Providence is building a global IT enterprise by employing thousands of people in Hyderabad, India, to support the U.S.-based operations for multiple functions, including cybersecurity.
"Cybersecurity is a journey and it's not a journey that you can really solve if you're a U.S.-based health system by just throwing U.S.-based talent at the problem," said Adam Zoller, the Renton, Wash.-based health system's chief information security officer, during an interview on the "Becker's Healthcare Podcast." "This is a 24 hour, seven days a week problem. Attackers are always coming after your system, so one thing that's really benefited us at Providence is our investment in global operations."
The team in India supports the health system's cybersecurity hours during evening hours in the U.S., which has boosted staff satisfaction and helped bridge the cybersecurity talent gap. Many organizations have rotating evening and night shifts for cybersecurity personnel, which can make recruiting more difficult for a skillset in shortage.
"When my shift team in the U.S. is asleep, [the team in India] is awake and they're defending our network," said Mr. Zoller. "In the morning, they hand off operations to my team in the U.S. and it's a constant cycle of global cybersecurity operations. That's done wonders for us from a staff retention standpoint, and we've been able to attract really top talent globally to work at Providence."
Mr. Zoller said if the health system only hired U.S.-based cybersecurity experts to monitor the organization constantly, they would burn out quickly. The global operating model helps fulfill the system's goal of employee wellness in addition to securing operations. Mr. Zoller also sees artificial intelligence technologies as having a role in cybersecurity in the future to help find vulnerabilities in code that's been written, or alert cybersecurity experts of potential issues.
Sophisticated cybersecurity defenses are expensive, but so are the ramifications of a ransomware attack. Health systems in recent years have lost hundreds of millions of dollars during downtown time and recovery from ransomware attacks, and their reputations also took a hit.
"Cybersecurity is a cost center for an organization, and there is a fine balance that you have to walk between pouring more money and resources into solving cybersecurity as a problem space. What are the risks? What's the dollar value of the risks that you're solving for?" said Mr. Zoller. "Every dollar that you spend on security is a dollar you take away from patient care in some fashion or take away from innovation or from reducing technology or process debt."
Mr. Zoller recommended health systems start thinking about how they can expand operations globally, even if they're a regional system, and gain executive buy-in from the executive team to invest in cybersecurity as a risk problem.
"Be sure as a system executive that you're talking with your security leaders about how you quantify risk and what's an acceptable level of risk for an organization to operate within.," said Mr. Zoller. "As a risk reduction function, you will never truly be able to eliminate all cybersecurity risks out of your system. You have to be comfortable with accepting some level of operating risk with cybersecurity."