The mythical cybersecurity chameleon

Clyde Hewitt, Vice President of Security Strategy, CynergisTek

An Analysis of the Healthcare Industry’s Cybersecurity Skill Requirements

Introduction

It’s difficult to imagine a healthcare ecosystem with only one type of physician to follow patients through life, from pediatrics to treating adults with broken bones, cardiology, diabetes, oncology, and geriatric conditions. Our lifecycle, plus advancements in different fields of patient care and medicine, has driven physicians to specialize, and that move has led to better patient care.

Many outside the security career field believe that security staff are interchangeable and can perform all functions well. Much like physicians, however, security roles have evolved to include many specialties, each requiring different skills and experience. Healthcare providers and their vendors need to understand how cybersecurity specialization impacts the structure of their security management program, balances the workload, and can be leveraged to address the staffing shortage.

Discussion

Given the complexity of today’s security environment, cybersecurity professionals have developed specialties – following the physician model from 500 years ago. These specialties act as spokes of a wheel in Deming’s Plan-Do-Check-Act cycle. The senior security official, sometimes called the Chief Information Security Officer (CISO), is the hub of the wheel and manages the various activities. The CISO must understand the legal, regulatory, and contractual obligations as well as key stakeholders’ expectations.

Plan

Planning is the first step in the security wheel and starts with the findings from the risk analysis. Security architects turn security requirements into programs, but not all architects are the same. Architects may specialize in software development, networking, or server/workstations. Larger organizations with a continuous improvement cycle may hire full-time architects, but smaller organizations may be best served by outsourcing the need.

Do

Security engineers implement an architect’s design and are expected to be the skilled technologists that install and operate systems. Once security technology is installed, the security operations teams will monitor operations, logs, and respond to alerts. Staffing a 24x7 response team takes a minimum of five FTE, so this function is well-suited to outsource to a managed security services vendor.

Security managers coordinate these functions. The functions supporting the “DO” quadrant typically require close coordination between installation vendors, security engineers who configure systems, and operations staff who must develop procedures and runbooks. Operational thresholds need to be set based on system performance to tune out false positives and identify actual anomalies that can indicate an attack.

Check

The cornerstone of any mature security management system is measurement. Measurement should not be limited to technical activities such as logging and monitoring access to patient records; it should also cover other activities, including analysis of patch management, off-boarding effectiveness, biomedical equipment compliance, vendor management, and training compliance rates. Patch management process maturity, which is validated through regular internal and external vulnerability scans and penetration tests, requires very technical resources. These roles are left to security analysts who gather data from various sources, identify trends, perform root cause analysis, and report findings. Analysts are also needed to review patient record access logs for abnormal behavior. Security auditors are used to validate that the security management documentation trail is being maintained, including ensuring that risk treatment actions are assigned and completed – an especially important task if there is a breach.

Finally, compliance analysts monitor how the workforce follows policies, procedures, and contracts, then recommend corrective actions if they are not meeting published expectations. The compliance analyst also has a role with vendor management, specific to pre-contract activities needed to ensure that “satisfactory assurances” are obtained within the organization’s published risk appetite.

Act

Security threats are always evolving to attack control weaknesses. Data obtained by the security analysts will help influence the risk analysis and support new initiatives. Risk managers with a deep understanding of the environment are best positioned to conduct the risk analysis, help individual departments identify realistic risk treatment options, develop budget estimates, and then prioritize all organizational risk into a comprehensive package for the executive leadership team. Risk managers need not only a deep understanding of security controls but also an understanding of the healthcare environment. Not all risks are obvious, so it is important for risk managers to know the environment and ask the tough questions.

Program managers help guide the organization through the budgeting, acquisition, implementation, and operations of new systems. Program managers do not need a deep understanding of the technology but do require a working knowledge of the terms and concepts.

Conclusion

Healthcare organizations that want to respond to the changing threat environment will need to adopt the principle of continuous improvement. Regardless of the size of the organization, it is unrealistic to expect one or even a few individuals to have the collective set of skills needed to perform all functions. The search for one or two people who are skilled in all the above security functions is probably a futile effort.

Healthcare organizations are finding it harder to find the right talent than to find funds. The problem is only getting harder. Forbes reported in 2016 that there are over 1 million unfilled cybersecurity positions, a number that is increasing to 1.5 million by 2020. For this reason, those same organizations should consider outsourcing tasks to part-time resources when appropriate and quit chasing the mythical cybersecurity chameleon who can do everything.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
