The healthcare industry is suffering from a cybersecurity workforce shortage, as organizations have found it harder to recruit, train and retain skilled cybersecurity employees. Hospital and health system chief information security officers told Becker's that the shortage can be alleviated if organizations start to look outside the box for talent and provide greater incentives for cybersecurity training.
The healthcare cybersecurity talent shortage persists while cyberattacks on hospitals and health systems grow more sophisticated and frequent. Politico reported that the number of people caught up in healthcare data breaches this year is already approaching 2022 levels, with healthcare organizations reporting 330 breaches that have affected 41.4 million individuals through July 10.
In all of 2022, 52 million individuals were affected by healthcare breaches, which shows that this year could quickly outpace last year. Hospitals and health systems must therefore find ways to fill open roles on their cybersecurity teams to ensure their critical infrastructure is protected.
Becker's asked three chief information security officers how healthcare can work to fill these roles:
Brandon Nolan. CISO of Hoag (Newport Beach, Calif.): We have to take care of our people better, as finding and keeping talent is incredibly challenging.
Our people need reasons to stay more than just a salary and benefits. They need to know that the organization cares about their well-being and is supporting their ability to have a great balance between work, life and continuing education.
We need to provide training incentives to stay abreast of new challenges we are facing and be exposed to the latest thinking and intelligence to keep our people happy.
We have to make sure we have the right partners in place so our people aren't sleeping with their phones on their pillow at night or constantly on call when they are on PTO.
We also need to have the right training budget set aside for continuous education to keep patient data and critical life support systems safe from threat actors and criminals. Our people are investing their own time and effort after hours, sacrificing their time with family and friends to keep us safe. We must support them and give them the resources they need to be successful in their career.
We need to open up intern opportunities and look to raise awareness and partner with local colleges to bring in more diverse talent and provide unique opportunities for them to be curious and investigate if healthcare security is right for them.
Glynn Stanton. CISO of Yale New Haven (Conn.) Health System: Embrace that a large part of your job as CISO is to be an educator. That's true if you are educating clinical staff on phishing awareness or your technical teams on incident response.
Build relationships with local schools and colleges so you can hire, and then commit to giving them that ongoing education and development.
Acknowledge that new grads may only stay for two years, so having that repeatable onboarding and training plan is key to reducing the time for them to become effective in the role.
Randy Yates. Vice President and CISO of Memorial Hermann Health System (Houston): Outsource the support and maintenance of systems to a third party so team members can perform cybersecurity work and not tech upkeep duties.
Identify internal resources who have valuable tech skills that can be rewired into a security mindset and transfer into the cybersecurity team.
Use managed services to deliver services that require special expertise to operate and for which resources are hard to find.