Healthcare: InfoSec Skills Wanted
HIPAA Omnibus Fueling Demand
As a result of the HIPAA Omnibus Rule, which broadens the number of organizations that must meet privacy and security requirements, demand for information security professionals in healthcare is higher than ever.
And coming up with the resources to adequately staff health data security and privacy initiatives isn't easy for some organizations - including many health information exchanges - with tight budgets.
HIPAA Omnibus clarifies that business associates and their subcontractors must comply with federal security and privacy regulations, and they can be held liable for breaches. Plus, the rule expands the definition of a business associate to include health information organizations (that run health information exchanges), e-prescribing gateways or others that provide data transmission services to a covered entity and that require routine access to the health information. Also included are vendors who offer a personal health record to one or more individuals on behalf of a covered entity, such as a hospital or clinic. So the number of health-related organizations feeling security skills pressure is growing.
Meanwhile, healthcare providers that are ramping up their IT efforts - such as rolling out electronic health records to qualify for financial incentives under the HITECH Act - already know the availability of experienced health tech talent is tight. But those who are also trying to bolster data security and privacy efforts to comply with HITECH as well as HIPAA Omnibus could end up scrambling for know-how.
"We've seen an increased level of need in the healthcare space for security and privacy expertise," says John Reed, senior executive director at Robert Half Technology, which provides contract and full-time tech staffing services. "People are trying to get their arms around all the changes in the regulatory space, from the Affordable Care Act to HITECH and HIPAA."
Smaller organizations typically lack the resources to beef up their staff, so they're looking to hire consultants and contractors, Reed says. Plus, they're trying to stretch internal resources by bolstering their staffs' data security and privacy skills.
Among those in need of privacy and security talent are HIEs, most of which are now directly liable for breaches and compliance under HIPAA Omnibus.
"It's not that health information exchange organizations haven't been paying attention to privacy and security already, but the set of requirements are getting more complex," says Harry Rhodes, director of health information management solutions at the American Health Information Management Association. That's not only because of HIPAA Omnibus, but also due to additional Privacy and Security Framework guidelines announced last March by the Department of Health and Human Services for HIEs that have received federal grants (see: HIEs Get Privacy, Security Guidance).
However, while the need for security and privacy expertise is increasing, HIEs, as well as many other smaller healthcare organizations, struggle to do their best with shoestring budgets, Rhodes says.
"Most HIEs are working with limited funding and grants," Rhodes says. "They are looking for people who can multi-task," such as an IT person who can do data integration but understands security and privacy. "The problem with that is when the person doing IT has a long list of responsibilities, security is on the bottom of the list, and he spends only 20 minutes on Thursdays dealing with that," Rhodes adds.
Devore Culver, CEO of Maine's state-designated HIE, HealthInfoNet, says his operation depends mostly on contractors for its security.
HealthInfoNet won't need to make many changes to comply with HIPAA Omnibus, he says. "We have always assumed that we were responsible for delivery of and enforcement of security standards that are at a level equal to or greater than 'covered entities,'" he says. "For example, we established an operating policy in 2011 that our management of protected health information would always incorporate encryption for PHI data at rest and in motion."
HealthInfoNet's primary security resources, including perimeter defense and intrusion detection, are provided by outside contractors, he says. "We also contract for third-party, unscheduled penetration 'attacks' on a bi-annual basis and routine assessment of policy and physical security architecture."
HealthInfoNet's internal staff focuses on weekly audits of user activity and unusual access activity.
Still, like many other HIEs and smaller healthcare organizations, staffers at HealthInfoNet - including Culver - sometimes wear multiple hats.
In addition to leading the HIE, Culver notes, "I am the privacy and security officer for the organization."
Tips for Vetting Talent
For healthcare organizations looking to bolster their security bench strength, Reed suggests considering security experts from other industries, including financial services. Banking has heavy compliance demands as well as a high need for securing sensitive data. "There's crossover in the technical skills both industries demand," he says.
Reed also suggests looking at the credentials that professionals bring. "Certifications like CISSP or COBIT are good benchmarks to look for," he says. And as for job candidates looking for security gigs, "having good credentials gives them an edge."