The International Information System Security Certification Consortium (ISC)2 offers the HealthCare Information Security and Privacy Practitioner (HCISPP) certification to individuals in the healthcare industry. The certification validates an individual’s knowledge and skills in implementing, managing, and assessing the privacy and security controls that protect healthcare data (i.e., patients’ health records).
HCISPP Fast Facts
- Introduced in 2013
- Compliant with ANSI/ISO/IEC Standard 17024
- Part of 125,000 cyber-security professionals network
- Exam available in 114 countries at 882 locations
- One of the eight recommended certifications in Health IT – Electronic Health Report
Who Should Earn HCISPP
HCISPP is the ideal certification for those who are working in, or looking to build a career in, the following positions.
- Information security manager
- Information technology manager
- Health information manager
- Practice manager
- Privacy and security consultant
- Compliance officer
- Privacy officer
- Risk analyst
- Compliance auditor
- Medical record supervisor
HCISPP Exam Eligibility
Candidates with a minimum of two years of work experience in at least one of (ISC)2’s recommended domains are eligible for the certification. Of the two years of required work experience, at least one year must be in the healthcare industry domain. According to the 2019 (ISC)2 curriculum, the following seven domains make up the HCISPP exam.
- Healthcare industry
- Privacy and security in healthcare
- Regulatory and standards environment
- Risk management and risk assessment
- Information governance in healthcare
- Information technologies in healthcare
- Third-party risk management
Documented legal experience can be substituted for compliance and information management experience in the privacy area. Those who do not have the required work experience can still take the HCISPP exam; however, they are designated Associates of (ISC)2 until they acquire the two years of work experience, which must be gained within three years of passing the HCISPP exam.
The following is the exam outline for the HCISPP certification, effective September 1, 2019.
- Exam length: 3 hours
- Exam questions: 125
- Format: Multiple choice questions
- Language availability: English
- Passing score: 700 out of 1000 points (70%)
- Test center: Pearson VUE
HCISPP Exam Weight
The HCISPP exam contains a certain percentage of questions from each domain. The following table shows each domain’s contribution to the HCISPP exam.
| Domain | Weight |
|---|---|
| Privacy and Security in Healthcare | 25% |
| Risk Management and Risk Assessment | 20% |
| Regulatory and Standards Environment | 15% |
| Third-Party Risk Management | 15% |
| Healthcare Industry | 12% |
| Information Technologies in Healthcare | 8% |
| Information Governance in Healthcare | 5% |
From the table, it can be seen that the Privacy and Security in Healthcare domain contributes the most to the HCISPP exam. The mandatory Healthcare Industry domain contributes 12%. Information Governance in Healthcare is the least contributing domain.
HCISPP Domains
Following is a brief description of all the domains that are part of the HCISPP exam.
Domain-1 Privacy and Security in Healthcare: 25% of the questions in the HCISPP exam relate to privacy and security in healthcare. The following domain knowledge helps in answering questions on this domain.
- Understanding confidentiality, integrity, and availability of information
- Understanding general security concepts and definitions, such as identity and access management, data encryption and decryption, disaster recovery, business continuity, least privilege, system backup and recovery, and segregation of duties
- Understanding general privacy concepts and definitions, such as access limit, consent, disclosure limitation, transparency, authorization, and accountability
- Understanding the relationship (like dependency and integration) between privacy and security
- Understanding sensitive data
- Sensitive data handling, such as sensitivity mitigation and categorization
Domain-2 Risk Management and Risk Assessment: 20% of the questions in the HCISPP exam relate to risk management and risk assessment. Candidates should have the following knowledge and understanding of the domain.
- Understanding enterprise risk management like information asset identification, asset evaluation, risk, threat, vulnerabilities, impact, controls, and acceptance
- Understanding Risk Management Frameworks (RMFs) like ISO and NIST
- Understanding risk management process including definition, approach, intent, lifecycle, tools, outcomes, and role of internal and external audits
- Identification of control assessment procedures through organizations’ risk frameworks
- Risk assessment knowledge including information gathering, estimated timeline for assessment, mitigating actions, risk avoidance, risk acceptance, and transfer of risk
- Understanding corrective action plans
- Ability to utilize administrative, physical, and technical controls to remediate risk
Domain-3 Regulatory and Standards Environment: The Regulatory and Standards Environment domain contributes 15% of the exam. The domain covers the following knowledge and skill sets.
- Identification of regulatory requirements like legal issues, jurisdiction implications, data subjects, data breach regulation, and research
- Knowledge of regulations and controls working in different countries. Examples include the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR)
- Knowledge of different security and privacy compliance frameworks, such as the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Generally Accepted Privacy Principles (GAPP)
Domain-4 Third-Party Risk Management: Third-party risk management is another important domain in the HCISPP exam (15%). Candidates should have the following knowledge and skill sets in order to answer the related questions.
- Knowledge of third parties in the context of healthcare
- Ability to maintain a list of roles and relationships of third-parties with the organizations
- Ability to engage third-parties through management standards and practices
- Third-party assessment when required
- Ability to support third-party assessment and audits through controls, compliance, and communication
- Participation in remediation efforts like risk management activities, compliance activities, and corrective action plans
- Ability to respond to security and privacy events like internal processes and breaches
- Ability to respond to third-party requests regarding security and privacy events
- Awareness of information flow mapping, data sensitivity and classification, privacy and security requirements, and risks associated with third-parties
Domain-5 Healthcare Industry: The healthcare industry is the most important domain of HCISPP. Although it contributes only 12% of the HCISPP exam, a candidate must have at least one year of work experience in the healthcare industry to take the exam. Candidates should have the following knowledge and skills to cover the healthcare industry domain.
- Understanding healthcare environment components, such as the type of organization, coding, revenue cycle, workflow, healthcare records, and regulatory environment
- Understanding third-party relationships like vendors, partners, or regulators
- Knowledge of basic health data management concepts, such as the flow of information in the healthcare environment, data characterization (classification, analytics, taxonomy), and data interoperability
Domain-6 Information Technologies in Healthcare: Another domain, with 8% weight in the HCISPP exam, is information technologies in healthcare. The following domain knowledge is important from the exam’s point of view.
- Understanding the impact of information technologies in healthcare on security and privacy
- Knowledge of data lifecycle (create, store, use, share, archive, destroy)
- Knowledge of third-party connectivity features like trust models, technical standards, and connection agreements
Domain-7 Information Governance in Healthcare: Information governance in healthcare is the least contributing domain in the HCISPP exam (only 5%). Candidates should have the following domain knowledge.
- Knowledge of information governance frameworks
- Knowledge of roles and responsibilities in information governance
- Understanding of compliance with the code of conduct in the healthcare environment
HCISPP Renewal
The HCISPP certification is valid for three years, and holders must recertify every three years. To maintain the certification, HCISPP holders need to earn and submit 20 CPEs annually, for a total of 60 CPEs over the three-year period. (ISC)2 offers free CPE credit opportunities to those who attend webinars or events, or who contribute to reading and writing tasks.