In today’s cybersecurity climate, only a very small percentage of hospital executives still believe that they are well protected from cybersecurity threats.
The majority of executives have clearly reached a different conclusion, especially in light of metrics derived from hundreds of annual security assessments conducted by CynergisTek and the 2019 HIMSS report, which found that over 82% of hospitals reported serious security incidents, up from 75% in the previous 2018 report (PDF).
With such statistics, we need to recognize that the primary challenge is not identifying a problem but finding a cost-effective solution.
The environment is rife with new technology, each product claiming to be the next “silver bullet” that will protect healthcare organizations from cybercriminals. Yet many of these same solutions sit on shelves months or years after purchase. The common element in both cases appears to be a shortage of qualified cybersecurity professionals.
The solution must start with collaboration between the key stakeholders in human resources, compliance and IT. While there is no one quick fix, these teams can work together to find solutions.
Here are six recommendations to help adapt and address the cybersecurity workforce shortage:
1. Understand cybersecurity skillsets. Recruiting qualified cybersecurity professionals requires recognizing that cybersecurity and IT are different career fields, each with several sub-specialties. These specialties range from designers (security architects) and builders (security engineers) to operators (security operations) and assessors (analysts). Organizations also need leadership positions that can manage security projects and teams. Some of the skills overlap with traditional IT roles, but the primary focus needs to be broader than technology and align people and process to protect systems outside the traditional IT sphere of influence, including medical devices, personal bring-your-own devices (BYOD), partners, vendors and even wearables used by patients.
2. Develop future career paths for cybersecurity professionals. Applicants for cybersecurity positions are looking for a career ladder that allows them to grow professionally as they gain new experience and certifications. The executive team should facilitate the development of a career ladder for each track, with job descriptions, desired experience and certification requirements. It is not necessary to fill all these positions, but it is important to let applicants know that there is a future career path as the organization matures. Organizations that do not acknowledge an opportunity for growth will find their employees moving to other opportunities in order to advance.
3. Perform a salary survey. The executive team should direct HR to perform a salary survey that leverages the new job descriptions. The 2018 (ISC)2 Research Study claims there are almost 3 million open cybersecurity positions worldwide, a number that is increasing rapidly as cyberattacks continue to target an ever-increasing number of connected systems. This supply-demand imbalance is driving wage expectations above a typical IT pay band. The recent revelation that connected medical devices are major risks only increases the need for top talent to refocus on the non-traditional technology supporting our hospitals, adding further upward pressure on salaries.
4. Seek ways to train existing staff to take cybersecurity roles. There are myriad training opportunities, but only a few specialize in healthcare cybersecurity and risk management. Of these, The University of Texas at Austin McCombs School of Business is one of the few offering a Professional Certificate Program through distance learning. Entry points include experience in IT, but also other healthcare disciplines.
Since only 22% of the mandatory security elements in the HIPAA Security Rule and the NIST Cyber Security Framework are purely technical, there are ample other growth areas in cybersecurity careers. For example, managing vendor and other third-party risks is one of the leading growth areas in need of new healthcare professionals. When non-security staff receive security training, consider a new salary survey, as the value they add to the organization will likely require additional compensation.
5. Look to move some of the simpler security tasks into the IT departments. Security teams commonly use network vulnerability scans to identify unpatched systems and then relay that information to the IT or clinical engineering staff for remediation. By moving the IT and clinical engineering organizations up the security maturity spectrum, CIOs can focus on improving the patch management process. Those scans are still needed to validate that the patch management program is effective, but a properly managed patch management program would have identified and remediated vulnerabilities before the scans are performed. Scans would, therefore, serve as validation that the patch management process works, rather than as the means of identifying gaps that need to be remediated later.
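The shift described in recommendation 5 is easy to state but needs a concrete measure: a scan finding is only a "process gap" if a patch existed long enough for the patch management program to have applied it. The following is an added example, not code from the article or from CynergisTek, that reconciles constructed scan findings against constructed vendor release dates and patch deployment records so the security team can report whether the patch process is working. The host names, the `VULN-nnnn` identifiers, the dates and the 30-day remediation window are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data for this example; not drawn from the article.
SCAN_DATE = date(2019, 6, 1)
SLA_DAYS = 30  # assumed remediation window for patch management


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str  # placeholder identifiers, not real CVE numbers


# Scanner output as it would be relayed to IT / clinical engineering
FINDINGS = [
    Finding("ehr-app-01", "VULN-0001"),
    Finding("ehr-app-01", "VULN-0002"),
    Finding("infusion-pump-07", "VULN-0003"),
    Finding("workstation-22", "VULN-0001"),
    Finding("workstation-22", "VULN-0004"),
]

# Vendor patch release dates; a missing entry means no patch exists yet
PATCH_RELEASED = {
    "VULN-0001": date(2019, 3, 15),  # 78 days before the scan
    "VULN-0002": date(2019, 5, 20),  # 12 days before the scan
    "VULN-0004": date(2019, 4, 1),   # 61 days before the scan
}

# Patch management system's deployment log: (host, vuln_id) -> date applied
PATCH_DEPLOYED = {
    ("ehr-app-01", "VULN-0001"): date(2019, 5, 10),
}

CATEGORIES = ("process_gap", "within_sla", "no_patch_available", "patch_ineffective")


def classify(finding, scan_date=SCAN_DATE, sla_days=SLA_DAYS,
             released=PATCH_RELEASED, deployed=PATCH_DEPLOYED):
    """Decide what a single scan finding says about the patch process."""
    if (finding.host, finding.vuln_id) in deployed:
        # Recorded as patched yet still detected: reboot pending, failed
        # install or a bad inventory record; IT must investigate, not re-scan.
        return "patch_ineffective"
    release_date = released.get(finding.vuln_id)
    if release_date is None:
        # Nothing to patch; risk must be handled by compensating controls
        return "no_patch_available"
    if scan_date - release_date > timedelta(days=sla_days):
        # A patch existed longer than the SLA and was never applied
        return "process_gap"
    # Patch is newer than the SLA; the process still has time to act
    return "within_sla"


def reconcile(findings=FINDINGS, **kwargs):
    """Group findings by what they reveal about patch management."""
    summary = {name: [] for name in CATEGORIES}
    for finding in findings:
        summary[classify(finding, **kwargs)].append(finding)
    return summary


def patch_process_validated(summary):
    """True when the scan confirms the patch process, as recommendation 5 intends."""
    return not summary["process_gap"] and not summary["patch_ineffective"]


if __name__ == "__main__":
    result = reconcile()
    for name in CATEGORIES:
        print(f"{name}: {len(result[name])}")
    print("patch process validated:", patch_process_validated(result))
```

The two counts worth tracking over time are `process_gap` and `patch_ineffective`: as the IT and clinical engineering teams mature, both should trend to zero, at which point the scan is confirming the process rather than feeding it. Findings in `no_patch_available` (common for medical devices) are a separate risk-acceptance and compensating-control conversation, not a patch management failure.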
In conclusion, hospitals will continue to struggle with security gaps until they can address their cybersecurity skills shortages. Addressing this need requires progressive leadership and a willingness to escape last decade’s paradigm.
Clyde Hewitt is vice president of security strategy at CynergisTek. He has thirty years of executive leadership experience in cybersecurity.