One of the drivers for rolling out the new assessment is the rapidly evolving nature of the healthcare industry itself. Paperless record-keeping, the use of tablets and smartphones, telemedicine, digital X-rays and a variety of electronic storage approaches for patient records and the like have exposed the vertical to cyber-attackers in a way it has never been before.
“Over the past few years, the healthcare industry has undergone a major transformation to adjust its compliance management practices and data protection requirements – moving from highly paper-based processes to a digital and more connected working environment,” explained W. Hord Tipton, executive director of (ISC)², in a statement.
And indeed, the traditionally analog healthcare field faces escalating costs and notoriety stemming from data breaches. Whether it’s a laptop or USB stick with unencrypted information being physically lost or employee error, improper email encryption, or hackers with nefarious intents, the sector has been in the spotlight in the last few years involving data leakage. In fact, a full 94% of healthcare organizations were breached in the last two years, according to Backgroundcheck.org.
"Healthcare organizations face significant and evolving challenges for the proper design, implementation and administration of effective privacy and security protection programs,” said Marc Schandl, enterprise architect at Blue Cross and Blue Shield of Minnesota. “The HCISPP will benefit organizations by having a much greater chance for success in tackling these and other opportunities because they will have a contextual understanding for the appropriate application of essential practices and controls that meet organizational, legislative and directive mandates for the correct handling, processing, and securing of healthcare information.”
The industry also has more stringent regulatory requirements when it comes to patient privacy than it has in the past. “Recent trends towards stronger enforcement of security regulations have begun to change the healthcare industry’s perception of information security,” said Bryan Cline, vice president of CSF development and implementation at HITRUST. “There is a growing need in the industry for qualified professionals to help mature the current state of healthcare information security and improve regulatory compliance. (ISC)²’s HCISPP will help organizations streamline their hiring process by ensuring prospective candidates have a basic level of knowledge about the healthcare industry, the security and privacy concerns specific to healthcare, and the general risk management principles and concepts required of a healthcare information protection professional.”
With all of these drivers taken together, the credential is designed to provide healthcare employers and those in the industry with validation that a practitioner has the core level of knowledge and expertise required by the industry to address specific security concerns, especially when it comes to protecting the privacy and security of sensitive patient health information.
To attain the HCISPP, applicants must have a minimum of two years of experience in one knowledge area of the credential: security, compliance and privacy. Legal experience may be substituted for compliance and information management experience may be substituted for privacy. One of the two years of experience must be in the healthcare industry.
All candidates must be able to demonstrate competencies in all six CBK domains in order to achieve the HCISPP: Healthcare Industry; Regulatory Environment; Privacy and Security in Healthcare; Information Governance and Risk Management; Information Risk Assessment; and Third Party Risk Management.
For executives accountable for protecting sensitive healthcare data, HCISPP demonstrates a proactive commitment to ensuring an organization is making the necessary human resources investment in information security, (ISC)² explained.
As with all its credentials, (ISC)² conducted a job task analysis (JTA) study to determine the scope and content of the HCISPP credential program. Subject matter experts from the (ISC)² membership and other industry players from organizations in Hong Kong, Europe and the US attended several exam development workshops and contributed to develop the common body of knowledge (CBK) reflecting internationally accepted standards of practice, that serves as the foundation for the credential.
“The HCISPP credential was developed based on direct feedback from our membership and industry luminaries from around the world working in healthcare who have observed the evolving complexity of information risk management in the industry as online system migration and regulations increase,” said Tipton.