Best security cert for healthcare field?

Hi all,

Im looking to advance myself a bit.... Just started a job at a healthcare practice last year and would like to add some security skills to my resume etc. I was thinking of going the Sec+, SSCP, CISSP route. Is there anything specific to healthcare that would make one option more attractive than another? Maybe a particular SANS or HIPAA cert i dont know about?

Thanks

Find more posts tagged with

Comments

Everyone

HA!

The Healthcare industry doesn't care about security as much as you think they do/would/should.

GIAC used to have a HIPAA certification, the GHSC, but they retired it.

With my Security+ that I had from before I worked in Healthcare, I was one of only 2 people with any real Security knowledge, let alone a Security certification at the Healthcare organization I worked at (3000+ employees). The IT Director was a CISSP, but he quit because he got tired of no one really caring about security.

The route you're thinking of will be more than enough. It may not be too beneficial to you in the Healthcare industry, but could still be beneficial to you personally on your career path.

You'll find that nobody cares about security unless patient care is directly impacted by it (i.e. someone is injured or died because of a security issue that wasn't properly addressed) OR the organization loses a lot of money due to a HIPAA violation (i.e. someone hacks in and steals patient data). It's an afterthought, and preventative measures are ignored due to cost or convenience.

tdean

yeah, its funny that there are so many buzz word in health care regarding security but none seem to be followed. who knows if i'll stay in this field, i may as well do the Sec+ (again.... the have no record of me passing in 05?), then start the SSCP or maybe CCSP. Probably SSCP and see if theres anything about it im interested in.

jmasterj206

I would have to second what Everyone said about security. I have been fighting the battle for years. You may want to check out the Comptia IT Healthcare Technician cert. It might give you a little more understanding or HIPAA and other guidelines that are out there. From what I have heard it has some security+ related questions in it. Probably not a golden ticket, but it is cheap and a lifetime cert if they ever release any study material.

the_Grinch

I'm going to add that some hospitals care very much about security. I interviewed for a security position at a hospital and the team they had was top notch. Quarterly penetration tests, monthly rouge wifi scans, coordination with the various departments on secure setups, etc. At this point, most healthcare providers cannot be lax in security as medical identity theft is on the rise and the fines have been rolling out. Let's face it, nothing a doctor hates more then spending money, but they get even more ticked when it's a large fine....

Everyone

the_Grinch wrote: »

I'm going to add that some hospitals care very much about security. I interviewed for a security position at a hospital and the team they had was top notch. Quarterly penetration tests, monthly rouge wifi scans, coordination with the various departments on secure setups, etc. At this point, most healthcare providers cannot be lax in security as medical identity theft is on the rise and the fines have been rolling out. Let's face it, nothing a doctor hates more then spending money, but they get even more ticked when it's a large fine....

Dog and pony show. Penetration tests are a requirement in the industry. Having them done, then never doing anything to correct the issues are the norm, and that doesn't do anyone any good. A few "low hanging fruits" may be fixed, as long as fixing them won't interrupt or impact patient care in any way.

Unless it's a private practice that the doctor owns, the doctor won't pay the fine. It's the Healthcare organization that pays the fine. The rules are rarely enforced, they go after a couple big fish a year, and that's it, the smaller stuff either goes unnoticed, or is ignored. The ones that do get fined, are usually either extremely blatant violations, or something like a laptop with PHI on it being lost or stolen.

vsecgod

Everyone wrote: »

HA!

The Healthcare industry doesn't care about security as much as you think they do/would/should.

GIAC used to have a HIPAA certification, the GHSC, but they retired it.

With my Security+ that I had from before I worked in Healthcare, I was one of only 2 people with any real Security knowledge, let alone a Security certification at the Healthcare organization I worked at (3000+ employees). The IT Director was a CISSP, but he quit because he got tired of no one really caring about security.

The route you're thinking of will be more than enough. It may not be too beneficial to you in the Healthcare industry, but could still be beneficial to you personally on your career path.

You'll find that nobody cares about security unless patient care is directly impacted by it (i.e. someone is injured or died because of a security issue that wasn't properly addressed) OR the organization loses a lot of money due to a HIPAA violation (i.e. someone hacks in and steals patient data). It's an afterthought, and preventative measures are ignored due to cost or convenience.

Lol, as I was reading what you put, I have to strongly agree as well.

I recently joined a healthcare organization of about 5000+, and was amazed at how little they care about security. Everyone hit the nail on the spot, our organization gets audited yearly and year after year, they find the same things but don't care to fix it unless as Everyone put it, it's a low hanging fruit that can be fixed easily, other than that, it's ignored as it would take too much time/cost too much/other political BS.

I came on thinking, "oh wow healthcare security, this will be a good boost on my resume! They MUST be doing daily penetration scans/firewall scans, due to HIPAA", but nope, none of that, and FAR from that too. Our organization does nothing to provide any auditing tools or any data loss prevention tools, doesn't enforce password complexity (because it would be far too inconvenient for doctors to have to remember a hardened password...), the list goes on and on.

I'm just taking it as it is and looking to find something else that is relevant to real security, I advise you do the same.

JDMurray

vsecgod wrote: »

I came on thinking, "oh wow healthcare security, this will be a good boost on my resume! They MUST be doing daily penetration scans/firewall scans, due to HIPAA", but nope, none of that, and FAR from that too.

People assume HIPAA provides auditing/enforcement/penalties to the heath care industry in the same way PCI polices the retail industries. The regulation requirements and the penalties for non-compliance are actually quite different. I think there will need to be a security event in the health care industry on the magnitude of TJX to see any major improvements in the enforcements of HIPAA regulations.

vsecgod

you are absolutely right. I was thinking the same, in that it takes an actual security incident for our organization to take security seriously. Until then, healthcare organizations just want to tout they have a security dept -_-