Why are hospitals challenged when hiring cybersecurity professionals?

Hospital administrators are reporting challenges in hiring and retaining the cybersecurity professionals needed to mitigate new cyber threats. The issue is getting broad attention outside of healthcare, including a National Public Radio All Things Considered segment addressing it, which aired on July 26, 2017. This attention is due in part to reports that there are over one million open security positions that can't be filled. The challenges are real, but they can be managed when properly framed.

Misconception #1: All cybersecurity positions require the same skills and experience

Healthcare human resources departments should recognize that there are as many different cybersecurity roles as there are physician specialties. To recruit top talent, individuals applying for these roles need to see a career path, or ladder, showing how they will advance over time. Without an opportunity for internal advancement, top talent will seek other domains outside of healthcare. A typical career progression allows an entry-level individual contributor to advance from security analyst, to security operations, to security engineer, to security architect. Security management roles should be defined as well, separate from the typical information technology (IT) roles.

Misconception #2: All security roles belong in the IT department

The majority of security positions will support information technology, but other security positions support physical security, biomedical engineering, vendor management, HR (background checks and workforce training), risk management, and internal audit/compliance. A career ladder needs to recognize this broad spectrum of talents and demonstrate both lateral and advancement opportunities. Specific to the CISO/CSO role, the HIPAA Security Rule requires that the senior security official have the responsibility and authority for all administrative, physical, and technical safeguards. The rule set this expectation in 2003 when it stated, “The assigned security responsibility standard adopted in this final rule specifies that final security responsibility (for administrative, physical, and technical safeguards) must rest with one individual to ensure accountability within each covered entity. More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall final responsibility for the security of the entity’s electronic protected health information. This decision also aligns this rule with the final Privacy Rule provisions concerning the Privacy Official.”[1]

Misconception #3: The pay bands must align with the IT pay bands

We rarely question why physicians’ pay varies widely between specialties because we understand it is based on supply and minimum skill sets. There needs to be a similar recognition that security positions also require different skill sets, and similar pay adjustments should be made. Simply put, an application architect is different from a network architect, which is different from a security architect. Healthcare organizations can leverage national salary surveys specific to cybersecurity, then adjust using regional adjustors.

Misconception #4: The desire to find the “IronMan” of cybersecurity that will perform all duties

The senior security official requires a wide variety of skills, many of them in areas outside of the IT domain. There is talent with a pedigree outside of a typical IT department, and even outside of healthcare, that can quickly step into a chief security officer role with minimal training. The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology.

Misconception #5: Organizations need the same security skills on staff full time

Designing and implementing advanced security solutions is best performed by individuals who have deep experience with the tools. Once the systems are fully implemented and the procedures documented, individuals with less experience can be leveraged to operate the systems for the remainder of the lifecycle. In these instances, it is cost effective to leverage third parties with both domain experience in healthcare and deep technical skills in the security solutions. Other security professionals with security process development and management experience are needed to assimilate the tools into the healthcare organization’s environment.

In conclusion, healthcare organizations are going to see more cyber attacks in the future. Addressing the security vulnerabilities and building a security management program requires more senior leadership, but also more resources, a need that can be met with both internal and vendor-supported roles.

[1] Federal Register/Vol. 68, No. 34/Thursday, February 20, 2003/Rules and Regulations, Page 8347

About the Author

Clyde Hewitt

Clyde Hewitt is an Executive Advisor at CynergisTek. He brings more than thirty years of executive leadership experience in cybersecurity to his position with CynergisTek, where his many responsibilities include being the senior security advisor and client executive, thought leader and developer of strategic direction for information and cybersecurity services, nationwide business development lead for security services, and contributor to CynergisTek’s industry outreach and educational events. Hewitt retired from the United States Air Force after serving in various senior IT technology positions, later working in the private sector in various information security management roles. Most recently, he was the Vice President & Chief Security Officer for Allscripts Healthcare, where he implemented a global ISO 27001 Information Security Management System. Hewitt’s firsthand executive experience developing, implementing, and evaluating security program strategy provides him with the practical experience to contribute to CynergisTek’s thought leadership around cybersecurity and assist clients in achieving their data protection goals. Hewitt holds a Bachelor of Arts in International Relations from the University of North Carolina – Chapel Hill, a Master of Science in Engineering from the University of Arkansas, and is a graduate of the Defense Acquisition University’s Program Management Course. He is also a graduate of the Air Command and Staff College and the Air War College. Hewitt’s professional certifications include Certified Information Systems Security Professional (CISSP), ISO 27001 Lead Auditor, Level III Program Manager, and Certified in Healthcare Security (CHS).
