Hospitals struggle to recruit and retain cybersecurity staff

Hospitals face some serious resource challenges as they look to improve their cybersecurity, and it’s only partly about money.

Hospitals have a difficult time hiring and keeping talented cybersecurity pros, says Wes Wright, chief healthcare officer of Ordr, a cybersecurity firm.

Healthcare leaders have said financial constraints have made it more difficult to invest in cybersecurity, even as they acknowledge it’s a necessity. But hospitals and health systems continue to struggle to hire enough talented cybersecurity pros.

About 3 out of 4 healthcare IT professionals (74%) said hiring qualified cybersecurity staff remains “a significant workforce challenge,” according to a report released by HIMSS earlier this year.

Wes Wright, chief healthcare officer of Ordr, a cybersecurity firm, understands the dilemma for hospitals. He’s also held IT roles at Sutter Health and Seattle Children’s.

Like other healthcare leaders, Wright says hospitals typically can’t match the pay of companies in other sectors.

Beyond that, other companies are willing to offer more money while allowing people to work remotely, a change triggered by the COVID-19 pandemic.

“I have at least three friends for really significantly sized healthcare organizations that are CISOs (chief information security officers) that don't live in the area,” Wright tells Chief Healthcare Executive. “They're remote.”

With other sectors offering better pay and the ability to live wherever they want, Wright says, “There’s a lot of that talent poaching.”

“Now the idea of having remote CISOs and even remote CIOs, five years ago, you never would have seen that,” Wright says. “It's changing pretty quickly in healthcare.”

• Read more: Why hospitals struggle with cybersecurity: ‘We aren’t doing the basics’

Wright is careful to say that many cybersecurity staffers working in healthcare possess top notch skills. But many hospitals and healthcare organizations are struggling to recruit and retain workers, leaving staff in many cases undermanned.

As Wright says, “You can only spread peanut butter so far.”

Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, says all industries are having trouble filling cybersecurity jobs.

“It's a worldwide issue in cybersecurity in general, and healthcare is no different,” Steinhauer tells Chief Healthcare Executive®. “And they're more vulnerable because of the sensitivity of the data that they have, and the need for availability of their systems to provide patient care.”

• Read more: The 10 largest health data breaches of the first half of 2024

But the pay gaps in healthcare create a formidable obstacle. Lee Kim, the senior principal of cybersecurity and privacy at HIMSS, has said that talented cybersecurity pros can make tens of thousands of dollars outside of healthcare.

At the 2023 HIMSS Conference, Kim said health systems must invest more in attracting and keeping top cybersecurity professionals. Hospitals also need to show staff a path to grow, she said.

“You can’t go after talent that is the cheapest,” Kim says.

In HIMSS’ latest survey of cybersecurity leaders, most said their budgets have improved recently. Healthcare organizations are spending an average of 7% of their IT budgets on cybersecurity, up from 6% in past years, the HIMSS report states.

Limor Kessem, a senior cybersecurity consultant for IBM Security, told Chief Healthcare Executive® that the healthcare industry finds it difficult to get skilled cybersecurity professionals, but other sectors are struggling as well.

"It's a problem for healthcare, and it's a problem for everyone else as well," she says.

More than half of organizations that have suffered a breach are seeing staffing shortages, a 26% increase over last year, according to IBM's new report on the cost of breaches.

• Read more: Health Department must change ‘woefully inadequate’ approach to cybersecurity, senator says

John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, has said the government should do more to help bolster the cybersecurity workforce in healthcare. During a cybersecurity panel at the HIMSS Conference in 2023, Riggi said the government should appeal to military veterans to pursue jobs in cybersecurity. Since veterans already have shown a commitment to service and devotion to their country, they could be assets in cybersecurity and they are motivated by more than money.

Travis Moore, a nurse who is director of the healthcare category at Indeed, the job hunting site, said more healthcare organizations are showing willingness to allow people flexibility in where and how they work.

“I think that that is a much different way of thinking than we had several years ago in healthcare where it was like, ‘This is the job,’” Moore said.