HIPAA certification HCISPP vs CSCS

Disgruntled3lf

So my boss pulled me into his office today and told me he wanted me to get the Certified Security and Compliance Specialist (CSCS) from EC-First here. The brochure reads well (go figure) but I'm not familiar with the cert or the company. I am familiar with ISC2 which offers the HCISPP here. My question is should I do what my boss suggests or try to sway him towards the HCISSP? Also has anyone any experience with EC-First or the CSCS? ( I searched TE and came up empty )

philz1982

Disgruntled3lf wrote: »

So my boss pulled me into his office today and told me he wanted me to get the Certified Security and Compliance Specialist (CSCS) from EC-First here. The brochure reads well (go figure) but I'm not familiar with the cert or the company. I am familiar with ISC2 which offers the HCISPP here. My question is should I do what my boss suggests or try to sway him towards the HCISSP? Also has anyone any experience with EC-First or the CSCS? ( I searched TE and came up empty )

So, here is my opinion. I build middleware for many verticals but HC is my main focus. The things I have seen in the HC environment are down right scary. Some of the EMR providers are straight up LAZY in their programming. I've seen EMR's that pass the login credentials in the URL in plain text.... So with that being said, forget the those certs. I would learn how to use BurpSuite, learn how to code/read HL7 feeds, and learn the different EMR, and ADT providers.

The best thing I ever did for security in HC was to get my hands on BurpSuite and Kali and start testing out the EMR/Middlewares that are running on client sites. That's my two cents.

Disgruntled3lf

That is good advice and I understand where you're coming from, I recently found a system that was storing credentials in plain text. In their defence it was in a database table that required authentication, but they put the SA username and password in their help doc and didn't provide a way to change it... But I think he's pretty set on someone getting a health information security cert in the very near future and it might as well be me. I'd just like to get something that has some value to it. Have you encountered either of those?

colemic

I would see if you could sway him, if only because ISC(2) has more recognition in the cert market, especially more than one that nobody's ever heard of... but that's just me.

Questions I would ask:

-Study on company time?
-Who pays for test?
-Raise, promotion, etc for passing?

Just some things to keep in mind...

Disgruntled3lf

Yeah. As long as my job gets done I can study whenever. He'll pay. Raise....lols....

JDMurray

Maybe your boss will do some Googling in researching differences between the CSCS and HCISPP and find this thread.

Disgruntled3lf

Stranger things have happened. But I'm going to try to get him to go for the HCISPP. We shall see.

philz1982

My parting words. I've worked on designing some of the world's most advanced hospitals and haven't ran into people with these certs.

I would think a San's cert around compliance or a college program on compliance and healthcare would be more practical and useful.

Just my two cents...

philz1982

Now ITL is a solid cert. What is your role/ title? What do you do for your company? Based on that answer I can better direct you.

datacomboss

I would do HCISPP or CHPS from AHIMA

datacomboss

philz1982 wrote: »

So, here is my opinion. I build middleware for many verticals but HC is my main focus. The things I have seen in the HC environment are down right scary. Some of the EMR providers are straight up LAZY in their programming. I've seen EMR's that pass the login credentials in the URL in plain text.... So with that being said, forget the those certs. I would learn how to use BurpSuite, learn how to code/read HL7 feeds, and learn the different EMR, and ADT providers.

The best thing I ever did for security in HC was to get my hands on BurpSuite and Kali and start testing out the EMR/Middlewares that are running on client sites. That's my two cents.

As a 18 year vet of HIT I will tell you that Philz hit the nail on the head with the lazy comment. Lazy software companies building enterprise software on bullsh data platforms like mumps, c-tree and pervasive. Even the ones that run native on Oracle or SQL force you to dumb down the OS to work properly. Lazy and cheap healthcare providers who balk at spending money for security and redundancy and complain when the lack of both causes downtime. Lazy and ignorant sales and IT people with no ethics or skills to solve the issues facing the industry such as BYOD, fixed content storage and HIPAA/MU/ICD10.

philz1982

Oh, come on now, the EPIC EMR is an amazing Gem of early 2000's security design.......

Disgruntled3lf

I'm the one man IT shop for a VAR. We do alot of imaging and records management. My role is to build and maintain all of our in house networks and systems (and a few clients), support all the software we sell, automate any part of the production process I can, write our policies, and keep the Boss's phone sync'd. Almost all of our clients are hospitals, Dr's Offices, Drug Rehab, etc or are somehow subject to HIPAA. He's got it in his head that someone needs a HIPAA technical cert. And I'm not surprised you've not encountered them before. The fact that I'd never heard of the CSCS is what brought me here and the HCISPP has only been out a year I think. I do appreciate your input and your resume is quite impressive. I'm certain you're correct and I will look into what you've said. However, the options I have are fairly limited.

datacomboss

philz1982 wrote: »

Oh, come on now, the EPIC EMR is an amazing Gem of early 2000's security design.......

Epic is taking over. Every stinking major healthcare system in DFW uses it. lol

philz1982

datacomboss wrote: »

Epic is taking over. Every stinking major healthcare system in DFW uses it. lol

EPIC and Cerner are the bain of my existence. A necessary evil of sorts. Between them and Rauland Responder V I'd just about shoot myself.. Rauland still runs their nursecall on a TAP interface so forget about doing any RESTful/API integrations... You literally have to use C to do your middleware....

Just saw your in Dallas! Crazy! I am moving to Milwaukee November 21st I live in Prosper Texas.

superdave90266

ECFirst is a new outfit. I believe these guys tried to push out a HIPAA Certification for healthcare organizations. No one is recognizing this... certainly not HHS. For individual certification, no one in the security space recognizes ECFirst. No one!!

ECFirst does not have any clout. Go with ISC2, SANS, CompTIA, Cisco Academy, ISACA, BSI ISO 27001 Auditor Certification, or Offensive Security. ECFirst == junk!!

btw, the BigFive Healthcare Groups are pushing out their own initiative, HITRUST, similar to what the BigFive Merchant Banks did with PCI - "for you to play with us, you have to get certified with _______." HITRUST is not recognized by HHS.

beads

No one heard of these certs because they are so new. ISC(2) reports more than 15,000 cert holders last I saw and that was recent. Awarded my HCISPP all the way back in January of 2014 and took the exam in November of 2013.

Why take such a cert? Because I was and still am working in Healthcare. As a bonus, it appears that I was the second person to take the exam (1002) early that first week of release. Did talk to the gent who beat me by a few hours that day with exam 1001. Not that it matters but it is interesting to break such new ground.

Was it worth it? No, no one recognizes the certificate or at least understands it but again, it is an interesting conversation piece like a nice piece of table art. You remark on it and move on. Good news is the exam is not nearly as difficult as the CISSP or other more notoriously difficult exams.

EC-Council is outright out to make a buck and having completed a couple of those as well I would wisely suggest going for the known quantity in the ISC(2) back exam hands down. Now, convincing your boss should be based on future payback not the number of letters in the acronym. The CISSP is the 900 pound gorilla in the room where EC-Council... well, not so much. Go with the big dogs in the certification field and you won't be fire for buying IBM as the old saw goes.

HCISPP - no doubt.

- b/eads

soccarplayer29

beads wrote: »

EC-Council is outright out to make a buck and having completed a couple of those as well I would wisely suggest going for the known quantity in the ISC(2) back exam hands down. Now, convincing your boss should be based on future payback not the number of letters in the acronym. The CISSP is the 900 pound gorilla in the room where EC-Council... well, not so much. Go with the big dogs in the certification field and you won't be fire for buying IBM as the old saw goes.

So the OP was referring to CSCS from ECFirst and not EC-Council...which I of course had never heard of either and thought it was some obscure offering from ECC.

It appears the Certified Security Compliance Specialist (CSCS) is provided by ECFirst and HIPAA Academy (https://hipaaacademy.net/cscs/) and that the focus is actually on multiple compliance frameworks (ISO, PCI, FISMA, HIPAA). If it was recognized and provided by an organization like ISC2 I could see an overarching compliance catch-all certification as an introduction/stepping stone to more in-depth specific compliance certifications (e.g., ISO 27001, PCI QSA, ISC2 CAP, HITRUST CCSFP, etc.)

cledford3

I've been in HIT (Healthcare IT) for almost 15 years now - working all of that time as permanent party employee for Covered Entities (hospitals and HC systems) - all of it in technical IT security roles. I just took the ISC2 official HCISPP training last week (live classroom) and was pleasantly surprised!

The positive - I gained a fair amount of information I was missing on the privacy side - and the security portion was an *outstanding* review for the CISSP. (I've been studying on-again/off-again for the CISSP for over two years and also attended the ISC2 CISSP boot-camp that was abysmally bad...) I'll go as far to say that while the CISSP stuff wasn't new (or comprehensive) by any stretch, it was more concise and cleared up a couple of things up I've never seen clear anywhere else - and I've purchased *every* book out there. I'm very glad my employer sent me to the class, even having gone in with very low expectations based on my poor experience with the ISC CISSP class.

The negative, as with the CISSP class, the HCISPP courseware was embarrassingly bad for ISC2. I honestly can't see how a cert (CISSP or HCISPP for that matter) which is held is such high regard could even be considered serious given how bad the party that provides the cert does training. Seriously, it is inexcusable. For the HCISSP class the student guide has not been updated since 2014. I'm not talking about content - I mean *anything*. Some of it is not too bad a read, but a large part of it is simply horrible! Numerous typos, inexcusable grammatical errors, some passages so convolutedly written it is near impossible to decipher what is being stated, redundant information with zero context (so you think you're going over something new only to find out you are relearning the exact same thing you did in previous chapter), poor slides, acronyms not written out (leading to searching for what they mean instead of paying attention in class), some writing that is so bad that it is shameful that someone purporting to be a professional in any field could have ever written it (seriously, I think 5th graders could have written more professional passages in some places), and (frankly) too much content for 3 days - it is a hot mess. As with the ISC2 CISSP class, some of the slides were so bad, the instructors were left to have to create their own just to convey fairly straight forward topics that the "offical" content had hopelessly twisted into knots. Don't even get me started on the CBK - again, as with the CISSP, one has to ask how the organization offering such a premium cert could have in good conscious ever put something out with their name on it like these books.

However, their (ISC2) main HCISPP instructor, Marco, is excellent. He is former healthcare clinical staff, HC administrative leadership, and does consulting with the FBI on HC related security cases. His input made for a really interesting class and he really gets it - from multiple angles.

I'm studying for the HCISSP right now and overall glad I was offered the opportunity to take the class and the exam. I think it strongly contributes to me professionally (again filling out the privacy and compliance gaps), and was also an outstanding review of several CISSP topics - renewing my pursuit of that cert.

I think the HCISPP being a ISC2 cert holds *much* regard due to the requirements for continued education, the code of ethics, and the endorsement process. These things set all ISC2 certs apart in my view. It's too bad that their training (especially the content) is just so bad, IMHO it tarnishes an otherwise outstanding certification organization.

Hope this helps.