The healthcare sector needs to more effectively compete against other industries that are urgently seeking experienced cybersecurity professionals, says Lee Kim of the Healthcare Information and Management Systems Society.
"We definitely need more qualified cybersecurity personnel, not just to address ... sophisticated attacks, but also in terms of simply having enough people on staff so organizations can do the foundational risk assessment to see what's happening, see where the risks are and how to address them - instead of having large vulnerabilities that look like something akin to Swiss cheese," she says in an interview with Information Security Media Group. HIMSS recently released a position paper on cybersecurity needs in the healthcare sector.
"Unfortunately for many organizations, they are short-staffed and/or they lack qualified people," she says. "This is why, in part, some of the preventable breaches happen."
Two critical issues - salaries and opportunities for career development - often put healthcare organizations at a disadvantage when it comes to recruiting information security professionals, Kim says.
"In terms of salary ... if you're a job seeker for the healthcare sector compared to the financial sector - the financial sector is so much more used to a serious treatment of cybersecurity ... they're used to having robust cybersecurity teams and paying them ... very attractive rates for what they do day to day," she says. "Wages in healthcare are sometimes lower than what you might find in the financial or other mature critical infrastructure sectors, with respect to cybersecurity. That's a bit of a barrier."
In addition to attracting those with the necessary experience, education and credentials, "you also have to make sure you are helping them grow professionally in the sense that they do have the opportunity to take training classes by very good and reputable entities in the field," she says. "It's not simply you hire someone who has a great resume and they can stop learning and are able to combat the threats. Unfortunately that's not what we're seeing. We need to make sure they keep learning even once we attract them."
Signs of Progress?
Fortunately, many healthcare entities are starting to realize that cybersecurity "is a real threat ... with very significant outcomes and very real risks to the organizations, whether it is reputational, financial, patient safety or otherwise," she says. "So organizations - some for the first time - are hiring chief information security officers and/or a lot of cybersecurity personnel to increase their staffing."
But, she adds, "there's still room for growth in terms of how we ensure they stay with us once they develop more skill and sophistication, as opposed to walking across the street to that financial services firm that can pay them so much more."
In the interview, Kim also discusses:
- Why HIMSS recommends that the Department of Health and Human Services create a cybersecurity leader role;
- Why the healthcare sector needs to develop and adopt an industry-specific information privacy and security framework;
- What the cybersecurity priorities of the Trump administration should be.
Before joining HIMSS, a not-for-profit professional organization for health IT professionals, as its director of privacy and security, Kim practiced law in the areas of IT, healthcare technology, intellectual property and privacy and security. She also previously worked in the healthcare technology field. She is a licensed attorney in the District of Columbia and Pennsylvania and is admitted to practice before the Federal Circuit and the U.S. Patent and Trademark Office as a registered patent attorney.