Passed HCISPP exam yesterday, my first ISC2 experience – strongly recommend the cert…

cledford3 Member Posts: 66
I’ve been a member of the forum for a couple of years now and have been on again, off again studying for the CISSP during that time. I’ve been working in IT security for almost 20 years now, across several sectors (commercial, Federal, Service Provider, and Healthcare), multiple security domains, and have 18 other (mostly technical) certifications under my belt. My present title is Senior IS Security Analyst. As to why I haven’t taken the CISSP yet? I tend to over-prepare for things, and I also feel that (generally speaking), after a certain point in one’s career, motivation for certification is usually inverse to one’s job satisfaction – and I’ve been blessed over the last 7 years to be very happy with my employer and job. Having said that, (aside from my employer asking that I take it) pursuing the HCISPP was intended to be a jump-start to my stalled CISSP studies and I now hope to take that exam by the end of summer.

This is sort of a roll up of info related to HCISPP study materials as there isn’t much out there.

To cut to the chase on the cert – I highly recommend the credential for any security practitioner in the Healthcare vertical. I also believe the bridge the cert builds between the parallel yet distinct disciplines of privacy and security is valuable enough for *any* security practitioner to consider taking the exam. Frankly, despite the “HC” in the title, most of the study content was general privacy related, along with a lot of CISSP security (basic security concepts, BCP/DR) and risk analysis. There is no denying that HC in the US has a greater emphasis on privacy and 3rd party business associates than any other business vertical, but both matters are present in pretty much all others as well, making this cert useful beyond what it might seem.

I can say the perspective I gained from studying was transformational – and I think that is significant given my time in both IT security & HC. The bottom line is that, from a Healthcare perspective, privacy is what we do, and security is how we do it. A simple statement, but one that speaks volumes and can really change how one views what they do from a purely IT Security perspective. The business insight is invaluable.

The resources I used to study were:

ISC2 Official live classroom Training – 2/10 – In my opinion, throw the student guide away, buy one of the books below (better buy both books below) and read them the 3 days you are off work for the class (more about this below) – Frankly, I would not even consider taking the online version of this class

ISC2 Official Guide to the HCISPP CBK – Steven Hernandez – 8.5/10 (much, much better than the ISC2 CISSP CBK) Wish I could give this a 9 – but it did have some issues…

Healthcare Information Security & Privacy – Sean Murphy – 7.5/10 – solid on the HC & Privacy stuff, but very lacking (In my opinion) on the security side

NIST Special Publications mainly: 800-37, 800-39, 800-30, 800-66, & FIPS 199 & 200 – 10/10

OECD Privacy Framework 11/10

My comments are on the study materials *only*. Starting from the bottom, in reverse order:

OECD Privacy Framework – 11/10 – While a number of privacy frameworks and laws/regulations are covered in the study material, this is the granddaddy of them all. I would begin studying by FIRST memorizing each of the 8 principles, and then be able to articulate (at a basic level) exactly what each is. This will make studying ALL of the other privacy content 1000% more meaningful. I *strongly* recommend looking it up on the web and going directly to the source. It is in all three of the guides I mentioned, but it is cleaner to first learn it from the source; then build on that knowledge by reading the other books.

The NIST docs cited – 10 out of 10 – Memorizing the steps (and functions) of the first three (800-39, 800-37, 800-30) is crucial to unlocking the HCISPP security related (Risk Assessment) study material – and again, is not really that much considering the gain from knowing the material straight from the source before expounding on it by reading the books. Pretty much everything in the study material (from a security perspective) is based on the NIST docs – so why not go to the original source? No matter what book you choose, I do not feel these docs are optional. They are free to download and there is no excuse for not reading them.

Healthcare Information Security & Privacy – Sean Murphy – 7.5/10 – This was a solid book and is frequently recommended as a study guide for the HCISPP. I give it 7.5 out of 10 as it goes into the HC and privacy related content well – but, in my opinion, really stumbles on the security content. Also, chapter 6 was contributed by someone else (Rob Davis) and I thought it was poorly written and way too short. I frankly do not feel this book is sufficient alone to master the HCISPP CBK (others may feel differently) but augmenting with the CBK book really rounds it out.

ISC2 Official Guide to the HCISPP CBK – Steven Hernandez – 8.5/10 – This one really surprised me! I had quite low expectations based on my opinion of the comparable CISSP book – but this resource was outstanding. I had such a bad opinion of the CISSP volume I would not have even bought this for myself, but my employer purchased it for me and when I sat down and read it I was blown away. I will note that some of the Amazon reviews were not great, but I felt it was clearly the best book of the three. It really shined on the security related content, and had the best comparison (by far) of the three of the major privacy frameworks and regulations. I actually thought the security content in the book was so good that it exceeded many CISSP books on the same topics – and I own them all. (AIO 6th, both Conrad books, the Sybex 7th Ed. and a couple of others…) I wish I could give this a 9 – but it did have some issues. I really can’t tolerate poor grammar, editing, and formatting in professional books. Unfortunately, while most of the book was excellent, there were several items that jumped out as poor editing. On the whole it was a very good (and an enjoyable) read – but the handful of issues were just too noticeable to be acceptable, so .5 deducted. Further, the review questions are the heart of any study guide, and several were poorly written and formatted. One example was a True/False question that also had four ABCD answers? Also, the chapters were pretty long – a single chapter per domain – 6 total. The length of the chapters is not a big issue for me (it is for some – I actually like them) but when considering only between 7-10 practice questions per chapter, this is sort of a rip off from a review perspective – especially since a number of the questions were simply too simple.
I’m sure this seems like a nit-pick, but there were issues with a couple of other questions as well, and given that there were only a handful per chapter (I believe 7 on average) there really isn’t any excuse for sloppiness – another .5 deduction.

Without these issues the book would have scored a 9. The other point docked because, while it had the best breakdown of the major privacy frameworks and regulations (from an organization perspective), on the whole I thought it was light overall on the privacy content – especially related to HIPAA. It was sort of almost the reverse of the Murphy book, which was too light (in my opinion) on the security content. I feel this book could be a single study resource, but just barely. I recommend reading both books to completely cover the CBK. Again, in my opinion, the NIST docs are required to augment this book and reading them is assumed.

The Official ISC2 HCISPP Training class (Instructor led, live classroom) – 2/10 – I stretch to give this score, and it is only due to the time off from work to focus on the content, along with the outstanding instructor (Marco Polizzi), that I even offer a 2. If I had to pay for this training myself I simply would not take it. I can’t really say anything good about the training content or the student guide. The only thing the training was good for was getting out of the office to jumpstart studying, networking with other HC security professionals, and talking about CISSP prep on breaks. As with the ISC2 CISSP class (I took the ISC2 “training camp” bootcamp in 2016 – it was abysmally bad), the HCISPP courseware (in my opinion) was embarrassing for ISC2. I often wonder how a cert (CISSP or HCISPP for that matter) which is held in such high regard could be considered so, given how bad the party that provides the cert does training. Seriously, it is inexcusable. As with the ISC2 CISSP class, some of the slides were so bad the instructors were left having to create their own just to convey fairly straightforward topics that the "official" content had hopelessly twisted into knots. Finally, it is too much content for 3 days – in short it is a hot mess. I cannot imagine taking this online. I feel the content has no value that can’t be gained by self-study if one is not inclined to take the in-class training. I only recommend taking the training IN CLASSROOM, and only if you are paid to do so, to permit uninterrupted focus on the material away from work and to enjoy the networking opportunities.

For the HCISPP Training Student Guide specifically, it has not been updated since 2014. (I took the class in February 2018.) I'm not talking about content – I mean *anything*. A small part of it is not too bad a read, but large portions of it are simply horrible in my opinion! Numerous typos, inexcusable grammatical errors, some passages so convolutedly written it is near impossible to decipher what is being stated, redundant information with zero context (so you think you're going over something new only to find out you are relearning the exact same thing you did in previous chapters), poor accompanying slides in the lecture, acronyms not written out (leading to googling for what they mean instead of paying attention in class), some writing that is so bad that it is shameful (in my opinion) that someone purporting to be a professional in any field could have written it, NO INDEX (!), what appears to be copy-and-paste from external web sites – I feel this book actually harmed my prep rather than helped it. I also found a lot of content in the Training guide NOT in the other books. I give it a zero out of 10. There is nothing (in my opinion) that can’t be gained from the other resources in a much less painful, unpleasant manner.

A quick note on the main ISC2 HCISPP instructor, Marco: he is excellent. He is former healthcare clinical staff, HC administrative leadership, and does consulting with the FBI on HC related security cases. His input made for a super interesting class from an anecdotal perspective and he really gets it – from multiple angles. I give Marco 10/10 – but no instructor, no matter how good, can fix horrible content.

On the whole, I can’t recommend the HCISPP enough. I really think it added a dimension to my view on security & privacy I simply did not have prior, nor realized I was even lacking. I also think it was generally time well spent for someone who aspires to take the CISSP. There was a lot of foundational security content, especially related to BCP, DR and RA in the study guides that I would think would help anyone intending to take the CISSP later.

Hope this helps.


  • RussInGotham Member Posts: 15
    Congrats! And this review is stellar. Bookmarked.
  • ecuison Member Posts: 131
    Congrats and thanks for the info! Planning on taking this cert with my brother and will def reference your notes here.
    Accomplishments: B.S. - Business (Information Management) | CISSP | CCSP | TOGAF v9.2 Certified | Security + | Network +
  • COBOL_DOS_ERA Member Posts: 205
    Congrats!!! and thanks for such a detailed review of the exam. This review will help many HCISPP aspirants in their preparations for the exam.
  • ThePawofRizzo Member Posts: 389
  • talbert80 Member Posts: 29
    Congrats! I took a similar road. I have the HCISPP, CISSP, CISM, CAP, and SSCP designations. I took the CISSP under the 2012 objectives in April 2015. I failed with a 699. I flipped one question upon review. I was not passing the weekend without taking something. I flipped through the SSCP study guide (Darril Gibson), reviewed key NIST docs, and Sec+/Net+ study material.

    I studied for the HCISPP in July 2015 for 2 weeks, using the NIST docs, Privacy Frameworks, ISO risk management framework, and the Sean Murphy guide. I was working as a Security lead at a health insurance company. I was not able to take advantage of the training like my colleagues who were full-time employees (I was a contractor).

    I created my own study guide from the exam outline and books. After the HCISPP, I took the CISSP in September 2015, then CAP in January 2018. You will find similar language on the exams but from a different perspective. I am a privacy and security consultant with a local government implementing their HIPAA compliance program; and teach IT/Health Information Management at a university.


    ISO Publication – 27002:2005 or 27002:2013 (understand risk assessment process)

    HITRUST (understand what the framework is and what it covers)

    NIST Risk Management Framework (SP 800-37) – What are the steps

    2010, Rev 1:

    • Categorize information system (FIPS 199)
      • Determine information type
      • Determine impact to Confidentiality, Integrity, Availability (if any is medium/high, the whole system is medium/high)
    • Select security controls (800-53 rev 4 – impact levels H, M, L)
    • Implement security controls 
    • Assess security controls (800-30)
    • Authorize information system
    • Monitor security controls (800-137)

    2018, Rev 2

    • Prepare
    • Categorize
    • Select
    • Implement
    • Assess
    • Authorize
    • Monitor

    International Legislation

    PIPEDA privacy principles (Canada)

    Data protection Directive (EU) privacy principles

    EU-US Safe Harbor

    General Data Protection Regulation (GDPR) (new for 2019)

    Federal Legislation/Standards
    HIPAA Security Rule

    HIPAA Privacy Rule

    HIPAA Breach Notification Rule

    HIPAA Enforcement Rule

    HIPAA Transactions and Code Sets

    HIPAA National Provider Identification

    HIPAA Employer Identifier Standard

    HIPAA De-Identification Framework

    Federal Trade Commission Breach Notification Rule

    Organisation for Economic Co-operation and Development (OECD) Privacy Principles

    Generally Accepted Privacy Principles


    • Vendor vs business associate
      • BA: health care provider, health plan, healthcare clearinghouse
    • TPO (treatment, payment, healthcare operations)
    • Incident vs breach vs. event
    • System logging and monitoring
    • Confidentiality, integrity, and availability
    • PII vs PHI
    • Sensitive (Super) PHI
    • De-identification
    • Encryption
    • Access control
    • Incident response
    • Business continuity plan vs. disaster recovery plan
    • Business impact analysis
    • Medical record vs personal health record
    • Information privacy vs. security

    NIST Special Publications – Understand key processes and steps

    FIPS 140-2 Security Requirements for Cryptographic Modules

    FIPS 199

    FIPS 200

    NISTIR 8053 – De-Identification of Personally Identifiable Information

    800-30 – Conducting Information Security Risk Assessments

    800-34 – Contingency Planning

    800-37 – Guide to applying the Risk Management Framework

    800-39 – Managing Information Security Risk

    800-53 – Security and Privacy Controls for Federal Information Systems and Organizations Rev 4

    800-61 – Computer Security Incident Handling Guide (understand the Incident Response Process)

    800-66 – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

    800-86 – Guide to Integrating Forensics Techniques into Incident Response (understand Forensics Process and what happens in each step)

    800-122 – Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

    800-171 – Guide to Protecting Controlled Unclassified Information

  • K-9 Member Posts: 82
    I just passed the HCISPP last weekend. I concur with cledford3's list.

    I had Cisco training classes that were perfect for taking the cert exam, but the HCISPP class and book were really not worth the money.

  • COBOL_DOS_ERA Member Posts: 205
    congrats on the pass!!! :)
  • K-9 Member Posts: 82
    I used the class book and the Murphy book, but my experience at the job was what really mattered. Maybe I was lucky, but I wouldn't have done any better or worse if I had not taken the class or read the Murphy book.
  • VipreArmed Registered Users Posts: 10
    K-9 said:
    I used the class book and the Murphy book, but my experience at the job was what really mattered. Maybe I was lucky, but I wouldn't have done any better or worse if I had not taken the class or read the Murphy book.
    How long did you study if you don't mind me asking?
  • K-9 Member Posts: 82
    Honestly? I took the class and read the book last year. I had forgotten that I scheduled the test so far in advance so I really didn't study. I assumed I would walk in, take it, fail, and decide if I should retake it. Everything (almost) on the test was stuff I have used or learned on the job, so it really wasn't so difficult for me. I wish I had a better answer for you.
  • VipreArmed Registered Users Posts: 10
    Actually your answer works for me. I feel like my work experience has helped me but I'm just wondering what else I need to supplement it. It seems like the class is a waste of time according to everyone, and I have the OP's books and am reading them and feel comfortable.
  • K-9 Member Posts: 82
    The test was long, arduous, and difficult. I don't mean to pretend that it wasn't. The OP listed off the correct subjects. Know HIPAA, OECD Privacy, NIST, Third Party stuff, and, above all... know your information security.

    There was no real single study guide or practice exam for this. I just went in and took it mostly to see what they would really ask on the test.

  • VipreArmed Registered Users Posts: 10
    Thanks. I appreciate the help. I know it's difficult but it just seems like everyone says the class(es) aren't worth it. I know with most bootcamps they are a refresher course more than they are instructive, so I've just been slowly preparing for it by following the guides presented in this thread.