HealthCare Information Security and Privacy Practitioner (HCISPP) Briefing Paper. Piloted by the Cyber Security Programme

Transcription

1 HealthCare Information Security and Privacy Practitioner (HCISPP) Briefing Paper Piloted by the Cyber Security Programme Published August 2015

2 2 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

3 We are the trusted national provider of high-quality information, data and IT systems for health and social care. Author: Dayam McIntosh Project Manager, Cyber Security Programme Health and Social Care Information Centre Responsible Manager: Dan Taylor, Cyber Security Programme Head Version: Date of publication: 12 th August Copyright 2015, Health and Social Care Information Centre. All rights reserved.

4 Contents 1. About the Pilot Pilot details Pilot benefits 6 2. About the Course 6 Examinations 7 Ongoing Continuing Professional Development About (ISC)² - the Training Supplier Evaluation 8 3. How to get involved? The purpose of expressions of interest process Entry criteria Expressions of Interest dates 11 How will someone with HCISPP help our organisation? 11 4 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

5 1. About the Pilot This pilot aims to qualify 100 members of staff in key positions in the field of information security. It also seeks to evaluate such a tailored qualification to see if this, or one like it, could be rolled out further across health and care. The pilot also aims to do the following: Ensure that key staff have a greater awareness of, and a relevant qualification in, Cyber Security related governance. To test the viability and suitability of the HCISPP certification programme for further roll out and/or endorsement by HSCIC to health and social care organisations. To empower health and social care with more in depth knowledge on cyber threats, vulnerability management, reporting and protocols in operational areas with patient/client recording systems or developing services. This pilot is part of the Cyber Security Programme hosted by the HSCIC. We are working in partnership with the Department of Health to deliver a Cabinet Office and HM Treasury funded programme designed to build the awareness and capability of the health and social care sector in terms of Cyber Security and threat management. The need to do this is also backed up further as a deliverable in the NIB Framework and in the HSCIC Business Strategy , both of which centre around ensuring the patient/customer record is kept safe within our care. HSCIC has already trained a number staff in Information Security related qualifications with a training supplier called (ISC)², one of which is the HCISPP which has been tailored to suit the Health and Care sector. Before the programme can make further recommendations we need to gain a clear understanding of what is needed. 1.1 Pilot details HSCIC is offering a free course, exam and certification in information security and privacy. These elements will be free for participants as part of the pilot. HSCIC must spend money wisely. Although we recognise travel, subsistence and lunch are often bonuses to such events we would like to ensure a level of joint commitment is gained by health and social care employers and participants. Travel, subsistence and lunch will not be provided. Beverages will be provided throughout the classroom dates show. 5 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

6 Here are some quick fire facts about this pilot:. Output: 100 Courses and examinations of 100 Health and Social Care Staff Pilot delivery start & end: 19 th October to 11 th December 2015 Venues: Leeds, Manchester, Birmingham, Reading, London Classroom based learning: 4 consecutive days Monday to Thursday Examinations: 3 hour examination at a local Pearson s UK Test centre Friday Travel and subsistence: HSCIC will not pay for the travel or subsistence of participants. Course costs: The course, exam and certification are all free to participants and their organisations Ongoing certification and membership: HSCIC will not fund any continuing development or membership fees linked to recertification. Standard practice dictates that the individual have the option themselves to pick up such costs cost (12 months after successful certification) Beverages: Beverages will be supplied. Lunch will not be supplied, participants should bring their own, or use nearby facilities 1.2 Pilot benefits The pilot aims to realise the following benefits: Increased effectiveness of security and the ability to adapt to change Increased vigilance of cyber and security space Improved health and social care sector s ability to learn from experiences, mistakes and successes of peers Identification of job roles key to making cyber security more effective Improved ability to implement future plans and guidance among set groups of staff across health and social care Improved knowledge on protecting health and social care networks Find Cyber Champions embedded throughout health and social care, installing foundations that can be further developed Provide access to subject and sector specific knowledge 2. About the Course The HealthCare Information Security and Privacy Practitioner (HCISPP) certification from (ISC)² is the only credential that provides healthcare employers with industry-leading validation of your foundational knowledge, experience, and commitment to addressing security and privacy concerns 6 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

7 within healthcare. As a HealthCare Information Security and Privacy Practitioner, you are the front-line defence for protecting health and care information. The course aims to improve the overall experience and quality of care patients receive by helping you to recognise the risks and potential consequences of exposed sensitive data and using the proper security and privacy controls to protect it. There is a growing need for security and privacy practitioners who possess the foundational knowledge and experience necessary to protect this sensitive information. That is where the HCISPP comes in. The HCISPP certification is the ideal credential for those with the core knowledge and experience needed to implement, manage, or assess the appropriate security and privacy controls of a healthcare organization. HCISPP draws from a comprehensive, up-to-date, global common body of knowledge and ensures practitioners know the best practices and techniques to protect organizations and sensitive data against emerging threats and breaches. Examinations The examinations will be held at Pearson UK Test centres. As this is a security related certification identifying and checking participant standards is more focussed. So, on exam day: Participants are required to produce two suitable pieces of Identification such as a passport for example. See page 28 of the Exam Outline for more details. Participants must also agree to a the (ISC)² Candidate Background Qualifications, a Code of Ethics and a Non-Disclosure Agreement. The exam itself is for 3 hours and is 125 multiple choice questions. The exam has a save function giving participants the ability to save and go back to questions throughout. To pass, participants need to score 700 points or above out of a possible 1000 points. Ongoing Continuing Professional Development The HCISPP certification lasts 3 years so long as participants continue to develop their skills in line with (ISC)² Continuing Professional Education (CPE), 7 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

8 also known as Continuing Professional Development. This includes training or qualifications linked to the domains that form HCISPP. These relate to: Healthcare Industry Regulatory Environment Privacy and Security in Healthcare Information Governance and Risk Management Information Risk Assessment Third-Party Risk Management There is also an annual membership fee payable by participants to (ISC)², which is usual with most leading qualifications payable after 12 months of passing the exam. 2.1 About (ISC)² - the Training Supplier Inspire. Secure. Certify. International Information System Security Certification Consortium, Inc., (ISC)², is the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. (ISC)² are recognized for Gold Standard certifications and world class education programmes. (ISC)² provides vendor-neutral education products, career services, and Gold Standard credentials to professionals in more than 160 countries. We take pride in our reputation built on trust, integrity, and professionalism. And we re proud of our membership an elite network that has over 100,000 certified industry professionals worldwide. For more information Evaluation The pilot will fully evaluate the way that the course was run as well as the content and delivery. Along with evaluating the course delivery, we would also like to know how you will use the knowledge. This is important should there be a comprehensive update to the learning materials or exam in the future to make them more fit for health and social care. We have tried to include some of this in the expression of interest process. The pilot also aims to conduct a series of short case studies on volunteers who successfully pass their exam to get qualitative perspective of how the pilot went. 8 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

9 3. How to get involved? Check the entry criteria to ensure you meet our requirements, then simply complete and the Expression of Interest form to 3.1 The purpose of expressions of interest process The Project will undertake a longlist and then shortlist process to ensure the following: To ensure there is the desired type of participants on the course. To ensure there is a representative cross section of health and social care staff present. To find out what interest the potential participant has in this subject. To find out what role the participant holds and where the course subject matter fits in. To ensure no more than 2 participants from any one organisation attends the course. To gain permission from the participants employer to attend the course. To get a level of buy-in for the participants employer via sharing the name of a sponsor within each organisation. 3.2 Entry criteria Here are the criteria we will be using to eventually shortlist 100 participants. After this process we will contact everyone on or shortly after the closing date - 30 th September 2015: (1) Participants must have 2 years of continuous health and social care experience. (2) Participants must work in one of the following organisation types: a. Department of health or other national health or social care agency b. NHS trusts c. Clinical Commissioning Group s, Clinical Support Unit s and NHS England Area Teams d. Councils with Adult Social Care and/or Public Health Responsibilities e. GP practices or groups f. Registered care homes or care providers (3) Participants must tell us why they are suitable for the course by listing current or active projects, programmes or operations. 9 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

10 (4) Preferred participants are those who have some influence or responsibility for data processing, data warehousing or accurate recording in areas where large volumes of health and social care patient/customer personal identifiable data is stored. (This doesn t mean that we are looking for people who specifically work within ICT. Clinical managers or practitioner managers who make decisions about data processing or recording are also suitable for this qualification.) Other areas include: Those who have access and/or responsibility for the day to day security of large quantities of health or social care personal identifiable and/or sensitive data Those who have access and/or responsibility for the day to day recording of large quantities of health or social care personal identifiable and/or sensitive data in practice Those who are responsible for high levels of data processing Those in a staffing group typically associated with being responsible for information security, or being part of it. Manager and supervisors of data quality and play a part in internal cyber threat detection Managers of functions that are developing, creating or transforming new services. New knowledge may influence the security of such systems or services. (5) Specific job titles of interest: a. Chief Information Officers b. Senior Information Risk Owners c. Caldicott Guardians d. Head of Information Governance or Information Governance Managers e. Privacy Managers f. Information Security Managers g. Information Management and Technology Managers h. Programme/Project Managers involved in system build of redevelopment i. System Developers j. Client Information System or Network Managers k. Compliance Managers - in similar areas as programme/project managing 10 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

11 l. Data Quality Managers m. Clinical informatics specialist Managers n. Service desk Managers o. Head of Patient/Customer Records departments (6) Participants must state how this certification will help their organisation. 3.3 Expressions of Interest dates Open to entries Immediately Closing date for entries 30 th September s letting potential participants know they have been successful or not 5 th October 2015 How will someone with HCISPP help our organisation? As above the pilot is targeting individuals who are close to data processing, data warehousing and in areas where personal confidential data (PCD) is stored. Again this is so that we lay the foundations for health and social care to take Cyber Security with the importance it is due as well as implement such knowledge and skills in practice. The main benefits to organisations are: Solidify front-line defence with staff who are certified healthcare information security and privacy practitioners. To partly help organisations to demonstrate the organisation s proactive commitment to minimizing the risk of breaches. Increase confidence that participants can do the job right. In time, mitigate risk by starting the process of ensuring third-parties that handle PCD have the right checks and balances in place in term s information security. Increase organisational integrity in the eyes of clients and other stakeholders. Ensure practitioners stay current on emerging and changing technologies as well as security and privacy issues related to these technologies through the continuing professional education requirements. So in summary we want to enable people who will be able to influence and promote cyber security as well as set the foundations we need to take cyber security further. Our aim is to: 11 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

12 Ensure that every citizen s data is protected We want to do that with the sector and are providing this as a further opportunity to develop even better relations with Health and Social Care organisations. 12 Copyright 2015, Health and Social Care Information Centre. All rights reserved.

13 Published by the Health and Social Care Information Centre Cyber Security Programme For further information Copyright 2015 Health and Social Care Information Centre. All rights reserved. This work remains the sole and exclusive property of the Health and Social Care Information Centre and may only be reproduced where there is explicit reference to the ownership of the Health and Social Care Information Centre. This work may not be re-used by NHS and government organisations without permission. 13 Copyright 2015, Health and Social Care Information Centre. All rights reserved.