How do I become a HIPAA Security Specialist
Learn the Source Material
The VERY FIRST step to becoming a HIPAA Security Specialist is to read the regulation itself. The HIPAA Security Rule is very vague (I think, purposefully), so learn each part of it: the Administrative, Physical, and Technical Safeguards, plus the organizational requirements that cover information sharing and Business Associate agreements. I pulled this directly from the HHS.gov website:
“The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.”
Work Through a Pretend Assessment
Once you get a good handle on the wording of the rule, and in particular on what it labels “required” versus “addressable”, get your hands on a fairly detailed HIPAA Security Assessment form and read through each question. Keep in mind that “addressable” does not mean optional: an addressable specification must either be implemented, or you must document why it is not reasonable and appropriate in your environment and what equivalent measure you put in place instead. As you read through the questions, think of solutions from your past experience that could have met the requirements of each one.
Here is an example of a good, thorough HIPAA Security Assessment Tool from HealthIT.gov: Security Risk Assessment Tool
Get into a Role
Look to expand your career into roles that include HIPAA Security responsibilities. HIPAA-based security programs aren’t as granular as programs built on the NIST Cybersecurity Framework, the NIST Risk Management Framework, or other framework-based approaches, but they still carry plenty of responsibilities and work in compliance, security operations, vulnerability management, strategy, and so on.
Way More than Technology
You’ll find that, while the regulation is fairly vague, the underlying concepts behind each line of it can be pages deep. You’ll also start to see that, although the Security Rule applies to electronic protected health information (ePHI), much of its text is about facilities, workstations, media, workforce training, and contingency planning rather than any particular technology. AND processes, plans, and strategies are spoken of more than technologies.
This should paint the broader picture of Information Security: it isn’t necessarily about technology. It’s about protecting information, which takes processes, plans, and strategies, as well as technologies, to accomplish.