The healthcare industry is struggling to keep up with cybersecurity threats, which by now have become commonplace. According to the HIPAA Journal, over the last decade, the number of breaches has risen every year except one, and 2018 saw a 158 percent year-over-year increase in the number of exposed healthcare records. In Healthcare Information and Management Systems Society’s 2019 cybersecurity survey, 76 percent of 166 infosec leaders surveyed said their organization had a breach in the past year.
The growing number breaches underscores the need for more skilled cybersecurity professionals. Like all the other sectors, however, the industry can’t fill many cybersecurity jobs. The most-recent number from the (ISC)2 annual workforce study estimates the shortage of cybersecurity professionals at 2.93 million globally. In the United States, there were 313,735 cybersecurity job openings between September 2017 and August 2018, according to CyberSeek, a NIST-supported cybersecurity-job-market initiative.
This demand — created by the growing risk on one hand and the talent gap on the other — is great news if you’re trying to grow your career in healthcare cybersecurity. However, it doesn’t guarantee a job. Employers want to ensure they’re hiring candidates with the right skills, and they typically look for validation like industry certifications.
Every career path in cybersecurity offers a variety of certification choices, but if you’re planning to be in the healthcare niche, you may be trying to decide between Healthcare Information Security and Privacy Practitioner (HCISPP) and Certified Information Systems Security Personnel (CISSP). (ISC)2, which is considered one of the leaders in professional cybersecurity certifications, offers both of these credentials. They’re both solid choices but cover different focus areas and skill sets.
Benefits of CISSP
Considered by many as the gold standard for infosec professionals, CISSP is one of the certifications that are in highest demand by employers across all sectors. Jobs that require CISSP range from security analyst to chief information security officer.
An informal analysis of five top certs by Business News Daily found that CISSP was, by far, listed in the highest number of relevant jobs on four top job boards. Almost 50,000 jobs listed CISSP; the second-highest, CISM (Certified Information Security Manager, from ISACA), was listed in a total of just over 20,000 jobs.
In terms of compensation, CISSP is also at the top. Certification Magazine’s 2019 salary survey puts CISSP in the No. 22 spot out of 75, with an average U.S. base salary of $127,560. (The previous year, it was in the No. 20 spot, with $131,030 average salary.) When broken down into engineering and architecture, however, in the 2018 survey, CISSP jobs were in top second and third, respectively ($145,940 and $144,700). These were the highest salaries for vendor-neutral certifications. In the 2019 survey, CISSP for architecture came in second ($153,000).
Overview of CISSP Exam
CISSP is not a beginner cert — to qualify for the exam, you need at least five years of cumulative, paid experience in at least two of the domains covered by the credential. The exam knowledge body includes eight domains:
- Security and risk management (15 percent of the exam)
- Asset security (10 percent)
- Security architecture and engineering (13 percent)
- Communication and network security (14 percent)
- Identity and access management (13 percent)
- Security assessment and testing (12 percent)
- Security operations (13 percent)
- Software development security (10 percent)
The three-hour exam contains 100–150 questions, and you need a minimum score of 700 out of 1,000 to pass. The certification is valid for three years and recertification requires 120 continuing professional education (CPE) credits.
Benefits of HCISPP
HCISPP is a stand-alone credential — you don’t need to earn CISSP in order to qualify for it. Like CISSP, it’s a vendor-neutral certification, but it’s much narrower in scope because it’s only focused on healthcare.
In terms of salary, jobs listing the HCISPP cert pay lower on average compared to CISSP. HCISPP landed in the 29th spot in the Certification Magazine’s 2019 salary list, with an average U.S. salary of $119,940. PayScale also showed lower compensation for jobs listing HCISPP, at $98,000 versus $108,000 for CISSP.
The difference may be due in part to a broader sampling of sectors employing CISSP professionals. For example, some global tech enterprises would have much higher salaries, driving a higher average. Additionally, some tech regions may have a higher concentration of CISSP holders, and those regions are often in markets that have higher cost of living.
In Certification Magazine’s 2017 salary survey, 45 percent of those holding HCISPP said that after becoming certified, they felt there was a greater demand for their skills. Interestingly, those who had the cert were also older than in other categories, and the majority were IT veterans. Since this credential program was only a few years old at the time, this may indicate that those who pursue it are not doing so as a springboard into their careers in healthcare security.
(ISC)2 says lists the following five reasons that create high demand for HCISPPs:
- They understand the healthcare environment: Since healthcare has a unique set of challenges, threats and practices, specialized knowledge has a major advantage, compared to a generalist’s understanding of the industry
- They help manage risks: HCISPPs not only have knowledge that’s specific to the threats and risks of healthcare security, but also understand the unique requirements related to personal health information
- They show commitment to the healthcare industry: The specialized cert validates their pledge to keep patient data secure
- They contribute to the patient experience: HCISPPs are essential to providing programs and services within a secure ecosystem
- They show they’re serious about their healthcare career: Getting certified demonstrates their commitment
Overview of the HCISPP Exam
The HCISPP cert requires less experience than CISSP — only two years of cumulative, paid work experience in at least one of the exam’s domains. There are also fewer domains on this exam (six versus eight for CISSP):
- Healthcare industry (10 percent of the exam)
- Regulatory environment (16 percent)
- Privacy and security in healthcare (26 percent)
- Information governance and risk management (17 percent)
- Information risk assessment (16 percent)
- Third-party risk management (15 percent)
There are 125 questions on the three-hour exam, and the passing score is the same: 700 out of 1,000. The certification is also valid for three years but requires fewer CPEs to maintain — 60 compared to 120 for CISSP.
CISSP vs. HCISPP
HCISPP is one of the newer (ISC)2 credentials, introduced in 2013, whereas CISSP has been available since 1994. Besides the depth of the exam, prerequisite experience, cost of certification and number of CPEs for recertification, there are two fundamental differences between these two certs:
- The knowledge covered by CISSP is more technical, with a lot of the focus on security controls and operations. The HCISPP exam, on the other hand, puts more emphasis on healthcare regulatory issues, data governance and risk management
- Most of the principles in the HCISPP exam are specific to healthcare or viewed through the lens of a healthcare context. There’s also a lot more emphasis placed on privacy rather than security
Deciding the Best Path for You
If you’re just starting your infosec career, HCISPP can help you grow in the healthcare security, but the limited certification scope makes it less useful if you decide to move into a different sector. For those who love the healthcare field and plan a long-term tenure in it, this credential will help enhance skills and become more competitive. And if you’ve in healthcare IT for a long time, this is a good step toward higher management or risk management roles.
But if you’re still relatively new to the cybersecurity industry and want to keep your options broad, you are better off with CISSP. It’s not only applicable across sectors but also gives you a much better technical foundation. Since it doesn’t have much crossover with HCISPP in terms of domains covered, you may want to consider it as a next step once you decide on maintaining longevity in the healthcare industry.
- 2019 HIMSS Cybersecurity Survey, Healthcare Information and Management Systems Society
- Analysis of 2018 Healthcare Data Breaches, HIPAA Journal
- 2018 Cybersecurity Workforce Study, (ISC)2
- Hack the Gap: Close the cybersecurity talent gap with interactive tools and data, CyberSeek
- Best Information Security Certifications 2019, Business News Daily
- Salary Survey 2018, Certification Magazine
- Salary Survey 2019, Certification Magazine
- The Ultimate Guide to the CISSP, (ISC)2
- Top Five Reasons Why HCISPPs Are in Demand, (ISC)2
- Salary Survey Extra: Deep Focus on HCISPP, Certification Magazine
- The Ultimate Guide to the HCISPP, (ISC)2
- CISSP Certification Exam Outline, (ISC)2
- HCISPP Certification Exam Outline, (ISC)2