Low pay hin­ders health­care’s hunt for cy­ber cops

Modern Healthcare - - NEWS - By Joseph Conn

Low pay and lack­lus­ter re­cruit­ing for cy­ber­se­cu­rity tal­ent con­tinue to ham­per health­care sys­tems’ ef­forts to pro­tect their pa­tients’ and mem­bers’ sen­si­tive in­for­ma­tion.

Data in­se­cu­rity starts with the work­force, cy­ber­se­cu­rity ex­perts say. But com­pe­ti­tion with other in­dus­tries for top tal­ent is fierce.

“Last year we saw over 6,000 cy­ber­se­cu­rity job post­ings in the health­care in­dus­try,” said Matt Sigel­man, CEO of Burn­ing Glass Tech­nolo­gies, a job mar­ket re­search or­ga­ni­za­tion. There were 82,900 com­puter se­cu­rity jobs across all U.S. in­dus­tries in 2014, with an 18% job growth over 10 years, ac­cord­ing to the U.S. La­bor Depart­ment.

Com­mon re­cruit­ment strate­gies in health­care put it at com­pet­i­tive dis­ad­van­tage, Sigel­man said.

In other in­dus­tries, head­hunters look for ad­vanced tech­ni­cal knowl­edge. But in health­care, “those skills were em­pha­sized a lot less,” he said.

Health­care “peo­ple were ask­ing for busi­ness skills like project man­age­ment, staff man­age­ment, HIPAA, ask­ing peo­ple to wear a bunch of hats on the same head. That sig­nif­i­cantly re­stricts the pool (of can­di­dates) to peo­ple who have health­care ex­pe­ri­ence,” Sigel­man said.

An­other prob­lem is low pay. The av­er­age salary for a cy­ber­se­cu­rity pro across all in­dus­tries last year was $90,435; in health­care it was $76,033, he said.

Michael Ebert, a part­ner at KPMG, said he came out of two re­cent health­care board meet­ings at which mem­bers ap­proved pump­ing up fund­ing for cy­ber­se­cu­rity. But “I don’t see it con­sis­tently out there,” he said.

Health­care em­ploy­ers are more in­clined to in­vest in cy­ber­se­cu­rity tech­nol­ogy than peo­ple, said Lee Kim, di­rec­tor of pri­vacy and se­cu­rity at Health­care In­for­ma­tion and Man­age­ment Sys­tems So­ci­ety.

“We’re hear­ing or­ga­ni­za­tions say­ing cy­ber­se­cu­rity is a pri­or­ity, but we’re not see­ing it in terms of staffing up,” said Lor­ren Pet­tit, vice pres­i­dent for health in­for­ma­tion sys­tems at HIMSS. Many of those who are in the hunt for tal­ent are hav­ing a tough time, ac­cord­ing to ex­perts, and a plu­ral­ity (40%) of re­spon­dents to a Mod­ern Health­care read­ers’ sur­vey dis­agreed strongly or some­what when asked if there

is a strong tal­ent pool of well-trained cy­ber­se­cu­rity work­ers.

De­spite nu­mer­ous head­line-grab­bing breaches, in­clud­ing the ex­trac­tion by hack­ers of 78 mil­lion mem­bers’ data from An­them in 2015, a re­cent HIMSS sur­vey showed or­ga­ni­za­tions didn’t bud­get more for se­cu­rity in 2016 than they did in 2015, Kim said.

Find­ing and train­ing 50,000 new health­care cy­ber­se­cu­rity work­ers “would be a good goal over the next three to four years,” said David Finn, health IT of­fi­cer for Sy­man­tec, a Moun­tain View, Calif., se­cu­rity firm.

“Health­care has been un­der­fund­ing se­cu­rity for a decade or more,” Finn said. “We haven’t made the in­vest­ment and not just in dol­lars. Se­nior ex­ec­u­tives still don’t see se­cu­rity as part of daily op­er­a­tions and daily rou­tines, he said.

Last Oc­to­ber, Brown Univer­sity launched its first class in an ex­ec­u­tive mas­ter’s de­gree pro­gram in cy­ber­se­cu­rity with 27 stu­dents. They have back­grounds in more than a dozen dif­fer­ent in­dus­tries.

But only one has ties to the health­care in­dus­try— in­di­rectly—by work­ing for a tech­nol­ogy com­pany “that is very much a sup­plier of IT ser­vices for health­care,” said Alan Usas, pro­gram di­rec­tor. “It’s odd, given the na­ture of the health­care busi­ness, we haven’t seen health­care.”

In­ter­moun­tain Health­care was one of health­care’s ear­li­est devel­op­ers of a se­cu­rity op­er­a­tions cen­ter. Its staff of around 20 main­tains con­stant sur­veil­lance of all the in­te­grated de­liv­ery net­work’s IT sys­tems.

The Salt Lake City-based sys­tem re­cruits in­terns from the com­puter science pro­grams at three Utah uni­ver­si­ties to work in the cen­ter. That helps de­velop a pipe­line of tal­ent.

“It’s a great way for th­ese younger peo­ple to get some ex­pe­ri­ence in se­cu­rity,” said Marc Probst, CIO at In­ter­moun­tain. “We’re hav­ing those folks for about a year. Ma­chines watch the sys­tems, and the se­cu­rity oper­a­tion cen­ter per­son­nel watch the ma­chines. It’s been great for us.”

Probst said In­ter­moun­tain’s ex­pe­ri­enced cy­ber­se­cu­rity work­ers, who can earn 30% more by go­ing out­side health­care, are be­ing poached “all the time.” In­ter­moun­tain plans ac­cord­ingly.

“We get good peo­ple and train them up and get the ser­vices from them,” he said. And when they leave, “We con­grat­u­late them and bring up the next one.”

test­ing, even at the ex­pense of time, be­cause the risks of us­ing a de­fec­tive de­vice are far too high.

“If a patch breaks some­thing, you im­pact the health­care of the pa­tient, and you could po­ten­tially im­pact pa­tient safety. Whereas, if you neg­a­tively im­pact the fi­nance in­dus­try you’re only im­pact­ing money,” Welna said. “Our test­ing has to be a lit­tle bit more de­lib­er­ate than I think you need in other in­dus­tries.”

The pro­cess of en­sur­ing a provider’s en­tire fleet of de­vices is patched is also com­pli­cated by an abun­dance of dif­fer­ent op­er­at­ing sys­tems run­ning on dif­fer­ent man­u­fac­tur­ers’ de­vices, said Dr. Dale Nor­den­berg, ex­ec­u­tive di­rec­tor of the Med­i­cal De­vice In­no­va­tion, Safety and Se­cu­rity Con­sor­tium, a not-for-profit or­ga­ni­za­tion that eval­u­ates de­vice se­cu­rity. MDISS is in the pro­cess of build­ing a cy­ber­surveil­lance net­work with risk pro­files and threat in­tel­li­gence that could help providers spend their re­sources where they are needed most.

At some point, de­vices get old enough that se­cu­rity patches are no longer avail­able. Ide­ally, health­care providers re­place de­vices be­fore that hap­pens, but it’s not al­ways pos­si­ble.

“There isn’t a good so­lu­tion right now. There’s no sil­ver bul­let,” Nor­den­berg said. “The en­vi­ron­ment is very het­ero­ge­neous, and the chal­lenges in­clude many gen­er­a­tions and many ven­dors.”

Col­leges, gov­ern­ment agen­cies and busi­nesses spon­sor the an­nual Na­tional Col­le­giate Cy­ber De­fense Com­pe­ti­tion to nur­ture the tal­ent pipe­line. The sce­nar­ios tack­led by the stu­dents have in­cluded health in­sur­ance hacks. MID-AT­LANTIC COL­LE­GIATE CY­BER DE­FENSE COM­PE­TI­TION

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.