Hospital administrators are reporting challenges in hiring and retaining cybersecurity professionals needed to mitigate the new cyber threats. The issue is getting broad attention outside of healthcare, including a National Public Radio’s All Things Considered segment addressing the issue, which aired on July 26, 2017. This is due in part to reports that there are over one million open security positions that can’t be filled. The challenges are real, but they can be managed when properly framed.
Misconception #1: All cybersecurity positions require the same skills and experience
Healthcare human resources departments should recognize that there are as many different cybersecurity roles as there are different physician specialties. To recruit top talent, individuals applying for these roles need to see a career path, or ladder, showing how they will advance over time. Without an opportunity for internal advancement, top talent will seek other domains outside of healthcare. A typical career progression will allow an entry-level individual contributor to advance from security analyst, to security operations, to security engineer, to security architect. There should be security management roles defined as well that are separate from a typical information technology, or IT role.
Misconception #2: All security roles belong in the IT department
The majority of security positions will support information technology, but others security positions support physical security, biomedical engineering, vendor management, HR (background checks and workforce training), risk management, and internal audit/compliance. A career ladder needs to recognize this broad spectrum of talents and demonstrate both lateral and advancement opportunities. Specific to the CISO/CSO role, the HIPAA Security Rule requires that the senior security official have the responsibility and authority for all administrative, physical, and technical safeguards. The rule set expectations in 2003 when it stated, “The assigned security responsibility standard adopted in this final rule specifies that final security responsibility (for administrative, physical, and technical safeguards) must rest with one individual to ensure accountability within each covered entity. More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall final responsibility for the security of the entity’s electronic protected health information. This decision also aligns this rule with the final Privacy Rule provisions concerning the Privacy Official.”
Misconception #3: The pay bands must align with the IT pay bands
We rarely question why physicians’ pay varies widely between specialties because we understand it is based on supply and minimum skill sets. There needs to be a similar recognition that security positions also require different skill sets and make similar adjustments. Simply put, an application architect is different from a network architect, which is different from a security architect. Healthcare organizations can leverage national salary surveys specific to cybersecurity, then adjust using regional adjustors.
Misconception #4: The desire to find the “IronMan” of cybersecurity that will perform all duties
The senior security official requires a wide variety of skills that include many areas outside of the IT domain. There is talent with a pedigree outside of a typical IT department and even healthcare that can quickly step into a chief security officer role with minimal training. The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology.
Misconception #5: Organizations need the same security skills on staff full time
Designing and implementing advanced security solutions can be best performed by individuals who have deep experience with the tools. Once the systems are fully implemented and procedures documented, individuals with less experience can be leveraged to operate the systems for the duration of the lifecycle. In these instances, it is cost effective to leverage third parties with both domain experience in healthcare and deep technical skills in the security solutions. Other security professionals with security process development and management experience are needed to assimilate the tools into the healthcare organization’s environment.
In conclusion, healthcare organizations are going to see more cyber attacks in the future. Addressing the security vulnerabilities and building a security management program requires more senior leadership, but also more and more resources that can be met with both internal and vendor-supported roles.
 Federal Register/Vol. 68, No. 34/Thursday, February 20, 2003/Rules and Regulations, Page 8347