Seven Steps Healthcare Providers Can Take Now to Shrink Their Security Skills Gap


Healthcare providers are operating in a time of extraordinary pressure, whether they are recovering their operations from a devastating pandemic year or keeping pace with a rapid digital transformation aimed at optimizing and modernizing their systems. The last thing healthcare organizations needed this past year was an increase in ransomware and other types of attacks, but that is precisely what they experienced.

The increased reliance on digitized business processes, the rise in threats targeting healthcare providers, and cybercriminals who work 24x7 and tend to time their attacks for when security staffing coverage is lower, such as weekends and holidays, have together intensified the need for skilled healthcare cybersecurity professionals. Demand appears to be outpacing the supply of available security professionals.

A survey from ISACA and HCL Technologies found 61% of respondents describing their cybersecurity teams as "understaffed" and 55% stating that their organization has cybersecurity positions that are going unfilled.

The demand for cybersecurity professionals appears to be hitting the healthcare industry especially hard. A survey conducted by Black Book Market research found that, on average, cybersecurity roles in health systems take 70% longer to staff than other positions in IT.

Even as the pandemic subsides in places, digital attacks on healthcare organizations, whether ransomware or Covid-19 and vaccination-related phishing attacks, show no sign of abating, but there are steps healthcare organizations can take right now to help close their cybersecurity skills gaps:

One: Develop security talent in-house. It's not easy finding, let alone attracting, security talent. In its Cyber Security Talent Report: Addressing the Skills Gap, recruiting firm Hays US found that 55% of respondents surveyed believe they can develop cybersecurity talent internally.

Within many organizations, hidden security talent does exist. It's just a matter of finding and cultivating that talent. For instance, those who work in application development, infrastructure, and other technical roles are often interested in moving to security. There are many ways to help them make that shift, including mentoring and training programs and providing reimbursement for their professional training and development.

By providing the training and a career path, your organization is solving its own cybersecurity challenges and helping to close the cybersecurity skills gap overall.

Two: Make security a team effort. Most healthcare organizations, except for some of the largest, don't have sizable, dedicated security teams. Many smaller healthcare providers don't have any dedicated security staff at all. When this is the case, security becomes everyone's job. While security should always be a part of everyone's job, there is no other choice when there is no dedicated security team.

In these situations, it's imperative to make sure that those who work in other roles, such as operations, application development, and management, are also trained on the aspects of security that are part of their job.

Three: Improve retention of existing cybersecurity talent. According to the Dice Tech Salary report, demand for cybersecurity roles grew significantly in 2020, with cybersecurity analysts seeing the largest salary growth during the year. Cybersecurity analysts saw their average salary rise to $103,106 in 2020, up 16.3% year over year.

This sounds obvious, but apparently it isn't. For whatever reason, many organizations don't offer competitive salaries for security professionals, whether because they are not aware of the current market value or because they are trying to keep the budget down. But if healthcare organizations want to attract in-demand talent, they have to pay competitively.

While 55% of organizations responding to the Hays US survey said they could develop security talent in-house, only 39% believe they can retain their cybersecurity staff. To improve retention, Hays US recommends that organizations examine how they help employees manage their careers, including conducting regular reviews and addressing feedback. "Additionally, people managers are also key to retention, so ensure that managers are strong in areas such as motivating and inspiring their team members, managing careers, and setting clear goals," the report stated.

Four: Consider placing someone in charge of security. Healthcare organizations are facing attacks from focused, coordinated, professional, and sometimes sophisticated attackers. But many healthcare organizations don't have a focused and coordinated security program because they don't have a dedicated security officer. Many more healthcare organizations should consider changing this by putting a dedicated security manager in place to lead security strategy, defense implementation, and incident response.

Five: Keep hiring standards reasonable. Not only do many organizations fail to pay competitively, they also overlook quality talent by demanding certifications that aren't necessary for many security positions. Or they demand experience that isn't possible, such as asking for many years of work on a technology that has only been available for a couple of years, or labeling a position that requires several years of experience as entry-level. Look for talent in unusual places and with unusual backgrounds, such as someone with several years of general IT experience, someone self-taught, or someone right out of school.

Six: Automate what can be automated. Automation is the friend of tightly staffed healthcare security teams, and the good news is that it has never been easier to automate some aspects of security. For instance, it is now common for many security checks in application development to be automated, as can be many system vulnerability assessments and many patch updates (but be careful with specialized medical systems). Of course, not everything can be automated, but where it can be done safely and effectively, healthcare organizations should automate. After all, organizations have cloud-first policies today; why not an automation-first policy as well?

Seven: Partner where it makes sense. Even in the easiest of times, cybersecurity is hard. It's hard to get things right even when everything is aligned: staff, the backing of executive leadership, a proper budget, and the right tools. Unfortunately, most healthcare providers don't operate in a world where everything is aligned. Filling the gap between where the organization is and where it needs to be is where choosing the right partners is crucial. Perhaps it's cost-prohibitive to set up 24x7 monitoring, or the talent required to do so isn't readily available.

For many healthcare organizations, working with a managed detection and response partner can help fill that gap with experts who are on call 24x7 to proactively identify threats and make sure that a potential breach doesn't quickly become a serious incident.

The demand for cybersecurity professionals will not let up any time soon, and neither will attacks targeting healthcare providers. But there are steps healthcare providers can take to manage their way through these challenges, extend their staff's capabilities, and mitigate the risks to their systems, data, and patients.