A A Shortage of of Superheroes: Healthcare s Cybersecurity Staffing. October 2017

Transcription

1 A A Shortage of of Superheroes: Healthcare s Cybersecurity Staffing Challenge Staffing Challenge October

2 Table of Contents Introduction... 3 Short on Superheroes... 4 Cyber Skills Most in Demand... 5 Undergraduate Underproduction... 6 Compensation Competition... 6 Strategies to Overcome the Cyber Skills Shortage... 7 Hire Low and Grow... 7 Build Your Cyber Brand... 8 The Automation Paradox... 9 Finding Experienced Talent... 9 Engage a Managed Compliance Services Provider (MCSP) Retention Strategies Conclusion About Meditology

3 Introduction The shortage of qualified workers to fill cybersecurity roles in healthcare organizations is a significant problem faced by C-level executives. This gap in available and affordable qualified talent weakens an organization s ability to secure sensitive patient data and meet ever-increasing privacy and compliance standards. While, cybersecurity skills are short everywhere, the healthcare industry has unique challenges in recruiting people with cybersecurity skills. Healthcare organizations are considered late arrivals to technology recruiting which has resulted in compensation rates that are typically less than other industries. While the challenges are great, the mission to secure highly-sensitive patient data provides a unique value-proposition to employees. A cybersecurity worker in healthcare is at the front lines in protecting a patient s most sensitive and personal information from malicious use. In recruiting cybersecurity workers, we are extending an invitation to become a protector, possibly a superhero, in securing the most sensitive information in patient care. However, this important role as the patient s information guardian is not well communicated to potential recruits. In recruiting cybersecurity workers, we are extending an invitation to become a protector, possibly a superhero, in securing the most sensitive information in patient care. Addressing the importance of cybersecurity professions is both a challenge and opportunity for healthcare organizations. This challenge is intensified as healthcare executives compete for qualified talent with other industries such as financial services, professional services and retail, which may be perceived as more exciting and challenging careers. The pressures from the regulatory environment and the ever-present, ever-increasing threat of data security breaches impacting the reputation of a healthcare network underscore the urgency in recruiting qualified personnel. Overcoming shortages of available talent interested in serving as healthcare cyber-guardians requires a variety of strategies outlined in this paper. 3

4 Short on Superheroes The shortage of cybersecurity professionals is well documented across all industries. In the 2016 Global Information Security Workforce Study, 70 percent of employers reported a plan to increase their cybersecurity staff size by at least 15 percent in In the healthcare sector, increases in planned cybersecurity staffing jumped to 20 percent. 1 The shortage problem in the healthcare industry is exacerbated by the current environment of change in which technology and patient care are converging into new service delivery models. Artificial intelligence (AI) software, cloud software, medical device monitoring, tele-medicine and the use of wireless devices to collect and retrieve patient data are all driving innovation and change in the patient service delivery model. 69% of healthcare organizations believe they are at greater risk than other industries for a data breach. - Source: Ponemon Institute According to the 2016 study on the Privacy and Security of Healthcare Data, an overwhelming majority of healthcare organizations (69 percent) and business associates (63 percent) believe they are at greater risk than other industries for a data breach. The top reasons for healthcare organization vulnerability is a lack of vigilance in ensuring their partners and other third parties protect patient information (51 percent) and not enough skilled security practitioners (44 percent). 1 In healthcare settings, more entry and sharing points of patient information exist than in many other business service delivery models such as financial services, government retail and entertainment. The need to know level 1 Ponemon Institute, (May 2016). Sixth Annual Benchmark Study on the Privacy and Security of Healthcare Data. Retrieved from pdf 4

5 of patient data is often very broad among vendors serving the healthcare organization as well (e.g. food preparation, pharmacy, specialized equipment, medical device monitoring, etc.) Each of these unique issues makes healthcare an industry full of data risks and vulnerabilities for information hacking and misuse. Indeed, healthcare is an arena in which cybersecurity professionals can become superheroes. The opportunity is in educating the emerging labor force of the skills needed to be successful in cybersecurity and the role they can play in securing patient information in a healthcare setting. Cyber Skills Most in Demand Among the scarce skills required in healthcare cybersecurity positions is the need to communicate at a high-level. The Ability to Communicate Effectively was noted as a scarce skill by over 50 percent of International firms and over 70 percent of U.S. firms responding in a 2016 survey conducted by MacAfee - Intel Security Center for Strategic and International Studies. 2 The need for strong communication skills is especially important in the healthcare industry due to the demands for information sharing and broad access to information within the healthcare network. Communicating in a well-understood, effective manner is increasingly important as the accountability reporting reaches the highest levels of the organization. As the role of cybersecurity becomes a high-level topic, the status of the CISO may be elevated as well. Increasingly the CISO may now report directly to the board of directors rather than the chief information officer (CIO). A 2015 IDC study predicted that by 2018, 75 percent of CISOs and chief security officers (CSOs) will report directly to the CEO or board of directors. 3 In the same MacAfee-Intel Security report cited above, more than 60 percent of International firms and 74% of U.S. firms surveyed noted Intrusion Detection and Attack Mitigation as a scarce skill in their organization. The increased occurrence of virus and hacking attacks of health information is evidence that the healthcare industry is becoming the new favorite among criminal data thieves. 2 MacAfee - Intel Security Center for Strategic and International Studies.(May 2, 2016). Hacking the Skills Shortage. Retrieved from 3 International Data Corporation (IDC), (2015). The State of the "C" in CISO. Retrieved from 5

6 On the positive side, Millennials surveyed in 2016 by the National Cybersecurity Alliance (NCSA) are increasingly attracted to jobs using skills needed to be successful in cybersecurity. 4 While there still exists a gap in finding potential employees with these skills, the best opportunities may be to grow the desired skill sets from within, a strategy we discuss further in this paper. Undergraduate Underproduction The expertise required in cybersecurity positions has expounded the shortage problem. For instance, 10 percent more cybersecurity roles available require specific certifications and/or security clearances as compared to other IT roles. Undergraduate degrees are required for more than 80 percent of cybersecurity roles, however there are still relatively few universities offering undergraduate degrees concentrating in cybersecurity studies. Among CISOs there is discussion about recruiting people from other technical disciplines and training them in security risk management. CISO are often open to recruiting from fields including network engineers, business analysts, bio-medical technicians and other fields. Many CISOs believe the best approach may be hiring low-level employees and training them on the specific risks found in a healthcare environment. This approach is discussed in further detail in this report. Compensation Competition In any scarce market, prices rise. The competition across all industries for qualified cybersecurity talent requires that healthcare organizations offer competitive or more attractive compensation offerings. Healthcare organizations that pay a competitive rate and demonstrate they value security personnel as a key risk management function, will be better able to retain and grow their staff. 4 National Cybersecurity Alliance (2016). Securing Our Future: Closing the Cybersecurity Talent Gap. 6

7 Strategies to Overcome the Cyber Skills Shortage To overcome these recruiting challenges, healthcare organizations must increase the value proposition the security and compliance department offers the entire provider network. Any employee involved in securing a patient s private information provides a critical role in providing high-quality patient care. A cybersecurity worker is at the front lines in protecting a patient s most sensitive and personal information from malicious use. We are inviting these specialized technical workers to become a protector, or a modern-day superhero, in securing the most sensitive information in patient care. This important role as the patient s information guardian is not well communicated within the healthcare industry. Addressing the importance of cybersecurity staff is both a challenge and opportunity for healthcare organizations. This challenge is intensified as healthcare executives compete for qualified talent with other industries such as financial services, professional services, entertainment and retail. In researching the cybersecurity shortage, we identified six strategies cited as being effective in recruiting and retaining highly-valued cybersecurity professionals. Each approach is explored below with a specific focus on how to apply these strategies in a healthcare setting. Five of these approaches to overcoming the cybersecurity shortage problem relate to recruiting, the final discussion focused on retention and growth of this group of healthcare heroes. Build Your Cyber Brand Engage an MCSP Hire Low and Grow Overcoming Cyber Skills Shortages Locate Experienced Talent Retain the Best Automate and Train Hire Low and Grow The most cost effective and perhaps quickest way to develop a cybersecurity team is to hire low-level staff members early in their careers and train them. Pairing up new hires with experienced mentors and trainers is a critical success factor for effectively growing cybersecurity professionals from the ground up. Developing formalized training and mentoring programs not only helps to get resources up to speed on core skills required for the role, but also demonstrates a supportive environment and focus on continual career development that helps retain talent over time. Coaching and mentoring also supports the ability to identify areas of interest for team members and provide opportunities to evolve and grow security skills to broaden the value and capabilities of the security team. Organizations should expect a certain percentage of attrition as some young workers will receive training and leave the organization; however, the percentage that stay will further develop into managerial staff that will enhance your organization s ability to respond to cyberthreats. 7

8 Build Your Cyber Brand Healthcare has unique challenges in educating security and compliance employees in the value they bring in patient care. The CISO/CPO/Compliance Officer can view this an opportunity to brand career development and their staff s unique skill set. Effective branding strategies include setting the culture and identity of the department, offering a well-communicated growth path, delivering high-value training programs and tie-back to overall patient service delivery. Employee retention for younger workers can be improved by emphasizing the intrinsic benefit their work brings in securing patient data. Potential and existing employees should understand the impact of their work. Patient data protection is relatable to everyone. Proper data security protects a mother, a father, children and communities challenged by disease and impairment. Doctors and care-giver trust is upheld when safeguarding patient information is taken seriously. Securing this patient data can protect people from financial attacks as well as protecting their personal information from untended release. For example, in August 2017, a vendor servicing Aetna insurance clients, notified patients of their HIV diagnosis in windowed-envelopes, thus increasing the possibility of untended release of a patient diagnosis to anyone handling the mailed letter. 5 Just a few weeks later in September 2017, Equifax announced that 143 million customers may have had their personal financial information compromised in a breach attack. 6 Security employees can be reminded of the significant role they offer in safeguarding sensitive information by the Aetna and Equifax breach examples. Data monitoring, security and protection is literally life-giving if a patient is dependent upon a medical device. A person living with an implanted device (such as a pacemaker) is dependent on the information flows to monitor and control critical life support functions. These are just a few examples of the impact cybersecurity workers have on our society. Positioning the cybersecurity and security department s role as a protector not only of patient information but the overall healthcare network s brand as a trusted provider is worth C-level s time and attention. Reaching out to peers within the Human Resources and Marketing areas of your organization can be helpful in establishing an effective brand for your department, as well. Propose ideas such as a job-shadowing program with local high-schools or colleges to expose young people and the community to the importance data security plays in delivery patient care. Some healthcare networks offer Community Education which can include parental outreach or just general information on how your organization is working to protect patient information. These community outreach programs may help the CISO in identifying recruiting opportunities with local colleges and training programs, while also bolstering the brand image of the healthcare organization within your community. 5 Ellison, A. (August 25, 2017). Aetna reveals customers HIV status in envelope window, Becker s Hospital Review. 6 Bernard, T.S., Hsu, T., Perlroth, N. and Lieber, R. (September 7, 2017). Equifax Says Cyberattack May Have Affected 143 Million in the U.S., New York Times. 8

9 As the NCSA report revealed, healthcare is becoming known as desired field for high-school students who are just exploring cybersecurity as a career option. This is the right time to develop job shadowing programs and parent outreach within the community to further extend your organization s brand as a leader in patient security on all fronts. The Automation Paradox Artificial intelligence and data automation have valuable roles in managing and identifying patient data security risks. Automation, however, may not directly translate into fewer humans to manage the cybersecurity function. Automated systems may more accurately manage specific security tasks; however, people are still needed to run and manage these automated systems. Some of the best uses of automation in cybersecurity tasks include monitoring for irregularities and machine learning to identify new attack patterns. Automated systems may accurately manage specific security tasks; however, people are still needed to run and manage these automated systems. Many organizations are leveraging a combination of technology implementation (automation) and outsourcing the maintenance and monitoring of these functions to third parties. Some of these functions include Security Incident and Event Monitoring (SIEM), Data Loss Prevention (DLP), privacy monitoring, third party risk management, cloud security and intrusion detection and prevention. While automation will play an important role in data security, these technologies do not replace the need for cybersecurity workers. Even executives of artificial intelligence software services are supporting the idea that security analysts will still have an important role in detecting risk. According to AI software firm, PatternX CEO Uday Veeramachaneni, The goal is to change the economics of security... But there will always be a need for a security analyst to make sense of it. 7 Finding Experienced Talent Healthcare executives want to hire qualified security personnel, but it is challenging. CISOs and hiring managers often look to hire experienced cybersecurity professionals from outside the industry, which can work but still requires adjustments and retraining. Often, cybersecurity personnel recruited from other industries such as government and financial services do not always understand the priorities of the healthcare system in setting cybersecurity policy. For example, security controls in a government setting may often be overly restrictive and unable to support information sharing required 7 Vizard, M. (March 16, 2016), How Automation will affect Cybersecurity Jobs, Dice.com, Retrieved from 9

10 to treat patients across the continuum of care. Similarly, in financial services, the willingness of end-users to enter passwords and have multi-factor authentication to access data is much greater than in a healthcare environment. Finding the right fit outside the healthcare industry may work in filling top-level cybersecurity roles, but preparations should be made for on-the-job training of younger workers. In department training and promotion programs help cybersecurity professionals learn the specific nuances of healthcare data flows and security needs. The internal IT department is a great place to look for talent as they have a built-in understanding of information flows within a healthcare setting. However, providing appropriate security training is important for organizations hiring from within. In the 2017 ISC report on cybersecurity professional skills, 63 percent of IT professionals surveyed said their organizations face a cybersecurity shortage, but only 34 percent of respondent say their companies will cover the cost of security training. 8 The ISC report also infers that there is a disconnect between the skills desired by the CISO and the skills the frontline IT hiring manager and CIO look for in making a hiring decision. The CISO level tends to focus on highlevel communication and analytical skills at the top of the list, while the hiring manager looks for cloud computing and risk assessment skills as key skills. This disconnect of perceived needed skills underscores the issue of appropriate investment in training and the immediate need to address technical security risks. Engage a Managed Compliance Services Provider (MCSP) When qualified security candidates are scarce, having a third-party MCSP engaged brings instant access to a wider range of skill sets than your healthcare organization can offer alone. Outsourcing some information security and compliance functions will help scale the organization s capacity for handling new, unanticipated security tasks. An MCSP vendor will provide an immediate expansion in staff resources and coverage of many gaps and vulnerabilities within the organization s data security network. 8 (ISC 2 ) (2017). IT Professionals Are a Critically Underutilized Resource for Cybersecurity. 10

11 Specifically, outsourcing the tasks involved in meeting government compliance requirements makes sense. Compliance activities involve time-consuming monitoring and remediation activities, require knowledge of everchanging government and industry regulation in the healthcare industry as well as require expertise in fraud and data intrusion detection. Vendor risk management is also tied into government compliance requirements as hundreds of vendors typically have detailed access to sensitive patient information. Many of these vendors are unfamiliar with government requirements to secure patient information. Bringing on an MCSP with detailed knowledge of the healthcare delivery system and related government requirements and security risks, will greatly expand the security team s effectiveness and capacity. New trends in tele-medicine and remote equipment monitoring expound the need for additional security processes and protocols. A MCSP is a good partner to engage in identifying potential security gaps and bringing security protocol options for securing new types of medical devices. Engaging a MCSP with a proven record in the healthcare industry will allow your information security and compliance staff to plan, manage and communicate more effectively at the higher levels within and across your healthcare network. This increased efficiency typically results in a decrease in the overall cost of compliance and risk management. Here are some of the most common functions healthcare organizations outsource effectively to a third-party MCSP: 11

12 Retention Strategies Recruiting firms in the IT industry are providing sage advice that benefits healthcare organizations in understanding how to retain employees. 9 Here are few suggestions for healthcare organization IT managers to help ensure retention of their valued information guardians: 9 Billar, Todd. VAR Staffing. Top 10 Tips to Improve Employee Retention. tips-to-improve-employee-retention/?wpnd_cid=c5ae4325d31807b9 12

13 Conclusion Indeed, in this era of broad cyber information sharing, the healthcare industry is truly seeking superheroes that can protect and secure it from outside risks. Cybersecurity personnel are among the scarcest talent available in any industry, but especially in healthcare. While there are indicators that young people are becoming interested in technical careers within the healthcare industry, a great need exists now to fill positions related to data security and protection. A strategic talent acquisition and staffing plan can include both near-term and long-term solutions. In the near term, hiring a MSCP partner that understands healthcare is an effective strategy to address pressing compliance, privacy and security requirements. Third-party partners have greater access to the skills sets needed to respond and protect against to these security threats unique to the healthcare industry. Outsourcing many of the tedious compliance, risk management and vendor management functions will also free up resources so you can scale your security program quickly. For long-term staff growth and retention, expanding the CISO s reach across the organization and working alongside Human Resources and Marketing in branding, training and community outreach will help uncover and retain some of the most promising talent for the future. Using a combined approach of outsourcing, training and developing a long-term strategy to identify, grow and retain security talent, the shortage of cybersecurity talent can be effectively addressed. CISOs that view the cybersecurity challenge as an opportunity to groom young people into rewarding careers will also reap the intrinsic rewards of helping the greater good. After all, you are superheroes, too. 13

14 About Meditology Meditology Services LLC is a healthcare-focused advisory services firm with core principles of quality, integrity, loyalty, and value. Our executive team has an average of 15 years of consulting and operational experience in healthcare with provider and payer clients nationally of varying size and complexity. We understand the importance of relationships and derive much of our business from a long list of satisfied clients who value the quality of our work products combined with the professionalism, approach, and innovative solutions we bring to our engagements. Meditology services clients across the U.S. with offices in Atlanta, Philadelphia, San Diego, Denver, and Nashville. Meditology Services LLC 5256 Peachtree Road, Suite 190 Atlanta, GA info@meditologyservices.com Tel. (404)