New InfoSec Credential: Filling a Gap? Assessing the Value of Healthcare Certification
The developers of a new healthcare-specific security credential that will be available later this year say it's needed to help fill a knowledge gap.
But one security expert questions whether yet another credential is needed, citing healthcare certifications already available. And another emphasizes the need for additional security education in healthcare, but not necessarily tied to a credential.
(ISC)², which already offers the Certified Information Systems Security Professional, or CISSP, credential, is working with the Health Information Trust Alliance to develop a yet-to-be-named credential to specifically bolster information protection skills of professionals working with healthcare data, says Hord Tipton, CEO of (ISC)².
Throughout healthcare, there's a growing need to develop a more comprehensive understanding of privacy and security, he says. Thousands of healthcare organizations nationwide are rolling out electronic health records under the HITECH Act's meaningful use incentive program. Meanwhile, organizations are facing increasing regulatory compliance demands, including the new HIPAA Omnibus Rule.
The new credential will address these unique needs in the healthcare sector, says Bryan Cline, vice president of development and implementation at HITRUST, a non-profit educational group best known for its Common Security Framework, a free guide to implementing security controls to comply with various regulations, including HIPAA.
"There is a knowledge gap in the understanding of risk management frameworks and how they may be applied in a healthcare setting, and a general skills gap in the selection and implementation of security controls and the management of security and privacy risk to meet business objectives and regulatory requirements specific to the industry," Cline says.
Is There a Need?
But healthcare security specialist Tom Walsh of the consulting firm Tom Walsh Associates questions whether another new credential is needed. He cites healthcare-specific certifications from other organizations, such as the Certified in Healthcare Privacy and Security (CHPS) credential from the American Health Information Management Association as well as credentials offered by the HIPAA Academy, including Certified HIPAA Professional (CHP) and Certified HIPAA Administrator (CHA).
"Most of the larger healthcare systems already have a certified professional leading their information security programs," Walsh says. However, smaller, rural healthcare organizations often lack specific privacy and security expertise.
"In these smaller and rural healthcare providers, one individual may be responsible for privacy, security, risk management and compliance," Walsh says. "They need a broader set of certification skills. Unfortunately, these organizations are often lacking the money needed to support sending a person off to training to get a certification or to pay for their annual dues and training to maintain their credential. I'd like to see the credential offered to smaller and rural organizations at a reduced price."
Kate Borten, CISSP, a former CISO who now leads the IT security consulting firm The Marblehead Group, says there's a need for security education in healthcare - but not necessarily a new credential.
"The healthcare industry is definitely short on security and privacy expertise, although some organizations do a great job," Borten says. "I support the availability of courses and workshops on healthcare privacy and security, regardless of whether there's a credential attached or not."
Available in Fall
The new credential that's been under development by (ISC)² and HITRUST over the last three years will be available around September, says Tipton (see: HealthInfoSec Credential in Development).
"Existing healthcare-specific credentials are limited, are not ANSI-accredited, and have seen limited adoption," Cline contends.
"There is currently no ANSI-accredited credential that validates an individual's understanding of the unique needs of healthcare and the skills needed to manage this type of risk," he says. "Existing ANSI-accredited certifications are broad-based, not industry specific, and address general security concepts and safeguards, focus on audit-style assessments, or are intended for management-level security professionals."
As the educational, testing, and validation programs for the new credential are further developed in coming months, the groups will reach out for input from other organizations, including the Department of Health and Human Services and the Healthcare Information and Management Systems Society, Tipton says.
The main targets for the new credential are individuals whose primary duties are the protection of health information, Cline says. "This would include security, privacy, compliance and even health information management or legal professionals with a focus on information protection."
However, other professionals, such as clinical and management staff, could also benefit from the certification, which (ISC)² also will likely make available as an "associate" status for individuals who seek to take the exam but don't meet other experience requirements, Tipton says.
"A pure security expert cannot solve problems on their own that happen in healthcare involving information breaches," he says. "When you look at the people who handle data, from the people at the doctor office to the drug store, there's a need to understand basic security and privacy concepts."
Also, as HIPAA Omnibus expands compliance liability to business associates and their subcontractors who provide services to healthcare entities - and at the same time expands the scope of companies that fall under the "business associate" umbrella - the population of people working with health data who need to understand privacy and security is also growing.
And while there are approximately 90,000 professionals with other security certifications offered by (ISC)², "only 2 percent of them work in healthcare," which is more evidence of a security and privacy knowledge gap in the sector, he says.
Cline says the new healthcare-specific information protection credential will:
- Certify the minimum qualifications and expertise needed to implement and assess information security controls;
- Provide assurances to regulators, employers and others of the qualifications held by information security and privacy professionals;
- Help ensure successful implementation and consistent assessment controls intended to satisfy regulatory and other best practice requirements of covered entities and their business associates;
- Support successful adoption of EHRs and the exchange of PHI by covered entities and their business associates.
As plans for the credential get fleshed out, (ISC)² and HITRUST will make available details of the content that candidates will need to know for earning their certification, Tipton says. Categories to be covered include:
- Knowledge of players in healthcare environments, ranging from EHR vendors to insurers;
- Privacy and security concepts in healthcare, including what data meets the definition of protected health information;
- Technologies used for protecting data, such as access control tools and encryption;
- Privacy and security risk management, including risk assessments;
- Dealing with business associates under HIPAA Omnibus;
- Privacy and security regulatory issues, such as breach notification.