Security Musings

Musings on Certifications

Collected musings on information security certifications.

Does GIAC need to create a HIPAA Certification?

GIAC Advisory Board

First, a bit of a discussion of the landscape. Recently, I was contacted by a former employee of HIPAA Academy telling me that GIAC needed to create a HIPAA certification. It seemed like a lot of work, but we would be willing to do it if the world needed it. To get clarification, I asked the GIAC Advisory Board (students that score 90 or above on their exams are invited, and they are a pretty smart bunch of folks). Here are their thoughts.

A recent HIPAA audit, the first, was generated from an internal complaint and not from an "at random" audit.

I am not sure how much value this would be to a company like the one I work for. The law firm that we use worked with us to form our HIPAA policy, and it was signed off by them. I feel that they are the ones who would closely monitor HIPAA changes. As you know, HIPAA does not fully address how things will be done; in a nutshell, all it states is that patient data will be protected. The skills I learned in the GSEC, GCFW, and Securing Windows classes were of more value to me in applying HIPAA-type measures. HIPAA still falls short though. Case in point: we state within our HIPAA policy that we do not change passwords on our Windows systems or our EMR; it does state that we do have passwords... just not industry best practices. By the way, the password policy is not my doing (I know better)... the doctors can't seem to remember or be bothered by the changing of passwords or their complexity.

In a nutshell, HIPAA is open for interpretation. One consultant who comes in will say something completely different from that of another. Your classes already teach the basics of what needs to be known. It would be more important to us for a consultant to have had prior experience with hospitals and other medical facilities than to just be HIPAA certified. There are some pretty good documents out for HIPAA compliance:

At a recent seminar I attended on compliance, they indicated that all compliance guidelines describe similar requirements. Common elements:

- risk assessment
- policy, process and technical control
- measurement of effectiveness
- adjustment and adaptation
- rinse and repeat

COSO, COBIT, HIPAA and FFIEC compliance require similar processes. It was also stated that you should look at the compliance regulations above you and try to implement them (i.e. HIPAA was drawn from ISO 17799). Also one should look at the other compliance regulations, like Sarbanes-Oxley, since they have tighter, more specific, requirements.
If GIAC comes up with a HIPAA cert COUNT ME IN! As part of my network security duties I have to deal with auditors for HIPAA as well as SOX. I'd love to do a GIAC HIPAA cert for the challenge because I know if it's like your other training it will be top notch and very tough...and rewarding in the end. That being said thanks for starting this whole GIAC cert thing. The training I've received from SANS events in the last two years is second to none and the instructors have been amazing.

As an employee of an IT service provider, I find myself working in a number of medical offices. While I use best practices and common sense, I'm pretty sure that it would not be enough if there was a serious audit (are there ever any less than serious audits?). Even though my boss clearly does not believe in the value of certifications, a GIAC HIPAA certification would be something that I would consider pursuing, because the reputation that GIAC has for focusing on real-world aspects of the industry would give me peace of mind that I am really doing due diligence.

I would personally pursue this certification path if it became an option. I think that as compliance issues become more visible due to the increasing threat of negative consequences (perceived or real), the need/desire for credible compliance professionals will also increase.

Along the same lines, has SANS considered developing a SOX/GLBA certification? I like the concept of the GSC, but I think that to truly call oneself a "compliance expert," you should be as knowledgeable of major compliance requirements as possible. Perhaps the legal courses could be part of this "platinum" level certification as well?

I'm very interested in seeing this possibility. While my organization is not a covered entity, they provide the EMR system for all of the hospitals statewide. I was chosen because of my background and my SANS and ISC2 certifications. They felt these lent a level of credibility to their program that they did not have already. At any rate, even though we are not a "Covered Entity," as they provide the EMR and use PHI for permissible research, they are contractually obligated by their constituents who are "Covered Entities" to abide by the rule. Therefore, in the realm of service providers, I believe the HIPAA cert would be most valuable - for credibility's sake as a selling point to the check writers and actionable skills to the ones holding the cert. The mixture of the exams between legal interpretation and technical implementation how-to would be interesting to hone. In my case, as an officer in the company, I will be working directly with the in-house legal counsel to create action items (and plans for implementation) from her take on the rule(s).

In the end, I'll take the course and I am certain that it would be a no brainer for me to sell this to the board for myself and at least a majority of the staff under me (and even some of the informaticians as they deal with PHI daily.)
I would take a wait-and-see approach with these HIPAA audits and the certification. Until this first audit was conducted, most of us in health care security felt that HIPAA Security was dead on arrival. Some real progress was made with HIPAA Privacy, but the implementation of HIPAA Security has been an abysmal failure thus far, largely due to pushback by physicians, lack of adoption by the clinical application vendors, and no enforcement. Most of the major clinical vendors are still providing applications that are woefully inadequate from a HIPAA perspective. It would not be uncommon at all for one of these vendors to implement a major system on your network that they are responsible for managing and maintaining where they use telnet to manage it with a shared account and a standard default password that is the same for all of their customers. These systems might have Everyone full-control file shares, blank SA passwords, be running a "gold" version of the operating system that has never been patched, with no anti-virus software or personal firewall, or even be running a version of an operating system that's so old that the OS vendor doesn't even support it anymore. Almost none of the vendors encrypt the EPHI stored by their systems, and rarely do they encrypt it over the network. This vendor problem is so bad that in our environment we have had to create a dedicated vendor management team of 5 people within our information security department to work hand-in-hand with the major vendors just to get them to implement the most basic security controls (e.g. patching, anti-virus, audit logs, removing unnecessary services, etc.).

Back to your question, I don't think a HIPAA certification would do any good at this point unless the health care community (providers, vendors, payors, physicians, etc) decides to take HIPAA Security seriously, and so far, I see no sign that such a change of heart is occurring.

I was looking at the HIPAA Certificate that GIAC offers because the company I worked for had a lot of medical clients. I spoke with one of them to get a better understanding of what HIPAA means to them. They were very conscious of HIPAA in relation to the privacy but on the technical side they were not as worried because there were no "HIPAA police." The client did tell me that if someone could come in and help them develop a HIPAA compliance plan at a reasonable cost they would certainly be interested. I think this would be a great place for consultants to find new clients. I have moved into consulting for financial institutions so I am not interested in the HIPAA cert. at this time but it is definitely a growth area in the back of my mind. I think the best thing SANS could do for HIPAA is to help map the guidelines into practical actionable steps. I could not find any free information on the practical implementation of HIPAA so I was starting the process of creating something before I moved to my new employer.

I do work for a covered entity, within IT Security. I would say I probably would not take a week-long course/cert, from SANS, on HIPAA. I probably would do a one-day course to stay sharp. I thought about this overnight, and I keep coming back to the idea that SANS/GIAC should not try to be all things to all people. Perhaps my perception is incorrect, but when I think of the SANS courses I have had, I think about getting great detail on technical security topics. I don't consider regulatory compliance, particularly one as ethereal as HIPAA, as one of SANS' core competencies. My humble advice is to stick to your "hedgehog principle", do technical security, and be the best at it.

That being said, I think this is an excellent opportunity to partner with the HIPAA Academy and get some additional visibility. If you look at, you will see that Certified HIPAA Professionals (CHP) can be given credit toward another cert - Certified HIPAA Security Specialist (CHSS). The point that I would like to make is that credit is given to cert holders for CISSP/SSCP, SCNP/SCNA, CISA/CISM and Security+. Wait! Where is GIAC GSEC? I would hold that up against the other certs any day. I think this represents an opportunity for SANS to be listed and affiliated with the HIPAA Academy.

I work for a non-profit hospital, and the lack of understanding of the HIPAA security rule is a problem. Trying to hire security personnel with any exposure to HIPAA is difficult; usually I'm lucky if I can get a high-level definition of HIPAA, and most HIPAA training is currently geared to management and clinical staff, not technical security staff. A course that specifically addressed HIPAA and was geared towards my technical security employees could be valuable. I would absolutely consider sending my staff so they are better able to assess and understand risks in our environment. For consultants, I could see the cert being more valuable as it could show competence in the area; you would be amazed how many consultants and vendors I talk to are not familiar with the HIPAA security rule and how it may or may not relate to the work they are providing our hospital. Honestly though, until HIPAA becomes more actively enforced and a real threat to hospitals, the budget and upper management support required to fully implement what is learned in training won't change.

It is true that Piedmont Hospital in Atlanta was the first and so far only covered entity to get a HIPAA audit. Honestly, before this happened I always said that HIPAA compliance is more of a state of mind than a measurable and definable security posture. I assume that you are considering a full course and not just the existing 1-day GIAC HIPAA Security Implementation (GHSC) offering. One of my co-workers has obtained this certificate after taking the course from James Tarala. I remember she told me that she enjoyed the class and learned a lot. I am perhaps a little biased against consultants, but even so, I cannot say that I would sit more upright in my chair should a SANS-certified HIPAA consultant tell me what I need to do versus a non-SANS-certified HIPAA consultant. Please do not misunderstand, I am a big fan of SANS and have achieved several certifications along the way. I expect that I will continue to take SANS as my annual training for years to come. That being said, I do not feel that a full-blown 6-day HIPAA class would be a very valuable course offering at this time. It may be the case that after the fallout from Piedmont Hospital everyone becomes more motivated to comply. If so, then there may be enough of a motivated audience to sustain this offering.

I have taken a HIPAA Academy class (Chicago in 2003). He is a huge 'fan' of SANS and reprinted / quoted a bunch of SANS material in his course books. The course did not help me in my compliance efforts. He also wanted to sell the class mice with fingerprint readers built in. I was one of the contributing authors to the SANS SBS HIPAA book. Since the rule is not black and white, I feel we had a hard time doing a good job with the book. SANS would have the same problems with a full HIPAA course and certification. There was a recent (March 07) HIPAA audit at Atlanta's Piedmont Hospital; it was big news in the HIPAA world, but I do not think it has led to more enforcement or much more HIPAA compliance. I do not think SANS needs another HIPAA certification. HIPAA is not a technical issue; it is a policy, procedure, training and management issue. The people who are in charge of HIPAA are in compliance, not IT, so they are not technical.

In any case, the HIPAA Academy offers a few certification courses in HIPAA, why does he want SANS to have one?
To your question about how important the cert would be for internal staff, I think it is helpful to have at least one person with the cert. I hold the GHSC, and not that I need to pitch you on your own content, but the fact that studying for the GHSC forced me to read version 2 of your HIPAA Security Step-by-Step is a wonderful thing. I'm not just biased because one of our former CSOs, Sheldon Borkin, was a contributing author; I simply think the book is really thorough, well thought out, and well explained. I currently peruse at least parts of it once per year as part of the Evaluation standard.

To your question about whether or not a consultant should have a HIPAA cert, it would depend on scope. At 2005 SANSfire in Atlanta, I had James Tarala for the GSNA course and saw that he did work for the healthcare industry. I have no doubts that he would make a *wonderful* consultant. Basically, if a covered entity needs help with the overall approach (albeit kinda late for a company to realize this), I do think that it would be helpful to have someone certified to help with overall risk assessment methodologies, putting together policies and procedures, awareness and training, etc. There are also various levels of compliance, like anything else. Someone who's touting that they can help with HIPAA compliance to the level that would allow the entity to do work for CMS would catch my eye compared to someone who's simply touting to help with HIPAA compliance. Trying to be careful to NOT suggest that more granular = better (I see you NewsBites editors blast FISMA on a regular basis), I'd simply rather have an outside person or team that is capable of really diving into the details, as it's easier to decide that certain findings are insignificant than to have findings missed in the first place. We tend to bring in consultants (like some of the speakers at the Application Summit in DC this summer) to do penetration testing and source code reviews, so I'm mostly indifferent to someone with a HIPAA cert, as I think we understand the big picture and get help for some specifics.

Allegedly it was Piedmont Hospital in Atlanta that was the first one hit, and I also heard that Vanderbilt Hospital had the same audit done. Allegedly HHS dispatched the OIG, who handed over 42 questions, which are mostly straightforward from the HIPAA Security framework. So I'm using those questions also as part of Evaluation to ensure that our risk assessment methodologies and process cover all of the questions. To my earlier point about granularity, I'd be interested to know just how picky and detailed the OIG was in these audits.

When I took the G7799 course in San Diego this year (I took the course also as part of the Evaluation standard to measure our current, HIPAA Security-based risk assessments against ISO 17799), one of the interesting remarks from Glen Sharlun was that for those of us looking for additional guidance on the "how" of HIPAA compliance, consider using the PCI Data Security Standard and replacing "payment card information" with "PHI." I just got my GPCI last Saturday and am considering proposing some updates to existing policies and procedures to be in line with DSS 1.1.

I just reread my note to you. Am I a walking SANS brochure, or what :-) I look forward to drinking more of your kool-aid at the Insider Threat DLP summit in Orlando in December.

It could be very useful. It seems that almost everything that we do around here now has either HIPAA, SB1386, or some other related statute or regulation come to the forefront when trying to figure out required security levels. However, I don't see it as more than a one- or two-day course, and would be of interest primarily to managers and auditors. I suspect it would get more play in the OnDemand or AtHome training than at the conferences, though a scattering of classes there might be good. I think it would be useful for SANS as a whole, but that depends on who else out there covers this kind of thing.

I work at a large hospital and they can barely force themselves to care about HIPAA. The Piedmont audit doesn't even force a yawn from general counsel. Any attempts at compliance are for appearances only (i.e., "But we're trying, Mr. Fed"). It's all about cost reduction and increased margins... and we're a not-for-profit. A GIAC HIPAA certification would be way ahead of the curve for us because they won't spend the money.

So, I think the idea is great, but don't expect a long line of people trying to get in the class unless the timing of availability coincides with a major, earth-shattering legal/financial loss for health care. Like I say, funding for InfoSec in health care is only one major lawsuit away, but I'm not holding my breath.

As a consultant to the health care industry and as part of a company that is active in the standards work by CCHIT, CMS, etc., I am not sure if it would not be a bad thing. But I am not sure what, if any, difference there would be in a HIPAA certification vs. a general 'best practices' certificate UNLESS there was an emphasis on the standards being imposed by the various agencies, including privacy concerns, and the management of patient data. I can think of some twists that might make this certificate unique, SUCH AS many covered entities are not unique in the information that they handle -- some is ePHI and some is related. Examples -- long-term care that involves community-based services and fiscal account management on behalf of residents, foster homes (for want of a better word) that manage health data for the juveniles BUT also may operate a non-public school and carry an educational record electronically as well, welfare eligibility systems that are not covered entities in and of themselves but access that information. There can be lots and lots of interesting twists in this realm.

Regardless, if SANS develops such a program, I would like to be part of it.