Use this quick start guide to collect all the information about ISC2 HCISPP Certification exam. This study guide provides a list of objectives and resources that will help you prepare for items on the HCISPP ISC2 HealthCare Information Security and Privacy Practitioner exam. The Sample Questions will help you identify the type and difficulty level of the questions and the Practice Exams will make you familiar with the format and environment of an exam. You should refer this guide carefully before attempting your actual ISC2 HCISPP certification exam.
The ISC2 HCISPP certification is mainly targeted to those candidates who want to build their career in HealthCare Security domain. The ISC2 Certified HealthCare Information Security and Privacy Practitioner (HCISPP) exam verifies that the candidate possesses the fundamental knowledge and proven skills in the area of ISC2 HCISPP.
ISC2 HCISPP Exam Summary:
| Exam Name | ISC2 Certified HealthCare Information Security and Privacy Practitioner (HCISPP) |
| Exam Code | HCISPP |
| Exam Price | $599 (USD) |
| Duration | 180 mins |
| Number of Questions | 125 |
| Passing Score | 700 / 1000 |
| Schedule Exam | Pearson VUE |
| Sample Questions | ISC2 HCISPP Sample Questions |
| Practice Exam | ISC2 HCISPP Certification Practice Exam |
ISC2 HCISPP Exam Syllabus Topics:
| Topic | Details |
|---|---|
Healthcare Industry - 12% |
|
| Understand the healthcare environment components |
- Types of organizations in the healthcare sector (e.g., providers, pharma, payers) - Health insurance (e.g., claims processing, payment models, health exchanges, clearing houses) - Coding (e.g., Systematized Nomenclature of Medicine Clinical Terms (SNOMED CT), International Classification of Diseases (ICD) 10) - Revenue cycle (i.e., billing, payment, reimbursement) - Workflow management - Regulatory environment - Public health reporting - Clinical research (e.g., processes) - Healthcare records management - Remote workforce (i.e., telecommuting) |
| Understand third-party and supply chain relationships |
- Vendors - Business partners - Regulators - Data analytics - Managed service providers - Cloud service providers - Other third-Party relationships - Supply chain vendors (e.g., software, open source analysis) |
| Understand foundational health data management |
- Information flow and ecosystem lifecycle in the healthcare environments - Health data characterization (e.g., classification, taxonomy, analytics, protected health information (PHI) vs. personally identifiable information (PII)) - Data Interoperability and Exchange (e.g., Health Level 7 (HL7), International Health Exchange (IHE), Digital Imaging and Communications in Medicine (DICOM)) - Legal Medical Records |
Data and Information Governance in Healthcare - 5% |
|
| Understand and identify data and information governance frameworks |
- Security governance - Privacy governance |
| Identify data governance charters, roles and responsibilities | |
| Align data and information security and privacy standards policies and procedures |
- Standards - Policies - Procedures and processes |
| Understand and integrate the code of ethics in a healthcare data environment |
- Organizational Code of Ethics - (ISC)² Code of Ethics |
Information Technologies in Healthcare - 14% |
|
| Understand the impact of healthcare information technologies on privacy and security |
- Increased exposure affecting confidentiality, integrity, availability and privacy (e.g., threat landscape) - Oversight and regulatory challenges in a changing technological environment - Requirements for data interoperability - Information Technologies |
| Understand data life cycle management |
- Creation and classification of healthcare data - Storage - Data sharing/transfer - Data use monitoring and access control - Archiving and record retention - Destruction |
| Understand third-party connectivity |
- Trust models for third-party interconnections - Technical standards (e.g., physical, logical, network connectivity) - Connection agreements (e.g., memorandum of understanding (MOU), Interconnection Security Agreements (ISAs)) |
Regulatory and Standards Environment - 15% |
|
| Identify regulatory requirements |
- Legal issues that pertain to data security and privacy for healthcare organizations - Data breach regulations and guidance - Protected Personal and Health Information (e.g., Personally Identifiable Information (PII), Personal Health Information (PHI)) - Jurisdiction Implications - Data Subjects - Clinical research |
| Recognize regulations and controls of various countries |
- Treaties - Laws and regulations (e.g., General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH), Personal Information Protection and Electronic Documents Act (PIPEDA)) |
| Understand compliance frameworks |
- Privacy frameworks (e.g., Organization for Economic Co-operation and Development (OECD) Privacy principles, Asia-Pacific Economic Cooperation (APEC), Generally Accepted Privacy Principles (GAPP)) - Security frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Common Criteria) |
Privacy and Security in Healthcare - 24% |
|
| Understand security objectives/attributes |
- Confidentiality - Integrity - Availability - Privacy |
| Understand general security definitions and concepts |
- Authorization and authentication - Identity and Access Management (IAM) - Cryptography and data encryption - Security training and Awareness - Logging, Monitoring and Auditing - Vulnerability Management - Segregation of Duties - Incident response - Business continuity (BC) and disaster recovery (DR) - Data backup and recovery including testing and validation - Endpoint management (e.g. Mobile Device Management (MDM)) - Data classification controls (e.g., data loss prevention (DLP)) - Cloud provided services - Designated security officer (e.g., facility security officer, information security officer) |
| Understand general privacy definitions and concepts |
- Consent, restrictions, access and accountability - Limited collection, legitimate purpose and purpose specification - Appropriate use and disclosure limitations, third-party data exchange and trans-border concerns - Access limitation - Data integrity (e.g., accuracy, completeness and quality) - Management, designation of privacy officer, supervisor re-authority, processing authorization and accountability - Privacy training and awareness - Transparency and openness (e.g., notice of privacy practices, privacy policy) - Reporting (e.g., events, incidents and breaches) |
| Understand the relationship between privacy and security |
- Dependency (i.e., security impacts to privacy) - Integration (e.g., introduction of new technology/updates) |
| Understand sensitive data and handling |
- Sensitivity Mitigation (e.g., de-identification, anonymization) - Categories of Sensitive Data (e.g., behavioral health) |
Risk Management and Risk Assessment - 17% |
|
| Understand enterprise risk management |
- Risk management overview - Information asset identification - Asset valuation - Exposure - Likelihood - Impact - Threats - Vulnerability - Risk - Controls (e.g., administrative, technical, physical) - Residual Risk - Acceptance |
| Understand risk frameworks |
- International Organization for Standardization (ISO) - National Institute of Standards and Technology (NIST) - Health Information Trust Alliance (HITRUST) |
| Understand risk management process |
- Definition - Data classification (e.g., personally identifiable information (PII), protected health information (PHI), electronic protected health information (ePHI)) - Approach (e.g., qualitative, quantitative) - Intent - Life cycle and continuous monitoring - Tools, resources and techniques - Desired outcomes - Role of internal and external audit/assessment (e.g., privacy and information security risk assessments) |
| Identify control assessment procedures utilizing organization risk frameworks | |
| Participate in risk assessment consistent with roles within the organizational environment |
- Information gathering - Risk assessment process - Gap analysis |
| Understand risk response (e.g., corrective action plan) |
- Mitigation - Avoidance - Transfer - Acceptance - Compensating controls - Communications and reporting |
| Utilize controls to remediate risk (e.g., preventative, detective, corrective) |
- Administrative - Physical - Technical |
| Participate in continuous improvement and monitoring | |
Third-Party and Supply Chain Risk Management - 13% |
|
| Understand the definition of third-party in healthcare context | |
| Maintain a list of third-party organizations |
- Third-party relationship with the organization - Health information use (e.g., processing, storage, transmission) |
| Apply management standards and practices for engaging third-parties | - Relationship management |
| Determine when a third-party assessment is required |
- Organizational standards - Triggers of a third-party assessment |
| Support third-party assessments and audits |
- Information asset protection controls - Compliance with information asset protection controls - Communication of results and recommended actions |
| Participate in third-party remediation efforts |
- Risk assessment activities - Impact assessment and risk tolerance - Corrective action plans - Compliance validation |
| Respond to notifications of security/privacy events |
- Documenting and testing internal processes for incident response - Relationship between organization and third-party incident response - Breach recognition, notification and initial response |
| Respond to third-party requests regarding privacy/security events |
- Legal or contractual breach notification requirements - Organizational information dissemination policies and standards - Risk Assessment Activities - Chain of custody principles |
| Promote awareness of third-party requirements |
- Information flow mapping and scope - Data sensitivity and classification - Privacy and security requirements - Risks associated with third-parties |
To ensure success in ISC2 HCISPP certification exam, we recommend authorized training course, practice test and hands-on experience to prepare for ISC2 HealthCare Information Security and Privacy Practitioner (HCISPP) exam.