Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

HCISPP certification: What are the benefits?

(ISC)2's HCISPP certification has many potential benefits for health information privacy and security. Expert Joseph Granneman examines them.

The (ISC)2 is launching a new certification, the HealthCare Information Security and Privacy Practitioner (HCISPP),...

which it calls the first global standard for assessing information security expertise within the healthcare industry. I work in healthcare, but I already have my pick of information security jobs in the healthcare industry. What's the benefit of obtaining this certification?

There is a critical need for qualified security professionals in healthcare. The rapid adoption of electronic medical records under the meaningful use program has created an environment where insecure configurations and nonexistent basic security controls are the norm. The government has responded by increasing the penalties for HIPAA violations. The revised rules in the 2009 American Recovery and Reinvestment Act increased penalties up to $1.5 million. Then the revised Omnibus rules raised the stakes again in September 2013 by adding an increasing damage scale for violations based on the organization's foreknowledge and handling of an incident. Even with these regulatory threats looming, more than 21 million patient identities have been breached since 2009.

(ISC)2, the organization behind the popular CISSP certification, has identified this need and developed the HealthCare Information Security and Privacy Practitioner (HCISPP) certification for healthcare information security professionals. The certification presents a broad overview of the roles and requirements of security and privacy in healthcare. It covers the requirements of many different global regulations beyond HIPAA, such as PIPEDA and the UK Data Protection Act of 1998. Other non-security specific technologies are included in the certification such as HL-7, DICOM, ICD-9/10 coding and clinical research processes.

There is a lack of any deep technical information in the certification, as it seems to be targeting a different and wider audience than the CISSP. Everyone from practice managers to medical records supervisors is specified in (ISC)2's HCISPP candidate information bulletin. These are exactly the people that need this type of education, as they are often selected by executive management to take on the HIPAA security officer role without any other training or experience.

The HCISPP is a good certification for people who want to get into healthcare and better understand this complex security and privacy regulatory environment. It may take a while for employers to catch on to the value of this certification, as it is brand new. However, given (ISC)2's success with the CISSP, the HCISPP has the potential to become the standard healthcare information security certification.

I have high hopes for this certification, as patients should not have to endure identity theft to receive healthcare. I have worked in both finance and healthccare, and found the latter to be far behind the maturity of the information security industry at large and not making any strides to catch up. The HCISPP may inspire more certifications and education that can only help this lagging industry and prevent another 21 million patients from receiving a breach letter just because they saw their doctor.

Ask the Expert:
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)

This was last published in June 2014

Dig Deeper on Security industry certifications