Anyone else take the HCISPP?

cledford3 Member Posts: 66
Just signed up for ISC2 "official" training class for HCISPP. I've been in security engineering (firewalls, network security, VPN, IPS) for almost 20 years - with the last 12 in Healthcare IT. I've been a "security analyst" (IR, Security Policy, Endpoint EPP/EDR, Advanced malware protection, DLP) officially now for 2.5 years. I've been studying on/off again for almost 3 years for CISSP and just keep procrastinating. My employer (a midsized Healthcare system) offered to pay for the HCISPP out of end of year 2017 budget and I thought "why not?" I'm hoping to burn through it (class on 2/19) and use it as motivation for wrapping up CISSP.

Any thoughts on exam or advice on banging it out? I'm waiting on ISC2 book. I'm already reading through:

"Healthcare Information Security and Privacy" - Sean P. Murphy

Any online resources recommended?

  • talbert80 Member Posts: 29
    Hi Calvin,

    I have the HCISPP. The book you have is sufficient. I did not like the ISC2 book. Here's the list of what I used to study. You want to really understand the process/tools used in the steps in the NIST Special Publications. There may be a strong focus on risk management, incident response, business continuity, understanding what a business associate is under HIPAA, the number of individuals affected before public breach notification, and other federal requirements for breach notification (Federal Trade Commission).

    Study Guides
    - HCISPP Study Guide (dark blue book with orange letters)
    - Healthcare Information Security and Privacy (Murphy)

    - ISO Publication – 27002:2005 or 27002:2013 (understand risk assessment process)
    - HITRUST (understand what the framework is and what it covers)
    - NIST RMF 800-37

    Federal Legislation/Standards
    - PIPEDA privacy principles (Canada)
    - Data Protection Directive (EU) privacy principles
    - EU-US Safe Harbor
    - HIPAA Security Rule
    - HIPAA Privacy Rule
    - Administrative simplification
    - Transactions and code sets
    - HIPAA Breach Notification Rule
    - Federal Trade Commission Breach Notification Rule
    - Organisation for Economic Co-operation and Development (OECD) Privacy Principles
    - Generally Accepted Privacy Principles

    NIST Special Publications
    - FIPS 140-2 Security Requirements for Cryptographic Modules
    - NISTIR 8053 – De-Identification of Personally Identifiable Information
    - 800-30 rev 1 – Conducting Risk Assessments
    - 800-34 – Contingency Planning
    - 800-37 – Guide to applying the Risk Management Framework
    - 800-39 – Managing Information Security Risk
    - 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations Rev 4
    - 800-61 – Computer Security Incident Handling Guide (understand the Incident Response Process)
    - 800-66 – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
    - 800-86 – Guide to Integrating Forensics Techniques into Incident Response (understand Forensics Process and what happens in each step)
    - 800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
  • K-9 Member Posts: 82
    I am scheduled to take the HCISPP in a few months. Thank you cledford3 for posting this question and thank you talbert80 for such a specific answer!

    I just ran through the online training. It simply runs through the book like a long study session. I only purchased the online training to get the book because there was no other way to get that book.
  • talbert80 Member Posts: 29
    No problem. Good luck to you. Strong focus on risk management, process, understanding HIPAA Privacy/Security/Breach Notification Rules. Another resource would be ISC2 Education Official Quizlet flashcards. ISC2 posts suggested resources for preparing for the exam.
  • Aharrell Member Posts: 18
    Thank you for the information Talbert80. Should the CISSP be done before going for the HCISPP?

  • K-9 Member Posts: 82
    The HCISPP (lots of privacy topics) is so very different than the CISSP, you don't need to take the CISSP first.
  • talbert80 Member Posts: 29
    Another long-winded answer... K-9 is correct, the HCISPP is heavy privacy, risk management, and regulatory compliance. You may need to identify process and technical tools in the NIST SPs. Some security is covered.

    A CISSP is not required before taking the HCISPP exam. A different mindset is needed for the HCISPP. Think privacy compliance program versus security (privacy officer v. chief information security officer). Security is needed to support privacy, but there are different elements to consider, like disclosure, notification, access (patient access to their records), use, modification, third-party use/access. Super important: breach under HIPAA is unauthorized access/disclosure/use/acquisition of PHI (protected health information) in any form.

    I took the CISSP (failed 699)/SSCP in April, HCISPP in July, then CISSP again (passed) in September 2015. I just took the CAP a few weeks ago. The SSCP (security operations) and CISSP were more technical, CISSP more advisory/risk mgmt than operations. The CAP and HCISPP were more process and risk mgmt. It is important to understand roles and responsibilities in the last two.
  • K-9 Member Posts: 82
    Excellent answer, talbert80. I wanted to take the HCISPP (and later CIPP) exam because I constantly have to answer privacy officer questions and fill out forms. I have a pretty good idea of the privacy side, but I wanted to know more so I can more efficiently help the privacy team.
  • Aharrell Member Posts: 18
    Thanks K-9 and talbert80 (again)! I work in Healthcare IT at the moment, and have debated which to pursue first for the last couple of weeks. Right now, it looks like I will go for the HCISPP, and then the CISSP.

  • K-9 Member Posts: 82
    The CISSP is FAR FAR more valuable than the HCISPP even if you are in HIT. If you have the experience to get the CISSP, I would suggest going after that one first. Few certifications are as valuable as the CISSP at this time.