Anyone else take the HCISPP?
Just signed up for ISC2 "official" training class for HCISPP. I've been in security engineering (firewalls, network security, VPN, IPS) for almost 20 years - with the last 12 in Healthcare IT. I've been a "security analyst" (IR, Security Policy, Endpoint EPP/EDR, Advanced malware protection, DLP) officially now for 2.5 years. I've been studying on/off again for almost 3 years for CISSP and just keep procrastinating. My employer (a midsized Healthcare system) offered to pay for the HCISPP out of end of year 2017 budget and I thought "why not?" I'm hoping to burn through it (class on 2/19) and use it as motivation for wrapping up CISSP.
Any thoughts on exam or advice on banging it out? I'm waiting on ISC2 book. I'm already reading through:
"Healthcare Information Security and Privacy" - Sean P. Murphy
Any online resources recommended?
Thanks,
-Calvin
Comments
talbert80 (Member, Posts: 29):
Hi Calvin,
I have the HCISPP. The book you have is sufficient. I did not like the ISC2 book. Here's the list of what I used to study. You want to really understand the process/tools used in the steps in the NIST Special Publications. There may be a strong focus on risk management, incident response, business continuity, understanding what a business associate is under HIPAA, the number of individuals affected before public breach notification, and other federal requirements for breach notification (Federal Trade Commission).
Study Guides
HCISPP Study Guide (dark blue book with orange letters)
Healthcare Information Security and Privacy (Murphy)
Frameworks
ISO Publication – 27002:2005 or 27002:2013 (understand risk assessment process)
HITRUST (understand what the framework is and what it covers)
NIST RMF 800-37
Federal Legislation/Standards
PIPEDA privacy principles (Canada)
Data protection Directive (EU) privacy principles
EU-US Safe Harbor
HIPAA Security Rule
HIPAA Privacy Rule
Administrative simplification
Transactions and code sets
HIPAA Breach Notification Rule
Federal Trade Commission Breach Notification Rule
Organisation for Economic Co-operation and Development (OECD) Privacy Principles
Generally Accepted Privacy Principles
NIST Special Publications –
FIPS 140-2 Security Requirements for Cryptographic Modules
NISTIR 8053 – De-Identification of Personally Identifiable Information
800-30 rev 1 – Conducting Risk Assessments
800-34 – Contingency Planning
800-37 – Guide to applying the Risk Management Framework
800-39 – Managing Information Security Risk
800-53 – Security and Privacy Controls for Federal Information Systems and Organizations Rev 4
800-61 – Computer Security Incident Handling Guide (understand the Incident Response Process)
800-66 – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
800-86 – Guide to Integrating Forensics Techniques into Incident Response (understand Forensics Process and what happens in each step)
800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

K-9 (Member, Posts: 82):
I am scheduled to take the HCISPP in a few months. Thank you cledford3 for posting this question and thank you talbert80 for such a specific answer!
I just ran through the online training. It simply runs through the book like a long study session. I only purchased the online training to get the book because there was no other way to get that book.

talbert80 (Member, Posts: 29):
No problem. Good luck to you. Strong focus on risk management, process, understanding HIPAA Privacy/Security/Breach Notification Rules. Another resource would be ISC2 Education Official Quizlet flashcards. ISC2 posts suggested resources for preparing for the exam.
https://quizlet.com/ISC2Education/folders/hcispp/sets
https://www.isc2.org/Certifications/References

Aharrell (Member, Posts: 18):
Thank you for the information Talbert80. Should the CISSP be done before going for the HCISPP?
M.Sc, CDPSE, CGEIT, CISA, CISM, CISSP, CISSP-ISSMP, CRISC, CySA+, HCISPP, ITIL, PenTest+, PMP, Project+, Sec+
K-9 (Member, Posts: 82):
The HCISPP (lots of privacy topics) is so very different than the CISSP, you don't need to take the CISSP first.
talbert80 (Member, Posts: 29):
Another long-winded answer... K-9 is correct, the HCISPP is heavy privacy, risk management, and regulatory compliance. You may need to identify process and technical tools in the NIST SPs. Some security is covered.
A CISSP is not required before taking the HCISPP exam. A different mindset is needed for the HCISPP. Think privacy compliance program versus security (privacy officer v. chief information security officer). Security is needed to support privacy, but there are different elements to consider, like disclosure, notification, access (patient access to their records), use, modification, third-party use/access. Super important: breach under HIPAA is unauthorized access/disclosure/use/acquisition of PHI (protected health information) in any form.
I took the CISSP (failed 699)/SSCP in April, HCISPP in July, then CISSP again (passed) in September 2015. I just took the CAP a few weeks ago. The SSCP (security operations) and CISSP were more technical, CISSP more advisory/risk mgmt than operations. The CAP and HCISPP were more process and risk mgmt. It is important to understand roles and responsibilities in the last two.

K-9 (Member, Posts: 82):
Excellent answer, talbert80. I wanted to take the HCISPP (and later CIPP) exam because I constantly have to answer privacy officer questions and fill out forms. I have a pretty good idea of the privacy side, but I wanted to know more so I can more efficiently help the privacy team.
Aharrell (Member, Posts: 18):
Thanks K-9 and talbert80 (again)! I work in Healthcare IT at the moment, and have debated which to pursue first for the last couple of weeks. Right now, it looks like I will go for the HCISPP, and then the CISSP.
M.Sc, CDPSE, CGEIT, CISA, CISM, CISSP, CISSP-ISSMP, CRISC, CySA+, HCISPP, ITIL, PenTest+, PMP, Project+, Sec+

K-9 (Member, Posts: 82):
The CISSP is FAR FAR more valuable than the HCISPP even if you are in HIT. If you have the experience to get the CISSP, I would suggest going after that one first. Few certifications are as valuable as the CISSP at this time.