HealthCare Information Security and Privacy (HCISPP) Practitioner Practice Exam

HealthCare Information Security and Privacy (HCISPP) Practitioner Practice Exam

The HealthCare Information Security and Privacy (HCISPP) certification validates a professional's knowledge and skills in protecting patient health information (PHI) within the healthcare industry. 

Who Should Pursue the HCISPP Certification?

• Security Analysts: Specializing in healthcare IT security and conducting security risk assessments.
• Compliance Officers: Ensuring adherence to HIPAA regulations and internal security policies.
• Privacy Officers: Overseeing patient data privacy practices and managing privacy risks.
• IT Security Managers: Leading and managing the overall information security program within a healthcare organization.
• Healthcare Professionals with Security Responsibilities: Physicians, nurses, and other healthcare personnel who handle ePHI and need to understand security best practices.

Prerequisites

(ISC)² recommends that candidates have:

• A minimum of two years of cumulative paid work experience in one or more knowledge areas of the HCISPP CBK (Common Body of Knowledge). This experience can involve information security, healthcare IT, compliance, or privacy within the healthcare industry.
• At least one year of experience within the healthcare industry demonstrates a familiarity with healthcare specific regulations and workflows.

Roles and Responsibilities 

• Healthcare System Administrators: Responsible for configuring and securing healthcare IT systems.
• Health Information Management (HIM) Professionals: Ensuring the integrity and confidentiality of patient medical records.
• Healthcare Application Developers: Building secure healthcare applications that comply with privacy regulations.

Exam Details 

• Exam Code HCISPP 
• Exam Duration 3 hours
• Exam Format Multiple Choice
• Number of Questions 125 Questions

 Course Outline

The exam covers the following topics:

Domain 1: Healthcare Industry 

Understanding the Healthcare Environment Components 

• Types of organizations in the healthcare sector (e.g., providers, pharma, payers)
• Health insurance (e.g., claims processing, payment models, health exchanges, clearing houses)
• Coding (e.g., Systematized Nomenclature
• of Medicine Clinical Terms (SNOMED CT), International Classification of Diseases (ICD) 10)
• Revenue cycle (i.e., billing, payment, reimbursement)
• Workflow management
• Regulatory environment
• Public health reporting
• Clinical research (e.g., processes)
• Healthcare records management
• Remote workforce (i.e., telecommuting)

Understanding Third-Party Relationships 

• Vendors
• Business partners
• Regulators
• Data analytics
• Managed service providers
• Cloud service providers
• Other third-party relationships
• Supply chain vendors (e.g., software, open source analysis)

Understanding Foundational Health Data Management Concepts

• Information flow and ecosystem lifecycle in the healthcare environments
• Health data characterization (e.g., classification, taxonomy, analytics, protected health information (PHI) vs. personally identifiable information (PII))
• Data interoperability and exchange (e.g., Health Level 7 (HL7), International Health Exchange (IHE), Digital
• Imaging and Communications in Medicine (DICOM))
• Legal medical records

Domain 2: Data and Information Governance in Healthcare 

Understanding and identifying data and information governance frameworks

• Security governance
• Privacy governance

Identify data governance charters, roles and responsibilities

Align data and information security and privacy standards policies and procedures

• Standards
• Policies
• Procedures and processes

Understand and integrate the code of ethics in a healthcare data environment

• Organizational code of ethics
• (ISC)² code of ethics

Domain 3: Information Technologies in Healthcare

Understanding the impact of healthcare information technologies on privacy and security

• Increased exposure affecting confidentiality, integrity, availability and privacy (e.g., threat landscape)
• Oversight and regulatory challenges in a changing technological environment
• Requirements for data interoperability
• Information technologies

Understanding data life cycle management

• Creation and classification of healthcare data
• Storage
• Data sharing/transfer
• Data use monitoring and access control
• Archiving and record retention
• Destruction

Understanding third-party connectivity

• Trust models for third-party interconnections
• Technical standards (e.g., physical, logical, network connectivity)
• Connection agreements (e.g., memorandum of understanding (MOU), Interconnection Security Agreements (ISAs))

Domain 4: Regulatory and Standards Environment

Identifying Regulatory Requirements 

• Legal issues that pertain to data security and privacy for healthcare organizations
• Data breach regulations and guidance
• Protected personal and health information (e.g., personally identifiable information (PII), personal health information (PHI))
• Jurisdiction implications
• Data subjects
• Clinical research

Recognizing Regulations and Controls of Various Countries

• Treaties
• Laws and regulations (e.g., General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), Personal Information Protection and Electronic Documents Act (PIPEDA))

Understanding Compliance Frameworks 

• Privacy frameworks (e.g., Organization for Economic Co-operation and Development (OECD) Privacy principles, Asia-Pacific Economic Cooperation (APEC), Generally Accepted Privacy Principles (GAPP))
• Security frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Common Criteria)

Domain 5: Privacy and Security in Healthcare

Understanding Security Objectives/Attributes 

• Confidentiality
• Integrity
• Availability
• Privacy

Understanding General Security Definitions and Concepts

• Authorization and authentication
• Identity and access management (IAM)
• Cryptography and data encryption
• Security training and awareness
• Logging, monitoring and auditing
• Vulnerability management
• Segregation of duties
• Incident response
• Business continuity (BC) and disaster recovery (DR)
• Data backup and recovery including testing and validation
• Endpoint management (e.g. Mobile Device Management (MDM))
• Data classification controls (e.g., data loss prevention (DLP))
• Cloud provided services
• Designated security officer (e.g., facility security officer, information security officer)

Understanding General Privacy Definitions and Concepts 

• Consent, restrictions, access and accountability
• Limited collection, legitimate purpose and purpose specification
• Appropriate use and disclosure limitations, thirdparty data exchange and trans-border concerns
• Access limitation
• Data integrity (e.g., accuracy, completeness and quality)
• Management, designation of privacy officer, supervisor re-authority, processing authorization and accountability
• Privacy training and awareness
• Transparency and openness (e.g., notice of privacy practices, privacy policy)
• Reporting (e.g., events, incidents and breaches)

Understanding the Relationship Between Privacy and Security

• Dependency (i.e., security impacts to privacy)
• Integration (e.g., introduction of new technology/updates)

Understanding Sensitive Data and Handling 

• Sensitivity mitigation (e.g., de-identification, anonymization)
• Categories of sensitive data (e.g., behavioral health)

Domain 6: Risk Management and Risk Assessment 

Understanding Enterprise Risk Management 

• Risk management overview
• Information asset identification
• Asset valuation
• Exposure
• Likelihood
• Impact
• Threats
• Vulnerability
• Risk
• Controls (e.g., administrative, technical, physical)
• Residual Risk
• Acceptance

Understanding Information Risk Management Framework (RMF) 

• International Organization for Standardization (ISO)
• National Institute of Standards and Technology (NIST)
• Health Information Trust Alliance (HITRUST)

Understanding the Risk Management Process

• Definition
• Data classification (e.g., personally identifiable information (PII), protected health information (PHI), electronic protected health information (ePHI))
• Approach (e.g., qualitative, quantitative)
• Intent
• Life cycle and continuous monitoring
• Tools, resources and techniques
• Desired outcomes
• Role of internal and external audit/assessment (e.g., privacy and information security risk assessments)

Identifying Control Assessment Procedures Utilizing Organization Risk Frameworks 

Participating in risk assessment consistent with roles within the organizational environment

• Information gathering
• Risk assessment process
• Gap analysis

Understanding risk response (e.g., corrective action plan)

• Mitigation
• Avoidance 
• Transfer
• Acceptance
• Compensating controls
• Communications and reporting

Utilizing controls to remediate risk (e.g., preventative, detective, corrective)

• Administrative
• Physical
• Technical

Participating in continuous improvement and monitoring

Domain 7: Third-Party and Supply Chain Risk Management

Understanding the Definition of Third-Parties in the Healthcare Context

Maintaining a List of Third-Party Organizations 

• Third-party relationship with the organization
• Health information use (e.g., processing, storage, transmission)

Applying Management Standards and Practices for Engaging Third-Parties 

• Relationship management

Determining When a Third-Party Assessment Is Required 

• Organizational standards
• Triggers of a third-party assessment

Supporting Third-Party Assessments and Audits 

• Information asset protection controls
• Compliance with information asset protection controls
• Communication of results and recommended actions

Participating in Third-Party Remediation Efforts

• Risk assessment activities
• Impact assessment and risk tolerance
• Corrective action plans
• Compliance validation

Responding to Notifications of Security/Privacy Events 

• Documenting and testing internal processes for incident response
• Relationship between organization and third-party Incident response
• Breach recognition, notification and initial response

Responding to Third-Party Requests Regarding Privacy/Security Events 

• Legal or contractual breach notification requirements
• Organizational information dissemination policies and standards
• Risk assessment activities
• Chain of custody principles

Promoting Awareness of Third-Party Requirements 

• Information flow mapping and scope
• Data sensitivity and classification
• Privacy and security requirements
• Risks associated with third-parties