Keep up with the latest on information governance as this key strategy emerges for addressing a myriad of information management challenges in healthcare. This blog will highlight the trends and opportunities IG presents for ensuring information is treated as an organizational asset.
By Robert Brzezinski, MBA, CISM, CHPS, CISA
I joined the ranks of Certified in Healthcare Privacy and Security (CHPS) professionals in 2011, when I was building my consulting practice. This was not the first healthcare privacy and security certification I obtained, but this AHIMA credential is one I decided to keep because of its footing—such as health information management (HIM) professionals, privacy officers—and recognition in healthcare. Over the years, I also obtained technical certifications from ISACA (CISA and CISM) and worked with the AHIMA Exam Development committee to strengthen the information security/technical component of the CHPS certification, to minimize knowledge and communication gaps between privacy and security professionals.
Why are privacy and security certifications important?
Working in the trenches allowed me to see the influx of security and risk management consultants, gurus, ninjas, and products that do NOT adhere to commonly used terminology or standards. I’ve seen:
- Checklists and risk analysis products that did NOT map evaluated controls to HIPAA standards or implementation specifications, or any other controls (i.e., NIST, ISO)
- “Innovative, proprietary” risk treatment categories that are not clear, and significantly different from standardized terminology used by NIST, AHIMA, or ISACA
- HIPAA risk analysis completed by security professionals focusing entirely on security rule, but missing nearly all privacy compliance requirements, exposing organizations to basic compliance deficiencies
- HIPAA assessment tools missing privacy rule compliance
Privacy and security is one of the ten competencies under the Information Governance Adoption Model (IGAM™), which requires effective controls to properly manage the privacy, security, access, and sharing of data and information, and to manage associated risks. To effectively communicate risk management, we must use standardized risk treatment terminology: avoidance, mitigation, acceptance, or transfer. To evaluate organizational risks, one must understand that privacy and information security is not just about scanning systems or safeguarding information confidentiality, but also about ensuring information integrity and availability (the “CIA triad”). Lack of common, standardized controls, methodologies, terminology, and clear definitions is an information governance issue, that will put the organization at disadvantage in any audit situation (questionable quality of risk management or assessments). Speaking different “languages” makes organization’s risk management and responses to regulatory inquiries more challenging and costly.
I believe in professional certifications for two major reasons:
- They verify that professionals obtained and maintain (through continuing education requirements) a standardized body of knowledge
- Certified professionals adhere to standards of performance and job ethics
Interested in managing healthcare privacy, security, compliance, or HIM?
It all starts with this question: Where do you see yourself five or 10 years from today? As of April 2018 (when this post was published), an Indeed.com search shows nearly 200,000 full-time openings for information security jobs, and more than 22,000 full-time openings for information privacy jobs.
I always thought about the CHPS as a primary credential for the role of privacy officer, HIM director/manager, records or audit manager, or compliance officer (in larger organizations), or privacy/security officer in smaller organizations. CHPS can also be a secondary certification for security or compliance officers with technical certification to improve their privacy acumen. I see CHPS-credentialed professionals working independently or in managerial roles; the Indeed.com search for information privacy managers jobs shows almost 10,000 full-time openings, many in healthcare.
The CHPS Advantage
Healthcare is a unique environment, but not all operational or security challenges are unique. Many IT systems, access management, process efficiency, or governance challenges are like banking or government. Healthcare does not have to reinvent the wheel, it can learn and adapt what works best.
- Professionals moving into healthcare security or the Governance, Risk Management and Compliance (GRC) space, would benefit from CHPS certification that emphasizes privacy rule compliance requirements.
- Healthcare professionals interested in advancing their careers into HIM or healthcare GRC fields should consider it, as well as those considering entering into privacy and security; based on further interest, they may want to consider additional technical/security certifications.
- HIM professionals have intricate healthcare terminology, data, and processes knowledge that security professionals do not have. Being able to translate and understand each other is a key to healthcare security and transformation.
- Privacy and security are NOT going away. Bridging and clarifying privacy and security aspects of various regulations (HIPAA, GDPR, NIST, US and state data protection legislative efforts, etc.) will require skilled, certified professionals.
- NIST 800-53 Privacy and Security Controls for Information Systems and Organizations version 5 (draft) establishes common security and privacy foundations for security and privacy, for both the government and private sector. It combines security and privacy controls across all security categories.
The business of healthcare is changing, but data protection, compliance, and governance requirements are not going away. As we consolidate health systems, change business models, digitize healthcare data, modernize service delivery, and expand use of analytics for healthcare data, information governance, risk management, and compliance efforts will become paramount for the success of healthcare transformation. We will need more CHPS professionals who understand the operators’ terminology, standards, modern processes, and tools, who speak the same language, and who can sometimes step in and do the operator’s job. We’ll need certified professionals who follow professional and ethical principles.
I believe that the need for individuals with abilities to understand the privacy, security, governance, and compliance challenges (from both IT and HIM perspectives)—and translate them into risk management, strategy, and business terms—will be indispensable.
Robert Brzezinski (firstname.lastname@example.org) is the principal of Bizwit LLC and a member of the AHIMA CCHIM Commission on Certification Exam Development Committee.