Organizations are struggling to find and keep skilled cybersecurity pros, and that’s emerging as a top concern of health IT leaders.
Chicago - Most healthcare cybersecurity professionals point to one glaring problem impeding efforts to protect health systems: a lack of cybersecurity staff.
Roughly three in five healthcare cybersecurity professionals identified the dearth of staff as their biggest challenge, according to the recently released HIMSS Healthcare Cybersecurity Survey.
“The number one struggle is in terms of recruiting qualified healthcare cybersecurity professionals,” says Lee Kim, the senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS).
Kim talked about the difficulty health systems are having filling positions for cybersecurity professionals on Monday during the first day of the HIMSS Global Health Conference & Exhibition.
It’s not only difficult for health systems to find talented cybersecurity professionals. It’s tough to get them to stick around. Two-thirds of healthcare cybersecurity pros (66.5%) said retention is a significant problem.
Part of the problem centers on compensation, Kim says. Health companies and health systems typically don’t match what other sectors pay, so, as Kim says, talented cybersecurity pros can go literally across the street to find a position that pays tens of thousands of dollars more.
Kim urged health systems to invest more in attracting and keeping top cybersecurity professionals, who can see a path to grow and would be dedicated to the organization. “You can’t go after talent that is the cheapest,” Kim says.
If healthcare organizations don’t cultivate people with passion who care about the organization, Kim says, “Unfortunately, your cybersecurity program may fail without that buy-in … because then they just realize that they are a number and they're just simply doing the job, as opposed to having a career within your organization.”
Health system IT and cybersecurity leaders need to make a business case for investing more in cybersecurity. After the dearth of cybersecurity pros, health leaders in the HIMSS survey cited the lack of budget as their second leading concern. Most of those surveyed said their cybersecurity budgets were increasing compared to the previous year, or at least holding steady.
Health systems should be spending more time training their staff on cybersecurity, Kim says. The HIMSS survey found many IT pros said training was occurring only sporadically, or annually.
“Another really surprising trend is that not all of us are receiving security awareness training, including cybersecurity professionals,” Kim says.
On the upside, only a relatively small number of healthcare cybersecurity professionals (12.58%) said their organizations were hit with a ransomware attack last year. While that’s welcome good news on its face, Kim says a number of factors are at play that signal health systems shouldn’t put cybersecurity on the back burner.
Law enforcement agencies have seen a recent drop in ransomware attacks, but Kim says much of that has to do with the decline of cryptocurrency.
Also, ransomware groups are learning that the healthcare industry, while hardly invulnerable, is not necessarily as easy a target as in the past, Kim says.
Still, the HIMSS cybersecurity report said ransomware attacks remain a threat. “It is likely that ransomware operators will change tactics and leverage social engineering and artificial intelligence to infiltrate healthcare organizations and other targets that are perceived to be of high value,” the report stated.
During her presentation, Kim cited another reason why cybercriminals will continue to target hospitals and health systems: Many will consider paying the ransom. The survey found 55% of IT pros said they didn’t know if their organization would consider paying the ransom.
Paying a ransom carries significant risk, Kim says, because systems don’t know if the attackers will actually release all the data, or they could simply sell it later on the dark web.
“There’s no honor among thieves,” Kim says.