In a recent study sponsored by Merlin International, 62% of health care executives reported having a cyber attack in the past year, and almost three-quarters said their organizations were too short staffed to protect against future breaches. The respondents said staffing was the biggest challenge in ensuring security of health information. Only half had a dedicated chief information security officer (CISO). HIPAA does not require health care organizations to have somebody in this position, but an individual who sets and manages an organization’s security plan is a must for larger organizations.
“I was surprised that many didn’t have a CISO,” said Brian Wells, chief technology officer for Merlin International, which sponsored the study. “I knew there was understaffing but figured that most had one. This is a key position for making progress. Without that cheerleader in charge, it is difficult to make a lot of headway in security.”
Cybersecurity staffing at all levels is a major challenge, in part because of a workforce shortage. In its 2017 Global Information Security Workforce Study, the business consulting and market research firm Frost & Sullivan forecasted a cybersecurity personnel shortage of 1.8 million individuals by 2020. “There’s an insufficient supply of people trained in security,” Wells said. “Colleges aren’t cranking out enough students, or there just aren’t enough people interested in this career.”
Caps on foreign workers coming into the country has also contributed to the problem, he said. When demand is high and supply low, the cost for these workers goes up. According to the Frost & Sullivan report, unemployment in this space is only about 2% in the United States, and the average pay is $120,000 a year. The high demand coupled with few workers allow people in this industry to continue to demand high salaries and good benefits.
“CISOs can charge a lot of money right now, and they can go somewhere and work for 4 or 5 years, build a program, and then move on to a bigger organization,” Wells said.
Though it may be tough to pay these salaries, investing in cybersecurity is a must. According to Wells, the health care industry lags behind many others in this regard. The banking sector puts 11% and 15% of its budget toward security. Health care organization, he said, spend about half of that. Many allot about 7%, but he recommends spending closer to 10% on all cybersecurity measures, including staff.
“When it comes to IT security, you need experience and training and it won’t work to just wing it or use a 16-year-old who is good with computers to help out on weekends,” he said.
Large health care organizations are likely able to hire sufficient staff, but this may not be the case for most organizations. Wells recommends 1 full-time employee dedicated solely to security work for a hospital with at least 100 beds or a medical group of about 200 physicians. Small practices do not necessarily need to hire someone dedicated to security, but they should find a local person who can handle servers, backup, firewalls, basic security, and laptop encryption, Wells said.
Filling the gap
According to the Frost report, 87% of the global cybersecurity workforce came to the field from other industries, many of which were non-technical. That means recruiting can be expanded beyond the traditional IT or cybersecurity personnel.
“You can hire a smart technical person with energy and pay for their certifications and training to learn cybersecurity,” Wells said. “It’s cheaper to hire at a lower level and train.”
To address market demand for health care cybersecurity personnel, the McCombs School of Business at The University of Texas (UT) at Austin offers a 9-week Health Informatics and Health IT Certificate Program for generalists. So far, the program has trained more than 1,200 students since its inception in 2010. Leanne Field, PhD, the program’s director, said they are working with industry experts to build a new certification using the same approach they have used with their generalist program. They have also determined that the health care cybersecurity job is not as technical as one might think.
“Based on what we’ve learned, it’s going to be a program about managing risk in large health care organizations,” Dr Field said. “We’re going to train people to work in a variety of settings including consulting organizations or directly under CISOs.”
Program staff are beginning with a pilot program they hope to complete before the year’s end, and then scale up to an online certificate that may be ready in early 2019.
This health care cybersecurity focus is an “area that has severe need that no one seems to be addressing right now,” said Kent Nutt, communications director for the Health Informatics and Health IT Certificate Program at UT Austin. The planned health care cybersecurity certificate program will train new college graduates, existing security personnel, and members of the military transitioning to civilian life to equip them to enter this workforce. The latter group has expressed interest in this emerging field and are well-suited because of their intelligence training received in the military.
“This is about healthcare organizations having well-trained teams in place that are quick to understand risk and are able to communicate and respond appropriately if there is a breach,” Nutt said.
Nutt cites a recent report by KPMG showing that more than half of 151 health care and life science leaders polled during a teleconference said they were either unaware of how to respond or that written instructions for responding did not exist in their organization.
“The McCombs School of Business at UT Austin looks forward to developing innovative, healthcare, cybersecurity programs to meet this acute workforce need,” Field noted.