Modern Healthcare

Low pay hinders healthcare’s hunt for cyber cops

- By Joseph Conn

Low pay and lackluster recruiting for cybersecurity talent continue to hamper healthcare systems’ efforts to protect their patients’ and members’ sensitive information.

Data insecurity starts with the workforce, cybersecurity experts say. But competition with other industries for top talent is fierce.

“Last year we saw over 6,000 cybersecurity job postings in the healthcare industry,” said Matt Sigelman, CEO of Burning Glass Technologies, a job market research organization. There were 82,900 computer security jobs across all U.S. industries in 2014, with an 18% job growth over 10 years, according to the U.S. Labor Department.

Common recruitment strategies in healthcare put it at a competitive disadvantage, Sigelman said.

In other industries, headhunters look for advanced technical knowledge. But in healthcare, “those skills were emphasized a lot less,” he said.

Healthcare “people were asking for business skills like project management, staff management, HIPAA, asking people to wear a bunch of hats on the same head. That significantly restricts the pool (of candidates) to people who have healthcare experience,” Sigelman said.

Another problem is low pay. The average salary for a cybersecurity pro across all industries last year was $90,435; in healthcare it was $76,033, he said.

Michael Ebert, a partner at KPMG, said he came out of two recent healthcare board meetings at which members approved pumping up funding for cybersecurity. But “I don’t see it consistently out there,” he said.

Healthcare employers are more inclined to invest in cybersecurity technology than people, said Lee Kim, director of privacy and security at Healthcare Information and Management Systems Society.

“We’re hearing organizations saying cybersecurity is a priority, but we’re not seeing it in terms of staffing up,” said Lorren Pettit, vice president for health information systems at HIMSS. Many of those who are in the hunt for talent are having a tough time, according to experts, and a plurality (40%) of respondents to a Modern Healthcare readers’ survey disagreed strongly or somewhat when asked if there is a strong talent pool of well-trained cybersecurity workers.

Despite numerous headline-grabbing breaches, including the extraction by hackers of 78 million members’ data from Anthem in 2015, a recent HIMSS survey showed organizations didn’t budget more for security in 2016 than they did in 2015, Kim said.

Finding and training 50,000 new healthcare cybersecurity workers “would be a good goal over the next three to four years,” said David Finn, health IT officer for Symantec, a Mountain View, Calif., security firm.

“Healthcare has been underfunding security for a decade or more,” Finn said. “We haven’t made the investment and not just in dollars.” Senior executives still don’t see security as part of daily operations and daily routines, he said.

Last October, Brown University launched its first class in an executive master’s degree program in cybersecurity with 27 students. They have backgrounds in more than a dozen different industries.

But only one has ties to the healthcare industry—indirectly—by working for a technology company “that is very much a supplier of IT services for healthcare,” said Alan Usas, program director. “It’s odd, given the nature of the healthcare business, we haven’t seen healthcare.”

Intermountain Healthcare was one of healthcare’s earliest developers of a security operations center. Its staff of around 20 maintains constant surveillance of all the integrated delivery network’s IT systems.

The Salt Lake City-based system recruits interns from the computer science programs at three Utah universities to work in the center. That helps develop a pipeline of talent.

“It’s a great way for these younger people to get some experience in security,” said Marc Probst, CIO at Intermountain. “We’re having those folks for about a year. Machines watch the systems, and the security operation center personnel watch the machines. It’s been great for us.”

Probst said Intermountain’s experienced cybersecurity workers, who can earn 30% more by going outside healthcare, are being poached “all the time.” Intermountain plans accordingly.

“We get good people and train them up and get the services from them,” he said. And when they leave, “We congratulate them and bring up the next one.”

testing, even at the expense of time, because the risks of using a defective device are far too high.

“If a patch breaks something, you impact the healthcare of the patient, and you could potentially impact patient safety. Whereas, if you negatively impact the finance industry you’re only impacting money,” Welna said. “Our testing has to be a little bit more deliberate than I think you need in other industries.”

The process of ensuring a provider’s entire fleet of devices is patched is also complicated by an abundance of different operating systems running on different manufacturers’ devices, said Dr. Dale Nordenberg, executive director of the Medical Device Innovation, Safety and Security Consortium, a not-for-profit organization that evaluates device security. MDISS is in the process of building a cybersurveillance network with risk profiles and threat intelligence that could help providers spend their resources where they are needed most.

At some point, devices get old enough that security patches are no longer available. Ideally, healthcare providers replace devices before that happens, but it’s not always possible.

“There isn’t a good solution right now. There’s no silver bullet,” Nordenberg said. “The environment is very heterogeneous, and the challenges include many generations and many vendors.”

Colleges, government agencies and businesses sponsor the annual National Collegiate Cyber Defense Competition to nurture the talent pipeline. The scenarios tackled by the students have included health insurance hacks. MID-ATLANTIC COLLEGIATE CYBER...
