Demand for Health InfoSec Pros Grows
EHR Implementation Creates a Need
When the HITECH Act electronic health record incentive program kicked off in 2009, the Department of Labor predicted a shortage of 50,000 health IT professionals in the coming years. As more organizations roll out EHRs, in part because of the billions of dollars in HITECH incentives now available, demand for information security expertise, in particular, is rapidly growing.
"The healthcare industry is undergoing a technology revolution, and there's a talent war - from custom application developers, stretching all the way to security," says Bill Liguori, partner at Leadership Capital Group, an executive recruitment firm. "There's a great push to acquire this talent; you can't deliver healthcare applications unless they're secure."
Information security talent in healthcare is in short supply, says Eric Cowperthwaite, chief information security officer at Providence Health System in Seattle.
"Across the board, information security demand has outstripped the supply of people with the skills and expertise to do the work" he says. "There is zero percent unemployment in info-sec. But when it gets to healthcare, the supply is even tighter, and the work more demanding. The complexity of health delivery, patient safety issues, regulatory issues - that's what make healthcare unique and not easy to understand."
Meeting the Demand
To meet demand, some healthcare organizations should consider hiring security professionals from the financial services and hospitality sectors, Liguori says. Like healthcare, financial services companies are highly regulated, he notes. And healthcare's current transition to the digital world is similar to the hospitality industry's shift to online booking of reservations.
Information security professionals who are seeking to advance their careers should consider healthcare because of the wealth of opportunities available, head hunters say. But to increase their chances of getting hired, especially if they lack healthcare industry experience, they should consider getting educated on key regulatory issues as well as other healthcare topics.
"Many colleges these days offer courses, and even certification and degree programs, related to healthcare security, privacy and compliance," Cowperthwaite says. "Understanding the complexity of the regulatory environment should be a plus."
He also advises those who aspire to a leadership position, such as CISO, to consider earning a master's in healthcare administration if they lack knowledge about the healthcare market.
Small Organizations, Big Talent Needs
The demand for information security professionals, especially those qualified to take on leadership roles, is strongest among smaller and midsize organizations that are ramping up their records automation, says Beverly Lieberman, president of the executive recruitment firm Halbrecht Lieberman Associates.
One chief security information officer at a large healthcare organization, who asked not to be identified, says he gets contacted frequently by recruiters looking to fill security leadership positions at small- to mid-sized healthcare systems.
"All of us are getting this kind of attention," the CISO says of his peers at other large healthcare organizations.
But not all midsized and smaller organizations are focusing on recruiting security professionals from larger healthcare providers. Many simply can't afford the more experienced talent, especially when their skills are in hot pursuit. So they're looking at other avenues, including developing their own staff.
"At smaller organizations, they usually can't afford a dedicated security person, so you'll often see the person who heads up security is also the network person," Lieberman says.
Sometimes, the person who heads up technology or oversees the network at a small to mid-sized organization also has an analyst on board with a security background, she says.
"If you're at a smaller organization, there is often a dependency on people who can wear multiple hats, dealing with IT and IT security," adds Judy Kirby, president of Kirby Partners, a health IT recruitment firm.
Many smaller organizations depend on outside consultants to get a new IT system launched - including setting up security, she notes. But they eventually realize the need to maintain security and risk management by training existing staff on security issues or recruiting a security specialist from a similar organization, she adds.
Developing security staff and keeping them well-informed on the latest demands in healthcare isn't easy. "This is a field that's constantly changing - from the devices that need to be secured, cloud computing, new regulations, and all the implications," Lieberman says.
Hiring Strategy
When it comes to management-level information security positions, Providence Health System seeks out those with experience working in healthcare delivery environments, Cowperthwaite says.
"If I'm going to send [an information security] manager out to talk to another manager in the organization, if that [information security manager] doesn't have a healthcare background, that's a problem," he says.
For junior-level positions, "we prefer our practitioners have some background in healthcare, but it's not necessary," Cowperthwaite adds.
In some cases, Providence has shifted staffers from the IT department to full-time information security positions, providing them with training in areas such as risk management, he says. "We have also hired people from other healthcare organizations and from non-profit and charitable organizations that have similarities" to non-profit Providence, he adds.
Also, Cowperthwaite recently hired someone from a web development company who was finishing up a degree in information security. "This person filled a junior role even without a healthcare background," he explains.
Demand Growth to Continue
Demand for information security talent in healthcare will continue to grow in the months, Kirby predicts.
"When organizations are chasing meaningful use incentives and are dealing with other projects like ICD-10 [billing codes], dollars are short and resources are squeezed," she says. "But once ICD-10 and [HITECH] meaningful use settle down, many of these organizations will see criticality in security," she predicts. In particular, they'll need experts to focus on breach prevention, encryption of mobile devices, and improved HIPAA training and compliance.
But even those healthcare organizations that are relatively well-staffed for information security must keep an eye on continual skills development and resource planning, Kirby stresses. "People get sloppy and overworked when they're stretched thin," she says. "Outstanding team members are in top demand," and are at risk of jumping ship to other employers, she adds.