ISC2’s HCISPP Certification in Health Care

Why Take the HCISPP Test?

I’d like to share my experiences with the healthcare information security and privacy practitioner (HCISPP) test. It’s ISC2’s niche healthcare test and I’d like to start by providing a little background as to why I decided to get certified in the first place. There is of course the foundational reasoning for taking any cert: You want to spruce up the resume and learn a bit along the way. There are other healthcare/InfoSec crossover certifications (AHIMA’s CHPS and HIMSS’ CPHIMS come to mind), but the allure of the ISC2 brand, its reputation (which will hopefully rub off on the resume once gained), and its position as a great springboard into the field (only two years of full time work in at least one of the bodies of knowledge covered) all pushed this exam to the front of my list after the Sec+ and CSA+. So, I was in the market for a little exposure to healthcare IT and wanted to build from a decent foundation in InfoSec.

Prepping for the HCISPP

I thought the turnaround time for this one would be a bit shorter, since I had hit a groove as of late – the CSA+ took a bit more (around six months of general reading while doing some prelim work on other certs, tapering off to two months of exclusive focus). Hence, I set a goal for three months of preparation in total. The biggest wildcard was the lack of preparation material out there for this exam! Not sure if this is a function of it being a relatively new certification, and the market not really being sold on how long it will stick around, but there didn’t seem to be much I could find in the way of video or slides, and definitely nothing with practice exam questions. The usual suspects came up empty: Boson, CBT Nuggets, Pluralsight, Cybrary, and even Reddit had nary a word of encouragement to offer, much less hard guidelines of any kind.

Helpful Books for the HCISPP

Well, not exactly: Reddit offered some clues in the form of books to read, which I ran on over to Amazon and picked up: Healthcare Information Security and Privacy by Sean Murphy, Hacking Healthcare by Fred Trotter and David Uhlman, and the Official ISC2 Guide to the HCISPP CBK by Steven Hernandez. I read the latter first, placing some faith in the fact that it was the only official guide out there from the certifying body and the good things said about it on Reddit. It did not disappoint! The layout was very well done, following the “Outline what you are going to cover, cover it, review what you covered” framework that is a go-to for a reason. What’s more, this book had questions at the end of each chapter! While this might not be out of the ordinary for a prep book, see above for how the general response was tumbleweeds and silence when looking for practice questions. Nothing outrageous, 11-12 questions tops, but something was better than nothing. Also, the answer section had fairly in-depth reasoning for why a given answer was the correct one, and I cannot stress enough how crucial this kind of information is: Besides just answering the immediate question at hand, writeups like this give some insight into how an expert on the test approaches the body of knowledge to be tested, so one can gradually gain a kind of intuitive sense of how the test itself is structured. This comes in handy when taking the actual exam and coming up on a question that seemingly has two equally “right” answers. Another tidbit to keep in mind: this was the book I read first, so the way I view the next two books was colored slightly by this fact. Unsure as to how much, but I felt I should let folks know in the interest of full disclosure.

The second book I used to prepare for my HCISPP was the similarly well-reviewed Sean Murphy entry, Healthcare Information Security and Privacy. Right there in the introduction, the author makes it clear that he almost assumes you have read the official guide, which made me feel like I was on the right track (and part of the reason why I mention the order for the three books chosen). There are more situational examples given with this one, and less of a buckshot approach: A lot of the official guide focused on international standards concerning healthcare information and privacy laws, which is great when you get out into the field and are faced with potentially navigating said minefields, but…we take the tests to pass them (thanks Coach Herm), and so Hernandez’s shift away from the international focus fit more with what was actually on the exam (which I cannot get into too many specifics on, with that dang NDA they make you sign, which might be some explanation for the lack of practice exam questions, although I say that as I look at the CISSP test bank across my desk…). Additionally, I cannot stress enough how this book filled in a lot of the other gaps that I almost did not know were there from the official guide: Health exchanges and how they fit into a secure environment, how each body of knowledge ties back to an actual healthcare IT environment, and what a security or privacy practitioner could really bring to the table at a thriving health practice, regardless of size.

The final book I tapped to get ready for this exam was Hacking Healthcare: A Guide to Standards, Workflows, and Meaningful Use by Fred Trotter and David Uhlman. Now, this text was not exactly directly connected with preparing for the HCISPP exam, and in fact, should you be pressed for time it is definitely one I would recommend cutting out of the ramp up for the test. However, should you manage to fit it in (easy read, both in length and approachability, well done on the authors’ part) then you will find a book that, particularly for someone not in healthcare such as myself, allows one to envision the workflows that all of this IT is supposed to be enhancing. This was quite helpful in allowing me to start developing targeted critical thinking skills for situations in this specific field. It serves two purposes: 1) Shifting towards a job in the field after a successful exam, you begin to get acclimated to the decisions that will be required of you, and 2) For the test itself, if there is anything that you do not remember from the other prep work, or the phrasing is a bit tricky (which all testing bodies seem to love to do every few questions or so, despite the braggadocio on Reddit about how “ez” something was) then Hacking Healthcare will help you with the tools to think like the ISC2 wants you think in context, and break down a seemingly unfamiliar question into more identifiable (and hopefully answerable) components.

Rounded out the prep with the flashcards that ISC2 graciously provides (snark is real, because it seemed like they were only interested in funneling towards official, aka high-priced courses which were out of range for me) and scheduled my exam. All told, put in about two months to ten weeks of prep time, reading and doing flashcards for a little bit of time (maybe an hour or so tops) each day.

Test Day and Beyond

The day itself was not too out of the ordinary if anyone has taken a proctored exam like this before, but for those who have not, here is the general flow: You show up, making sure that two forms of ID are handy (different proctoring companies and even the testing bodies themselves will demand different types, but I have not had a problem with an unexpired passport, a valid driver’s license, and a credit card with signature as backup). Then, you get to read the rules for the location (basically, don’t be shady, don’t try to bring snacks into the test area, if you have to move for any reason raise your hand and wait for someone to move with you), sign that you read them, and get your picture taken. Somewhere in the process the staff reminds you where the bathrooms are and presents the ability to use a locker to house any of your belongings (try to leave as much as you can in the car, but whatever is left over can get securely locked away…haven’t had my phone or wallet lifted even once). Not sure if this was just an ISC2 thing, but I did have to get my palm scanned, which was different from when I took the CEH, any CompTIA exam, or my CCNA. Could have been the testing center (first time at the location in Norwalk, CT…try the crab cakes!). You then get lightly patted down to make sure you are not bringing any nukes or cheating aids into the exam room. After all the paperwork and preliminary steps are taken care of, you get walked into the room by a proctor and get logged into the computer where you will be taking your test. Most places also give you a dry erase marker and a surface to use it on, should you need a place to doodle out your thoughts to a question before answering.

Some locations will have noise-cancelling headphones to help you dial into the test, some will have earplugs, but no worries: Everyone else taking various exams is about as concentrated as they can be on what they are doing, so not much in the way of noise is happening other than the occasional errant cough or wayward sniffle, perhaps a chair scuffing the floor as a fellow intellectual adventurer shifts in their seat whilst wrestling with their own tests.

You click through some agreements, the most important of which is the Non-Disclosure: This puts the death penalty (not really, but kind of) on anyone taking the exam and then posting exact questions or their recollections of specifics out for the public to view. Unless the ISC2 (or whomever is in charge of the test you are taking) gives you the express go-ahead, then this is a strict non-starter. You could get stripped of the credential if you pass, or even be barred from taking any more tests from the governing body in question or the proctoring company themselves…which would just be plain silly to do. At least now everyone wondering when I was going to get into detail about the questions in the blog know why I could not! However, with the prep work I’ve outlined, and of course a little bit of luck thrown into the mix, you will get the “Congratulations” on the print-out at the end of the day.

However, the process is not yet done. For an ISC2 exam, as well as for a couple of others from various organizations, there is a work history component necessary for full accreditation. In the case of the HCISPP, you have to show two years of previous IT work in a healthcare environment. Without that, you can apply to be an Associate of ISC2, at which point you get three years to fulfill the 24-month requirement. In order to validate, you simply go through the steps the organization outlines in the congratulatory email they send a couple of days after passing (read: If you have not received this email within a week of successfully conquering the exam, check your spam filter or contact ISC2 ASAP…you do not want to leave room for all of the precious work to go to waste). The validation itself can take up to six weeks, because the organization actually does its due diligence and tries to verify you do what you say you do in regard to the cert you tested for. This is in both their best interest (to maintain the integrity of the cert and thus its pull in the workplace) and your best interest (you want the effort put into securing the cert to be rewarded in equal measure). Once everything checks out, you are given the green light to let the world know you are a holder of the HCISPP cert: Put it on your resume, LinkedIn, personal websites and blogs, business cards, bumper stickers, or get it inked on your arm like Kanye West. Celebrate, revel in the win, and then scope out that next cert!

Anything I did not cover enough that you want clarification on (NDA permitting, of course), or have any questions? Reach out to me on Twitter.

Article Link: https://www.alienvault.com/blogs/security-essentials/isc2s-hcispp-certification-in-health-care