Healthcare Jobs: Security Has the Edge

CISOs Seek Security Expertise Over Industry Experience
Healthcare Jobs: Security Has the Edge
There's good news for security professionals interested in moving from other business sectors to healthcare. When selecting new staff members, many healthcare security leaders say they put more weight on candidates' security expertise than their industry-specific knowledge.

"Most certainly, I look for direct IT security experience over industry experience as most security methodologies are the same across disciplines," says Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash. "It ultimately comes down to the individual's capacity to apply knowledge and not just in understanding that a problem exists."

Paidhrin and other chief security officers say they're on the lookout, in particular, for security engineers with solid backgrounds in networks, firewalls and systems. They need engineers who have in-depth knowledge of both risk management and compliance.

"It is imperative that an applicant have solid familiarity with security concepts and terminology -- the ability to talk the talk." Paidhrin says. "But just as important is their proven capability to problem-solve in real-time --the ability to walk the talk."

Credentials Important

Terrell Herzig, information security officer at UAB Health System in Birmingham, Ala., emphasizes experience and education in hiring security candidates. He believes that credentials like the Certified Information Systems Security Professional (CISSP) offered by ISC2, or a master's degree in IT or security will go a long way toward demonstrating a level of commitment to the profession.

"These credentials are paramount, as candidates holding this background have been subjected to the highest standards of moral, ethical and legal behavior, which is critical in this field," says Herzig, who heads security for a 1,000-bed hospital and numerous outpatient facilities throughout Alabama.

Integrity and ethics are essential for candidates seeking healthcare industry jobs because security specialists must protect sensitive patient information, security leaders say. And their actions can help ensure compliance with such regulations as the HITECH Act, which established tougher penalties for HIPAA privacy and security infractions.

"A candidate therefore must be above reproach, the embodiment of trust, a role model of character and service," Paidhrin says.

Expertise in Other Sectors

Because healthcare is behind other industries when it comes to implementing information technology and assuring data security, many security leaders say they're open to hiring new staff members from other, more heavily automated, sectors, including banking and government.

"Out of approximately 5,700 hospitals nationwide, close to 30% do not have firewalls or basic security measures," says Robert Myles, director of information security at Texas Health Resources, a 13-hospital system based in Arlington. "We are still way behind as an industry and have no established base of best practices within information security."

Another reason why experienced security professionals from the banking and government sectors are highly desirable, Myles says, is because those sectors are highly regulated, as is healthcare.

"These individuals bring fresh perspectives and understand the threat landscape and value of information better with their experience being in the trenches," says Myles, who heads a team of about 30 security professionals.

Herzig also says his most successful security hires have been from the government and banking sectors.

"Their diverse background helps in explaining to the medical staff the value and importance of security and why we need certain controls in place," he says.

Lots of Homework

But once they make the transition to healthcare, Herzig says, security professionals face a steep learning curve on the ins and outs of their new industry. They must learn about a new set of regulations, including HITECH and HIPAA. They must understand the security threats and vulnerabilities that hospitals, clinics and others face. And they must figure out how best to educate physicians and nurses, many of whom lack technical expertise, on how to use security technologies in their daily practices.

Security leaders say those looking to transition to a career in healthcare should:

About the Author

Upasana Gupta

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide-range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.