Healthcare struggling to recruit top cybersecurity professionals

Modern Healthcare - NEWS - By Joseph Conn

Michael Minear, chief information officer of UC Davis Medical Center in Sacramento, Calif., has a talented security staff, and as a result, has suffered some consequences.

“We had a team of five, and two of them got poached,” Minear said. “It took a year and a half to replace those two.” That’s not an unusual experience.

The market for cybersecurity workers is red hot and that’s putting heat on the healthcare industry, which has lagged other industries in information-technology spending.

But after a spate of massive cybersecurity attacks this year, the industry is scrambling to shore up its defenses. Its efforts, however, are hampered by stiffening competition for experienced cybersecurity professionals.

“There is infinite demand” for experienced cybersecurity workers across many industries, said Dan Inbar, chairman of Homeland Security Research Corp., a Washington, D.C., consulting firm. “The supply is 10% of the demand—from the Defense Department to banks to cybersecurity companies.”

As a result, cybersecurity professionals are fetching a 9% pay premium over other IT workers, according to Burning Glass Technologies, a Boston-based human resources technology and support services provider.

According to Burning Glass, there were nearly 50,000 job postings in 2014 for workers with a Certified Information Systems Security Professional (CISSP) designation, the primary credential in cybersecurity work, which requires a minimum of four to five years of field experience. But the number of openings represents three-fourths of all cyber pros with a CISSP designation, even though globally the number of CISSP designees has nearly doubled since 2010.

“Saying you’re going to fill those 50,000 jobs playing musical chairs with 65,000 people doesn’t really work,” said Burning Glass CEO Matt Sigelman. Those CISSP jobs pay an average of $93,000 a year and carry an $18,000 premium over entry-level security positions that require the basic credential, Sigelman said. Healthcare cybersecurity specialists need to be familiar with technology as well as the federal Health Insurance Portability and Accountability Act, making an already-rare set of job skills even more scarce, Sigelman said.

Cybersecurity job postings are up 91% since 2010, with 238,000 such jobs listed in 2014, including 7,915 in healthcare and social assistance organizations, such as drug and alcohol abuse clinics, Sigelman said. Healthcare is one of the industries showing the greatest growth in cybersecurity job openings. (See chart.)

The demand is, in part, a reaction. According to the official “wall of shame” federal website, since September 2009, there have been 1,345 breaches reported in which 500 or more patient records were involved. A total of 153.9 million health records have been exposed. That number approaches half of the U.S. population.

Four out of the five largest breaches on the list were hacks, all of which occurred in 2015, accounting for 75% of all records exposed. The largest hack was reported by Anthem and involved a whopping 78 million records that affected not only members, but through reciprocal payment agreements, some members of every other Blues plan in the country as well.

For educators and trainers in cybersecurity, that means business is booming.

Publicly funded University of Maryland University College, an outgrowth of the University of Maryland, claims more than 8,000 students have enrolled in its 13 cybersecurity programs at the certificate, undergraduate and master’s degree levels. Of those, 4,500 students have graduated since the program started in 2011, said Robert Ludwig, assistant vice president of media relations for the college.

Last year was the first year they’ve actually seen graduates go out in the market, Ludwig said, but it’s been tricky keeping track of where they’re headed. He said an alumni roster of 2,000 graduates shows only about 2% seem to be employed in jobs that are clearly healthcare-related.

Minear says the breaches have upped the ante.

“I work in healthcare, but now I feel I work at the NSA,” he joked, referring to the National Security Agency, the top-secret Defense Department agency that specializes in cracking codes and electronic spying.

After reading a 2008 article about a breach involving unencrypted backup tapes of records at another university healthcare organization with “a very good CIO,” Minear started on a path to “encrypt everything,” from data in motion to data at rest.

“We’ve invested about $11 million in security technology over that six or seven years, and in our security plan, we have to spend $4 million to $8 million more,” Minear said.

That funding will include combining cybersecurity monitoring operations at UC Davis and other UC Health campuses. The plan is to create a security operations center.

SOCs, as they are called, enable cybersecurity personnel to watch over a number of organizations, just as teleradiology allows a single radiologist to perform imaging reads for multiple hospitals. This cuts costs and creates efficiencies, security experts say.

Matt Eversole, chief operating officer of information technology at 23-hospital Mercy Health, said his health system is exploring a SOC.

He expects in the next two years the system will need to double its cybersecurity workforce from 17 to 34.

Eversole said his system, based in Cincinnati, recently lost its chief information security officer, who resigned to become a consultant.

“It took me three months to recruit a replacement,” but that was about the time expected for a position of that level, he said. And the pay was within range.

“We did pay higher, but not much higher,” he said.
