Introduction

If you’re a cybersecurity or information security professional in the healthcare industry, or are looking to specialize your skillset to make a transition, you may have come across the Health Information Security and Privacy Practitioner (HCISPP) certification offered by (ISC)2. It’s a worthwhile certification to obtain if you meet the experience requirements, and a great way to improve your knowledge and progress your career.

In fact, if you were to become a certified HCISPP, you would be a part of an elite group of only 1410 HCISPP holders at the time of writing. This number is staggeringly small when compared to the (ISC)2 CISSP population which is well over 100,000 and counting!

Admittedly, the HCISPP is a much more niche certification without as much industry renown as the CISSP. However, this number is sure to grow in the coming years, as Data Privacy & Security in Healthcare continues on its massive uptrend in importance and opportunity.

Before long, I imagine there will be tens of thousands of HCISPPs and upwards of half a million CISSP holders by then!

Early Bird Gets The… Burn?

That was a pretty weak pun.

What I mean is: as seekers and holders of the HCISPP, we can certainly be considered “early adopters”. Unfortunately, being a member of this respectable minority represents its own unique challenges.

Specifically, there’s practically nothing out there in terms of learning materials or study guides for the HCISPP exam!

If you’ve stumbled across this article, it’s probably a result of having scoured the internet in search of a complete HCISPP study guide. I know when I began, it took a while to find enough study materials to be confident enough to sit for the exam.

To make it easier for everyone else, I put together this handy study guide that includes resources, tips, tricks, and a little bit of first-hand insight on how to pass the HCISPP exam.

In this guide, we’ll go over the following topics:

Let’s get started.

About the Exam

First, let’s look at the exam itself to understand, on a high level, the topics with which we will need to become familiar in order to be successful.

The exam contains 125 multiple choice questions, each with four possible answers, which you’ll have to complete within a three hour time limit.

The HCISPP exam is divided into seven domains:

Domain 1 - Healthcare Industry
Domain 2 - Information Governance in Healthcare
Domain 3 - Information Technologies in Healthcare
Domain 4 - Regulatory and Standards Environment
Domain 5 - Privacy and Security in Healthcare
Domain 6 - Risk Management and Risk Assessment
Domain 7 - Third Party Risk Management

These domains cover the breadth of industry knowledge a successful security and privacy professional will need to know in order to be successful working for healthcare business associates or covered entities.

I won’t break these domains down for you here, but I will give you a good resource available directly from (ISC)2 that does…

Official HCISPP Exam Outline

The Official ISC2 HCISPP Exam Outline breaks down the HCISPP exam domains into specific keywords, terms, and concepts.

This is a great document for understanding all of the topics in which you’ll need to demonstrate competence to pass the HCISPP exam.

I kept this reference close at hand while studying. This made it easy to connect information from my study materials back to the domain to which it was related.

For example, if I viewed a video about conducting Security Risk Assessments, I could tie that back to Domain 6 and make sure to cover all the bases on the subject - such as delving deeper into the Risk Management Framework (RMF) as suggested by the exam outline.

The outline is a great tool to see the scope of everything you’ll need to learn to pass the exam, but it’s not a great way of actually learning about each topic.

For that, let’s look at all the resources I used to prep for the HCISPP exam.

HIPAA

When it comes to healthcare security and privacy in the United States, the Health Insurance Portability and Accountability Act (HIPAA) has the final word on legal requirements and security safeguards.

HIPAA regulations dictate what covered entities and business associates must do to protect the confidentiality, integrity, and availability of protected health information (PHI).

Knowledge of HIPAA and its tenets is essential to being a successful healthcare security and privacy professional. Unsurprisingly, they are referenced very often in the HCISPP exam.

As it relates to HCISPP, the primary components of HIPAA that you should review are the following:

Knowing how each rule contributes to the field is imperative to becoming a certified HCISPP.

To prepare for the HCISPP exam, you should familiarize yourself with each of these rules and understand how they impact your responsibilities as a healthcare security and privacy professional.

A simple Google search of these three rules should yield a wealth of information, but you should also consider skimming through the rules themselves.

Unless you’re a real over-achiever, I do not recommend reading the entirety of this legalese. It would be extraordinarily time consuming and isn’t necessary to pass the HCISPP exam.

Books

For some, cracking open a 600-page long textbook and reading through the whole thing is the key to success.

If you’re in this camp, you’re in luck.

There are a number of useful books available to help you on your journey to getting HCISPP-certified.

First, let’s review the ones I used:

Official (ISC)2 Guide to the HCISPP CBK

This textbook-style resource comes from (ISC)2 itself, so it’s a good way to get information related to all seven domains in one place. Admittedly, I didn’t read it end-to-end. It makes for dry reading, and because I already have experience in the field, I was better off jumping around to chapters where I felt my knowledge was weakest. There are review questions at the end of each chapter which can be helpful for practice and memorization of key concepts. On the day of the test, I reviewed the chapter summaries. This proved really valuable as a last-minute refresher.

Healthcare Information Security and Privacy

In terms of readability, this book was a lot better than the tome-like (ISC)2 official guide. However, sometimes it came off as repetitive, and it was a little less in-depth on some topics. At the end of each chapter, there are review questions to complete. Coupled with those available in the official guide, these questions make a good addition to your practice question bank. Some of the reviewers on Amazon even claim to have passed using only this book. I found it was worthy supplementation.

There are other books available should you need them; however, I can’t personally attest to their efficacy. In fact, I could only even find one available:

HCISPP Study Guide by Syngress

The reviews don’t seem to be glowing on this one, but if you’re the equivalent of a doomsday prepper when it comes to test preparation, it may be worth grabbing.

In all honesty, I have trouble reading these kinds of books end-to-end. The ones I purchased were valuable as referential material and for filling in knowledge gaps, but I knew I needed some other mediums for learning if I was to have any hope of passing the HCISPP exam.

Fortunately, I dug up some other, more accessible resources…

HCISPP Videos

When studying for certification tests, I find visual and audio mediums for learning very effective. Also, they’re flexible. Instead of my usual podcasts, I can listen to videos in the car, or watch them wherever I have my phone. Plus, they can be engaging when it becomes tiresome to read lengthy textbooks.

In my searches, I found an entire collection of HCISPP videos available on YouTube. However, I’m not going to link them directly, because I’m not confident as to the ownership of the content.

In the meantime, I suggest you search through YouTube for anything related to HCISPP, HIPAA, privacy and security in healthcare, as well as any topics or subjects pulled out of the official exam outline.

Interactive Flashcards from (ISC)2

One of the biggest issues for prospective HCISPPs is the lack of practice questions available on the internet. There are a limited number of review questions in HCISPP textbooks, and I didn’t find any other reliable resources for them.

As it turns out, (ISC)2 offers official HCISPP digital flash cards that can double as interactive practice questions. These were crucial for me to practice knowledge and get exposed to learning directly from the same organization that creates the exam itself.

Best of all, they’re free!

Unfortunately, accessing them is kind of confusing, so here’s a step-by-step:

1. First, navigate to the HCISPP flashcard page. You will need to sign into your account and “purchase” them for $0.00.
2. Once you’ve “purchased” them (again, for free), navigate to the (ISC)2 Home Page. Make sure you are still logged in and select “My Courses” in the top menu.
3. The flashcards will show up on the left side under My Courses. Select the tile for the flashcards to open the training platform.
4. There, you should have access to the interactive flash cards by selecting each domain’s tile.
5. In the lower left, there is a drop-down menu to use different “Study Modes”. I did multiple, but found Match, Learn, and Test to be the most valuable.

These flashcards were super helpful to learn and review all the keywords, terminologies, and concepts. I probably ran through each domain 2-3 times until I was scoring as close to 100% as I could.

Being an interactive learner, I think these flashcards were the most valuable part of my studying and were a huge help for passing my HCISPP exam!

NIST Special Publications

Many of the fundamentals related to information security, cybersecurity, and privacy can be tied back to research performed by the National Institute of Standards and Technology (NIST). NIST has published multiple documents, called Special Publications (SP), that contain verbose descriptions of security challenges, best practices, standards, controls, and processes that can be adopted by organizations to secure their environments.

For the HCISPP exam, reviewing the following documents will yield some valuable insight on many different topics, such as risk management, encryption, and privacy:

Like the HIPAA rules, I really don’t recommend reading the entirety of these documents. Instead, jump to sections that map to domains specified in the exam outline.

Total Cost

By using all of these resources, most of which are free, you should expect to come in under $100 for study materials.

For three years (or more) of certification, that’s a pretty good deal.

Exam Day

I scheduled my exam for the afternoon at 2:00PM on a Monday. Obviously, the usual test-taking best practices apply here: get a solid 8 hours of sleep and eat light meals. I used PTO to take off work entirely the day of the exam.

The morning before the test, I reviewed the flashcards again for a couple of hours. After arriving at the center an hour early, I read through the Chapter Summaries at the end of the (ISC)2 HCISPP book in the car.

Overall, I believe my testing time was under 45 minutes out of the nearly 3 hours they give you, which is either a testament to my preparedness, or the easiness of the test.

Final Thoughts

Without a doubt, the HCISPP is a valuable certification to have when working as a healthcare security and privacy professional. The exam encompasses all the topics one needs to be successful in this field.

For those seeking to achieve HCISPP status, as long as you take the time to prepare and study - you will pass. It is not a particularly difficult exam, and many of us have enough experience to be familiar with the terminologies, scenarios, and answers to be successful.

Looking forward to seeing you join our ranks as an HCISPP,

Ian