's too bad that their training (especially the content) is just so bad; IMHO it tarnishes an otherwise outstanding certification organization.
Hope this helps.