New healthcare cert addresses security, privacy of medical records

Talk about a security certification whose time has come! Earlier this month, (ISC)2 launched the HealthCare Information Security and Privacy Practitioner (HCISPP) credential. It is the first foundational global standard for assessing both information security and privacy expertise within the healthcare industry. The credential is designed to provide healthcare employers and those in the industry with validation that a healthcare security and privacy practitioner has the core level of knowledge and expertise required by the industry to address specific security concerns.

Protected health information (PHI) and electronic health records (EHR) are garnering more attention worldwide as governments institute regulations to ensure that private data remains private, and that it is fully secured as it traverses network systems and online storage. The HCISPP credential reflects internationally accepted standards of practice for healthcare information security and privacy.

"The HCISPP credential was developed based on direct feedback from our membership and industry luminaries from around the world working in healthcare who have observed the evolving complexity of information risk management in the industry as online system migration and regulations increase," said W. Hord Tipton, CISSP, executive director of (ISC)2.

As Tipton explained in a press release announcing the new certification, "Over the past few years, the healthcare industry has undergone a major transformation to adjust its compliance management practices and data protection requirements — moving from highly paper-based processes to a digital and more connected working environment. (ISC)2 has introduced this new healthcare credential to help employers bring more qualified and skilled professionals into this industry who can help protect vital patient records and personal data."

The certification is aimed at practitioners who are responsible for protecting their organizations and sensitive patient data against emerging threats and breaches. This would include people in roles such as Medical Records Supervisor, Information Technology Manager, Privacy & Security Consultant and Compliance Officer.

To attain the HCISPP, applicants must have a minimum of two years of experience in one knowledge area of the credential that includes security, compliance and privacy. Legal experience may be substituted for compliance, and information management experience may be substituted for privacy. One of the two years of experience must be in the healthcare industry. All candidates must be able to demonstrate competencies in each of the following six common body of knowledge (CBK) domains in order to achieve HCISPP:


  • Healthcare Industry
  • Regulatory Environment
  • Privacy and Security in Healthcare
  • Information Governance and Risk Management
  • Information Risk Assessment
  • Third Party Risk Management


The exam for this certification is now available worldwide. Education materials are currently being developed and will be ready in early 2014. The exam outline is a useful self-study aid. It provides an overview of each domain and a list of key knowledge areas in each of the domains, as well as a list of references to aid candidates in studying the domains in depth.

Candidates may find more information about HCISPP, download the exam outline, and register for the exam at the (ISC)2 website.
