Measuring Healthcare InfoSec Competency CISO Describes Importance of Professional Credentials
Sean Murphy

Information security and privacy work in healthcare environments often requires a depth of specialized knowledge and competency that can be validated through the help of professional credentialing, says CISO Sean Murphy.

"The CIO or CISO or compliance officer ... they need something tangible to say this person has what it takes to address the complex needs of information security and privacy in a healthcare environment, says Murphy, health information privacy and security officer at the consulting firm Leidos Health Solutions Group, formerly SAIC.

"In healthcare, there are a lot of places we have very junior staff," Murphy says in an interview with Information Security Media Group. "We have people that have maybe grown up with the organization and have different roles within the organization, but now have an almost brand new responsibility in handling electronic information or protecting electronic assets.

"We need to be able to develop these personnel in a way that gives us a tangible return on investment, something that we can see very clearly - that they have been able to obtain a level of competency that is measured by a third-party," he says.

For example, while there is automation in some areas of information security, such as remote software patching, in healthcare "you have an environment where medical devices, special purpose computing platforms are out there," he says. "You have to be able to accommodate those from the perspective of a lot of it has to be done manually, you have to coordinate with the medical device manufacturers to make sure they've tested and approved the patch," he notes.

"We need people in the workforce in healthcare that understand the complexity and can work through those processes."

The HealthCare Information Security and Privacy Practitioners, or HCISPP, credential from the International Information System Security Certification Consortium, or (ISC)² , not only helps to measure the competency of individuals, but is an impetus for them to stay up-to-date with the changing demands of healthcare security and privacy work, he says.

"Annually you have to maintain the level of doing the education and staying current in the profession, and growing yourself and evolving as the healthcare information security professional, privacy and security professional," he says.

In this interview, Murphy also discusses:

  • The top information security priorities named by healthcare organizations participating in the 2014 Healthcare Information Security Today survey, sponsored by (ISC)², and how professional credentials such as HCISPP can contribute to organizations meeting those objectives;
  • Suggestions for what factors to weigh in choosing a professional credential to pursue;
  • How individuals can obtain HCISPP certification, and how it differs from other professional credentials.

As a vice president at Leidos Health Solutions Group, Murphy serves as the organization's health information privacy and security officer. He has nearly 20 years experience in healthcare information security, serving at all levels of healthcare, from a hospital to an international integrated delivery system. He has multiple professional certifications, including CISSP, ISSMP, HCISPP, FACHE, CPHIMS and CIPP. Before joining Leidos, Murphy was a lieutenant colonel in the U.S. Air Force Medical Service Corps. He is a past chairman of the HIMSS Privacy and Security Committee and currently serves on the Excelsior College Industry Advisory Councils for Information Technology and General Technology.




Around the Network