Anyone else take the HCISPP?
Just signed up for ISC2 "official" training class for HCISPP. I've been in security engineering (firewalls, network security, VPN, IPS) for almost 20 years - with the last 12 in Healthcare IT. I've been a "security analyst" (IR, Security Policy, Endpoint EPP/EDR, Advanced malware protection, DLP) officially now for 2.5 years. I've been studying on/off again for almost 3 years for CISSP and just keep procrastinating. My employer (a midsized Healthcare system) offered to pay for the HCISPP out of end of year 2017 budget and I thought "why not?" I'm hoping to burn through it (class on 2/19) and use it as motivation for wrapping up CISSP.
Any thoughts on exam or advice on banging it out? I'm waiting on ISC2 book. I'm already reading through:
"Healthcare Information Security and Privacy" - Sean P. Murphy
Any online resources recommended?
Thanks,
-Calvin
Comments
I have the HCISPP. The book you have is sufficient. I did not like the ISC2 book. Here's the list of what I used to study. You want to really understand the process/tools used in the steps in the NIST Special Publications. There may be a strong focus on risk management, incident response, business continuity, understanding what a business associate is under HIPAA, the number of individuals affected before public breach notification, and other federal requirements for breach notification (Federal Trade Commission).
Study Guides
HCISPP Study Guide (dark blue book with orange letters)
Healthcare Information Security and Privacy (Murphy)
Frameworks
ISO Publication – 27002:2005 or 27002:2013 (understand risk assessment process)
HITRUST (understand what the framework is and what it covers)
NIST RMF 800-37
Federal Legislation/Standards
PIPEDA privacy principles (Canada)
Data Protection Directive (EU) privacy principles
EU-US Safe Harbor
HIPAA Security Rule
HIPAA Privacy Rule
Administrative simplification
Transactions and code sets
HIPAA Breach Notification Rule
Federal Trade Commission Breach Notification Rule
Organisation for Economic Co-operation and Development (OECD) Privacy Principles
Generally Accepted Privacy Principles
NIST Special Publications –
FIPS 140-2 Security Requirements for Cryptographic Modules
NISTIR 8053 – De-Identification of Personally Identifiable Information
800-30 rev 1 – Conducting Risk Assessments
800-34 – Contingency Planning
800-37 – Guide to applying the Risk Management Framework
800-39 – Managing Information Security Risk
800-53 – Security and Privacy Controls for Federal Information Systems and Organizations Rev 4
800-61 – Computer Security Incident Handling Guide (understand the Incident Response Process)
800-66 – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
800-86 – Guide to Integrating Forensics Techniques into Incident Response (understand Forensics Process and what happens in each step)
800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
I just ran through the online training. It simply runs through the book like a long study session. I only purchased the online training to get the book because there was no other way to get that book.
https://quizlet.com/ISC2Education/folders/hcispp/sets
https://www.isc2.org/Certifications/References
A CISSP is not required before taking the HCISPP exam. A different mindset is needed for the HCISPP. Think privacy compliance program versus security (privacy officer v. chief information security officer). Security is needed to support privacy, but there are different elements to consider, like disclosure, notification, access (patient access to their records), use, modification, third-party use/access. Super important: breach under HIPAA is unauthorized access/disclosure/use/acquisition of PHI (protected health information) in any form.
I took the CISSP (failed 699)/SSCP in April, HCISPP in July, then CISSP again (passed) in September 2015. I just took the CAP a few weeks ago. The SSCP (security operations) and CISSP were more technical, CISSP more advisory/risk mgmt than operations. The CAP and HCISPP were more process and risk mgmt. It is important to understand roles and responsibilities in the last two.