Measuring Healthcare InfoSec Competency
CISO Describes Importance of Professional Credentials
Information security and privacy work in healthcare environments often requires a depth of specialized knowledge and competency that can be validated through the help of professional credentialing, says CISO Sean Murphy.
"The CIO or CISO or compliance officer ... they need something tangible to say this person has what it takes to address the complex needs of information security and privacy in a healthcare environment," says Murphy, health information privacy and security officer at the consulting firm Leidos Health Solutions Group, formerly SAIC.
"In healthcare, there are a lot of places we have very junior staff," Murphy says in an interview with Information Security Media Group. "We have people that have maybe grown up with the organization and have different roles within the organization, but now have an almost brand new responsibility in handling electronic information or protecting electronic assets.
"We need to be able to develop these personnel in a way that gives us a tangible return on investment, something that we can see very clearly - that they have been able to obtain a level of competency that is measured by a third-party," he says.
For example, while there is automation in some areas of information security, such as remote software patching, in healthcare "you have an environment where medical devices, special purpose computing platforms are out there," he says. "You have to be able to accommodate those from the perspective of a lot of it has to be done manually, you have to coordinate with the medical device manufacturers to make sure they've tested and approved the patch," he notes.
"We need people in the workforce in healthcare that understand the complexity and can work through those processes."
The HealthCare Information Security and Privacy Practitioner, or HCISPP, credential from the International Information System Security Certification Consortium, or (ISC)², not only helps to measure the competency of individuals, but is an impetus for them to stay up-to-date with the changing demands of healthcare security and privacy work, he says.
"Annually you have to maintain the level of doing the education and staying current in the profession, and growing yourself and evolving as the healthcare information security professional, privacy and security professional," he says.
In this interview, Murphy also discusses:
- The top information security priorities named by healthcare organizations participating in the 2014 Healthcare Information Security Today survey, sponsored by (ISC)², and how professional credentials such as HCISPP can contribute to organizations meeting those objectives;
- Suggestions for what factors to weigh in choosing a professional credential to pursue;
- How individuals can obtain HCISPP certification, and how it differs from other professional credentials.
As a vice president at Leidos Health Solutions Group, Murphy serves as the organization's health information privacy and security officer. He has nearly 20 years' experience in healthcare information security, serving at all levels of healthcare, from a hospital to an international integrated delivery system. He has multiple professional certifications, including CISSP, ISSMP, HCISPP, FACHE, CPHIMS and CIPP. Before joining Leidos, Murphy was a lieutenant colonel in the U.S. Air Force Medical Service Corps. He is a past chairman of the HIMSS Privacy and Security Committee and currently serves on the Excelsior College Industry Advisory Councils for Information Technology and General Technology.
MARIANNE KOLBASUK MCGEE: How can hiring individuals with professional credentials contribute to an organization meeting all or some of these goals?
SEAN MURPHY: The short answer is, [with] all of those priorities, someone with a level of competency within the healthcare [industry] can help in all of those areas. Over time, what we had learned is that when you take even the best proven information security practices from other industries and bring them into the healthcare clinical setting, to try to implement them without fully acknowledging that there are certain differences in the patient safety concerns and risks that are introduced, that is a big issue. It takes a level of healthcare savvy for an information protection professional to come into an organization and be able to implement. Sometimes, it is the tailored risk approach or controls; doing things just a little bit differently than what the prescribed control is, but still getting to the same endpoint. Then oftentimes it's developing a compensating control or some kind of mitigation action. You acknowledge that maybe you can't do this control as it is prescribed by whatever standards body you're using, but instead you're going to use this control to get to the same endpoint. Oftentimes that is a more expensive proposition, and we don't typically try to do things in security that just simply add cost. You have to be able to communicate what that value is as well to your organization.
From a clinical perspective, the value is minimizing patient safety [and] care issues. Having somebody that has a demonstrated level of competency is very important and can help with all of the priorities you outlined. I think the common thread among all of them is we need people that are able to support us in achieving those goals.
MCGEE: Why are professional credentials in healthcare security and privacy so important?
MURPHY: I think it starts with the level of assurance that healthcare leadership, whether it's the CIO, CISO or compliance officer, need to have that their workforce gets it. That they are confident and have the ability to implement the changes, controls, and security and privacy measures that are needed. They need something tangible to say, this person has what it takes. One of the things that I find as I talk to more CIOs [and] CISOs in healthcare is, in a lot of places we have very junior staff. We have people that [may] have grown up with the organization and have different roles within [that], but now have an almost brand new responsibility in handling electronic information or protecting electronic assets. We need to be able to develop these personnel in a way that gives us a tangible return on investment, something that we can see very clearly; that they have been able to obtain a level of competency that is measured by an executive [or] third-party.
When we talk about credentials, a lot of people ask, "Why credentials? Why not formal education or some other measurement? Why do we have to have these initials behind our name?" Because you know you can get training, and you know they have a great body of knowledge that they can point to within their resume. That is all tried [and] true and it is very valid. However, within many different industries, credentialing has been proven as a pretty good way of providing objective measurement to how confident somebody is within their profession. So healthcare didn't invent credentialing, but we certainly use it in a lot of different ways. Information security didn't invent credentialing, but we use it in a lot of different ways. If there is any industry in general that has really valued credentialing over others, [it] has been information technology, simply because it's so dynamic.
Five or ten years ago, credentials that were the industry standard, or the pinnacle of success, are now obsolete; the industry moves fast. I think healthcare information security is the same, it's very dynamic. Formal education degrees at the bachelor and master level are certainly very important, and they are always going to be very important. But when you talk about the level of competency for specific tactical kinds of things, these credentials that we have within the information security industry, with (ISC)² and now the HCISPP, really do point to a very relevant and reliable standard of competency, and it points to time limits. I mean this is a credential that is able to change with the changes in technology, with the changes in regulation, and it's international. That dynamic aspect is why credentialing becomes so very important.
Choosing a Credential
MCGEE: So now what would you suggest people look for in choosing a credential to pursue?
MURPHY: I think you start with looking at organizations that are leading the way in providing credentials in general. If this is the only credential, then maybe they are at the forefront, or in terms of the maturity level of an organization, they may need to have a little more experience in developing credentials and offering and maintaining them. I look for somebody that is leading the way in providing credentials at first. I want to know that the organization that is developing or offering the credential has a rigorous process in putting it together, not just something that they put out there without a whole lot of thought and strategic planning. So there is a rigorous selection process for candidates; not everybody can take the test and cut a check and get the credentials. I also like to see that there is an objective third-party that has credentialed the credentialing organization, somebody like the American National Standards Institute that has looked at the process. As I mentioned, you [should have] a rigorous process, and if the American National Standards Institute and others have looked at the process and said, yes, this passes muster for developing, maintaining and offering credentials, then I think that is a feather in that organization's cap, and it's a plus for the validity of the credential itself that they are offering.
I look at the organization that is offering the credential, and I want to see that there are bona fide subject matter experts that are putting together the credentialing process, curriculum, body of knowledge, exam, and developing the requirements to even sit for the exam. People that have worked in the field, people that are recognized, standing behind the credential that they have, [give it] that much more meaning. I really would like to see that there is a continuing education piece behind the credential. It's not a pass-once lifetime credentialing process. You get the credential but then annually, you have to maintain the level of [getting] the education and staying current in the profession, and growing yourself and evolving [as a] healthcare information security professional. That goes back to the idea that this is a very dynamic field, and what was true maybe five years ago is an old way of thinking. We've got new technology, processes, and regulations that we're dealing with. So you've got to stay on top.
One last thing is, I really think there is value in affiliating with that [credential] organization and having a network of like-minded professionals that either have this credential or [are] aspiring to this credential. In any case, it's an organization that you can also collaborate [and] network with. I think all that wrapped up in a summary statement is [I'm looking for an] organization that offers a credential, but has all of those components.
MCGEE: What specific gaps can be filled by healthcare organizations hiring HCISPPs, and how do the specific skill sets and knowledge needed by healthcare security professionals differ from other industries?
MURPHY: To start with, if you're comparing just the CISSP against a healthcare credential, there are some specific areas of emphasis. I don't know if I would call them gaps per se, but there are areas of emphasis that become very important. So if somebody has a CISSP, it doesn't mean that they shouldn't look at the HCISPP as a credential; that can also help them further communicate their level of confidence with a healthcare specific focus. But it also does very well as a standalone certification to communicate the same kind of healthcare depth of knowledge and experience. But in healthcare, for me it starts with the availability of information, patient care, [and] business processes. I would argue that it is a little more important in healthcare for availability of information than in a lot of other fields that apply information security. That is exemplified [with] the recent executive order that named healthcare infrastructure as a critical infrastructure along with several other industries. So it's an acknowledgement that healthcare information has to be available to the provider; the right provider at the right time for the right patient. It's critical for that to happen and to [have] availability, up-time, [and] network access; these kinds of things are just very crucial in healthcare. That is a starting point.
Then oddly enough with the implementation of the electronic health record, [in the] last couple of years, a lot of healthcare organizations have become very adept at using EHR. In many ways we're not as good at going back to manual processes for accessing data as we once might have been. That is proven out in several incidents where EHR went offline at different organizations; the ability to look at medication histories or previous encounters becomes very problematic, especially in an industry where time is of the essence and providers do not have an abundance of time to spend with patients. They don't have that information at the fingertips, and they don't have any kind of warning that they are not going to have that information at their fingertips. A lot of times it's very difficult to go back and pull a chart, or find some kind of a paper record or manual process to access that data for them. That's a patient care and safety issue, and those are things that are very important in healthcare. So up-time, again, and availability of information are so very important.
It's not just the lack of information per se, but in some cases, the requirements for the availability of information may be a little more stringent than what some of our vendors [or] third-parties are used to. If they have healthcare clients from a datacenter perspective, they have their client, they have clients in banking, [and] clients in retail. Healthcare, especially in the U.S., we have them respond to regulations like HIPAA and all of its amendments, which require us to have certain provisions within a datacenter or cloud environment that can be more stringent than what they might be used to with other clients. That may be the time notification alerts or segmentation of the data becomes an issue, maybe the third-party vendor wasn't necessarily looking to have to support. But we can't relax those standards, and so someone who is working in healthcare information privacy and security that [has] responsibility for third-party risk management really needs to have the healthcare savvy behind them to be able to negotiate those business associate agreements, contract language, and service level agreements that are important in those situations. They certainly can't just accept some kind of a template contract from the third-party service provider that is a take-it or leave-it option, because the law won't allow that. The personnel that are in charge of working those issues [need] to understand it and to stand behind it. Those are some of the things that [the] HCISPP tries to address and tease out through the curriculum and examination process. [They] tease out some of these nuances that are very impactful in the healthcare setting.
One other thing I mentioned earlier about best practices in information security when they are overlaid into a healthcare setting...they often have the intent, they do secure the organization and protect information, but sometimes they have an unintended effect. One of these areas of emphasis that I like to point to is things like automated patch pushing for vulnerabilities. We like to do everything remotely and automatically, and a patch, once it's tested [to] fix the vulnerability and pushed out through the organization, fixes upon the next boot-up of a machine, that's great. But when you have an environment where medical devices, special purpose computing platforms are out there, you have to be able to accommodate those from the perspective of, a lot of it has to be done manually. At the very least, you have to coordinate with the medical device manufacturers to make sure they've tested and approved the patch. If not, then you have to work through those processes, which can be tiresome and in a lot of ways not as efficient as we would like them to be. However, they are important, and [we] need [people] in the workforce in healthcare [who] understand the complexity and can work through those processes.
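The patch-gating process Murphy describes above, written out as an added example: it is not code from the original interview, from Leidos, or from (ISC)². General-purpose workstations and servers take the tested patch automatically; medical devices are only queued for a manual maintenance window once the manufacturer's approval of that exact patch is on record, and anything the inventory cannot classify is held rather than pushed to. The inventory schema, the `ApprovalRegister` shape, and every hostname, manufacturer, model and patch identifier below are constructed for the example.

```python
"""Patch-deployment gate for a mixed clinical fleet (added example).

Hypothetical schema: the inventory and the manufacturer approval register
would normally come from a CMDB and the vendors' written validation
statements; here both are constructed inline so the module runs offline.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Tuple


class DeviceClass(Enum):
    WORKSTATION = "workstation"
    SERVER = "server"
    MEDICAL_DEVICE = "medical_device"
    UNKNOWN = "unknown"  # inventory record exists but no class was ever recorded


@dataclass(frozen=True)
class Asset:
    hostname: str
    device_class: DeviceClass
    manufacturer: str = ""
    model: str = ""


@dataclass(frozen=True)
class Decision:
    hostname: str
    action: str  # "auto_push", "manual_queue" or "hold"
    reason: str


# (manufacturer, model) -> set of patch identifiers that manufacturer has
# tested and approved for that model. Hypothetical structure.
ApprovalRegister = Dict[Tuple[str, str], FrozenSet[str]]


def gate_patch(patch_id: str, assets: List[Asset],
               approvals: ApprovalRegister) -> List[Decision]:
    """Decide, per asset, how a tested patch may be deployed.

    General-purpose hosts get the automated push. Medical devices are never
    pushed to automatically: with a manufacturer approval on record they go
    to the manual queue, otherwise they are held until the vendor validates
    the patch. Unclassified assets fail closed, since an unknown box may be
    a device attached to a patient.
    """
    decisions: List[Decision] = []
    for asset in assets:
        if asset.device_class in (DeviceClass.WORKSTATION, DeviceClass.SERVER):
            decisions.append(Decision(
                asset.hostname, "auto_push",
                "general-purpose host; tested patch applies on next reboot"))
        elif asset.device_class is DeviceClass.MEDICAL_DEVICE:
            key = (asset.manufacturer, asset.model)
            if patch_id in approvals.get(key, frozenset()):
                decisions.append(Decision(
                    asset.hostname, "manual_queue",
                    f"{asset.manufacturer} approved {patch_id} for {asset.model}; "
                    "apply manually in a scheduled clinical maintenance window"))
            else:
                decisions.append(Decision(
                    asset.hostname, "hold",
                    f"no manufacturer approval of {patch_id} for "
                    f"{asset.manufacturer} {asset.model}; open a vendor validation request"))
        else:
            decisions.append(Decision(
                asset.hostname, "hold",
                "unclassified asset; fail closed until the inventory is corrected"))
    return decisions


def summarize(decisions: List[Decision]) -> Dict[str, int]:
    """Count decisions by action so the change board sees the manual workload."""
    counts: Dict[str, int] = {}
    for d in decisions:
        counts[d.action] = counts.get(d.action, 0) + 1
    return counts


# Constructed sample inventory and approval register (not real devices).
SAMPLE_ASSETS: List[Asset] = [
    Asset("ws-101", DeviceClass.WORKSTATION),
    Asset("srv-ehr-01", DeviceClass.SERVER),
    Asset("pump-07", DeviceClass.MEDICAL_DEVICE, "ExampleMed", "InfusionPump-2"),
    Asset("monitor-03", DeviceClass.MEDICAL_DEVICE, "ExampleMed", "VitalsMonitor-5"),
    Asset("mystery-01", DeviceClass.UNKNOWN),
]
SAMPLE_APPROVALS: ApprovalRegister = {
    ("ExampleMed", "InfusionPump-2"): frozenset({"KB-2014-001"}),
}

if __name__ == "__main__":
    for d in gate_patch("KB-2014-001", SAMPLE_ASSETS, SAMPLE_APPROVALS):
        print(f"{d.hostname:12} {d.action:13} {d.reason}")
    print(summarize(gate_patch("KB-2014-001", SAMPLE_ASSETS, SAMPLE_APPROVALS)))
```

The approval check is keyed on the exact patch identifier, not on the manufacturer alone, because a vendor's sign-off on one firmware or OS update says nothing about the next one; and the `UNKNOWN` branch is deliberate, so that a gap in the inventory produces a hold for a human to resolve rather than a silent automatic push.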
Professionals with Credentials vs. No Credentials
MCGEE: What are the top reasons why a health entity should choose a professional with a HCISPP certification over a candidate with a different credential, or no credential?
MURPHY: When I saw data that pointed [to] the number two most popular response, a desire to have workforce that [was] aware of privacy [and] general healthcare issues, to me it validated the water cooler conversations I've had over the years with many of my colleagues [saying] this is something that we need. We hire people that have a lot of information security or privacy protection backgrounds, and put them in a healthcare environment, and in some ways it frustrates them. In some ways it is a very steep learning curve. It's not impossible, that is certainly not the message here. Just one of the top two or three competencies that we really need out of a healthcare information security workforce is that understanding and acknowledgement of the healthcare environment. The physician, nurses, workforce, [and] medical technicians that exist come together to provide patient care, knowing that is very important. So it is interesting the survey demonstrated that. It brought that information out. That answer was given ahead of a lot of other technical and administrative skill sets that we also need within [the] healthcare environment, but they were number three, four, number five on [most] popular answers.
I think what it also points to is in healthcare, a lot of the surveys that are out there have demonstrated that we are still in an era where the major risk is internal, whether it's fully qualified authorized user doing something incorrectly or somebody snooping into records. But it is almost the inadvertent unauthorized use of protected health information [that] is really still one of our most major threats. Having the confident workforce at the ready to help build programs and awareness, and even implement technical solutions that helps you guard against the internal threat is still so very important. There is a demonstrated return on investment to having those qualifications in your organization, to at least do your best to prevent against the internal threat, because that is still kind of where we are in terms of what we're seeing as exploiting vulnerabilities in the organization. It is still primarily internal; however, as we move into the next year or two, the external threat is certainly catching up to us. They are finding out that medical records, if you can get a hold of that, [are] worth about four times as much on the black market as the social security numbers [are]. In terms of medical identity theft, financial identity theft, it's a very valuable target. So they are coming, and we have to guard against that as well. So having a confident workforce, having these credentials and personnel helps to keep them current on that kind of a concept. This is kind of looking out in the very near [future] and getting ahead of any threats that we see coming from the outside. Having people that are continually developing themselves as professionals and having special organizations they can network with is still very crucial. Even for being able to program and implement the technology and administrative controls, you're going to need to defend against the external threat which is growing.
To answer your question directly, would I look for this credential as a hiring authority? The short answer is yes for all the reasons that I've outlined. If I'm looking at two relatively qualified individuals, and I see one has taken the time to invest in themselves and the profession of healthcare, I think that communicates so very much in the span of about five letters. If I see HCISPP, I know a lot about that candidate immediately, and I think that's going to become more prevalent as the credential grows. The headlines continue to read, data breach in healthcare, data breach in healthcare. There are a lot of people that are looking for answers. I look for a day when healthcare is going to need to be able to demonstrate that their workforce is competent in some way, shape, or form to handle this information. It's not an additional duty that's strapped on to the guy or gal that shows enough interest in it that they get the job.
Positions of an HCISPP
MCGEE: What sorts of jobs and roles in the healthcare sector would someone with a HCISPP credential typically hold?
MURPHY: I think if you walk into a healthcare organization and ask people, who is responsible here for protecting information? Probably every hand in the room would go up because you go through HIPAA training and used-data protection training; we all grow up with the idea that we're all responsible in some way, shape or form. Healthcare is interesting, there are many communities that have long had a role in protecting information in one way, shape or form, and those communities are really coming together through the use of more electronic information and network devices. I see three major communities in a healthcare organization that this kind of a credential would apply to very specifically.
First, I would look at the individuals that used to work, well they still work in what we call the health information management area, and they are the medical record professionals. Those records are becoming more digital. There is still a lot of paper in most healthcare organizations, but healthcare information management is becoming a very digital profession and with that comes the HIPAA security rule. They already are experts in the HIPAA privacy rule, but they are taking on this additional electronic protected health information role and this credential is a great measure for the work they do, and it applies to them.
The other community is the IT professional, that either has worked in healthcare for a while or the IT professionals that are coming from other industries, like retail [or] financing. They are walking into a healthcare organization and some of the domains that are covered in the credential cover those domains that are healthcare specific. [It] helps them to get that savvy that is going to be needed to tailor the controls, develop compensating controls, and just implement healthcare information privacy and security that actually enables patient care and minimizes risk.
The last community is one that I think has long [said], we do a lot with information technology, specifically healthcare information technology. Those are our biomedical technicians, clinical engineers. They have long been in the information technology business with medical devices, and those medical devices are becoming more networked, and that statement is almost passé. Almost any medical device right now is looking for a way to be networked, whether it's a body area or a personal area network. The clinical engineers and biomedical technicians are doing information technology and security as much as anybody else in the healthcare industry right now, if not maybe a little bit more. This credential is one that is a great way for them to show their competency and ability, because the domains are all basically within HCISPP; the domains are all basically things that they are doing and things that they know.
Those three communities are coming together. In the middle of that diagram is the ideal HCISPP person who is pretty much cognizant and aware of all those different types of issues those three communities work with, because they are converging. They are all having the same conversations and the issues, and they always have had to work together to make sure the organization provides clinical care and optimizes revenue. Even more so now as everything is becoming more digital, more networked, regulations are reflecting that. I think those three communities have the most vested interest in this credential. I've outlined some of the job titles that those people would have, but certainly network administrators, IT healthcare professionals, IT directors [and] CISOs would be looking at this credential. Of course, I finish up with the biomedical technicians, biomedical engineers [and] clinical engineers in the organization; they would be well-suited with a credential like this.
How to Get Credentialed
MCGEE: How would professionals go about getting the HCISPP credential?
MURPHY: As it is kind of a brand new credential, there are education offerings and different study materials coming out. The first place I would go to is the (ISC)² website and look through what is available online right now to describe the curriculum. There is some information out there on what experience levels are for being able to study for the exam. This credential is a practitioner-based credential. There is a lot of experience that goes into building the curriculum. Not to put too sharp a point on this, the curriculum is more developed from the experiences of the subject-matter experts that put it together. Through years of experience, these are the things that we encountered. If you have experience in healthcare and information security and technology, you'll see a lot of the same kind of issues that you've dealt with through your career, depending on how much experience you have. There is a curriculum, and it is developed with learning objectives on a common body of knowledge. They just recently launched a training program for helping people to focus on the study materials and sources rooted in the National Institute of Standards [and Technology] special publications. If you are familiar with some of those, you'll do very well. It's really relating to how the information security [and] privacy professional relates in their organization, putting into place the policies and procedures to protect information [and] the technical aspects of controls. Then, an acknowledgement of the ability for them to be able to tailor and drive compensating controls.
Last but not least, after you've gotten done looking at the website and have found yourself within the experience level in the certain domains that are required, and you feel like you're a candidate for the exam, take the training that is available. There will be text that will be available pretty soon from (ISC)² that outlines the common body of knowledge and provides a good study guide for taking the exam. But I guess as I close on that thought, I want to emphasize that it's not about reading a book and taking a test. You've got to have the experience, at least in some of the domains, and then certainly learn more about the other domains. So if you're strong in one or two domains, and you haven't worked in healthcare for very long, you'll learn that. There is no one study guide, no one particular source that you want to run to and then go take the test, because that is not the way this was developed.