How Health Systems Can Develop & Retain Cybersecurity Staff

Many young people do not want to work in health information technology (IT) or cybersecurity. But this week, the Healthcare and Public Health Sector Coordinating Council (HSCC) released a tool kit to aid in recruiting and retaining skilled cybersecurity workers in healthcare.

The guide, “Healthcare Industry Cybersecurity Workforce Guide: Recruiting and Retaining Skilled Cybersecurity Talent,” is designed to address the increased demand for cybersecurity experts in healthcare — especially as cyberthreats continue to grow.

“Attracting and retaining cybersecurity talent is a major challenge in all industry sectors,” said Greg Garcia, executive director for cybersecurity at the HSCC. “But as medical and wearable healthcare technology become more connected, patient safety will increasingly rely on cyber safety, and a skilled workforce is essential to finding that balance.”

The workforce guide highlights four key areas to help hiring managers and chief information security officers develop their cybersecurity workforce:

• Hire students
• Transition IT staff to cybersecurity responsibilities
• Develop and manage professional development programs for executive-track cybersecurity personnel
• Outsource critical functions not otherwise resourced within the enterprise

Members of the HSCC Cybersecurity Working Group developed the guide with best practices useful for maintaining a strong cybersecurity talent base. The guide is aimed at small to mid-sized health systems and those without extensive cybersecurity resources.

The members of the workgroup assigned the Workforce Development Task Group to assess the risk to critical healthcare infrastructure due to issues with recruiting, training and retaining cyber professionals.

The task group discovered that there are two “buckets” for cybersecurity education and training.

The first bucket is the cybersecurity training necessary for a healthcare professional to do their job. Healthcare executives need to have cybersecurity awareness to take administrative steps to protect personal health information.

The second bucket involves technical personnel, such as those who manage data, IT, network and application security and device management roles.

“It is this technical segment of the healthcare workforce that this resource is intended to address — to help healthcare organizations, particularly those with tight budgets and lacking onboard cybersecurity expertise, adopt impactful methods and programs for recruiting, retaining and training more skilled and available cybersecurity human resources,” HSCC wrote.

Cybersecurity Student Staffing Pipeline

• Goal: Students develop cybersecurity skills through work, internship or externship. The organization needs to make them effective members of the mission of cybersecurity. The students must be allowed to perform work and be viewed as cybersecurity professionals.
• How to Succeed: Organizations can contact higher education institutions to find students looking for staffing or internship opportunities. Health systems can also leverage university credit hours as internship compensation for students. Students can use work hours to fulfill graduation credit requirements. Success will be reached if the student is hired into a full-time cybersecurity job after graduation.

Converting IT Staff to Cybersecurity Staff

• Goal: To develop a plan of success and cybersecurity awareness for IT professionals to transition from traditional IT roles to cybersecurity roles.
• How to Succeed: Addressing the basics could lead to success. The guide argues that it is affordable to train and prepare employees to pursue the Certified Information Systems Professional certification. Using resources and programs to get IT experts more acclimated to cybersecurity could help them better understand the work. Health systems can also develop a basic cybersecurity awareness around existing IT staff and to create a cybersecurity career roadmap within the organization.

Developing and Retaining Cybersecurity Staff

• Goal: To enhance the skill set of existing cybersecurity staff to augment capabilities and enable growth and support through education, mentoring programs and outreach.
• How to Succeed: Continuous leadership and skill set development and educational training, such as courses on security program and vulnerability management, ethical hacking and penetration testing, could lead to retention. Executives could also provide information on resources for mentoring and support to discuss successes and failures within the practice. The guide states that comparing successes and failures helps build more powerful business cases and drives more discussions about risk tolerance.

Outsourcing Cybersecurity Functions

• Goal: To compensate for a lack of skill sets or resources when it is difficult to obtain a fully staffed and functional cybersecurity team.
• How to Succeed: Health system executives should evaluate the cybersecurity staff’s skills and determine where gaps exist. Organization leaders should define the metrics of success for outsourced cybersecurity staff performance.

Get the best insights in digital health directly to your inbox.

Related

3 Trends Plaguing Healthcare Cybersecurity & How to Fight Them

Your MRI Is Hacked: Transfer $100K in Bitcoin, Please

How HHS Says Health Systems Can Manage Cybersecurity Threats