Healthcare Jobs: Security Has the Edge
CISOs Seek Security Expertise Over Industry Experience
"Most certainly, I look for direct IT security experience over industry experience as most security methodologies are the same across disciplines," says Christopher Paidhrin, security compliance officer at Southwest Washington Medical Center in Vancouver, Wash. "It ultimately comes down to the individual's capacity to apply knowledge and not just in understanding that a problem exists."
Paidhrin and other chief security officers say they're on the lookout, in particular, for security engineers with solid backgrounds in networks, firewalls and systems. They need engineers who have in-depth knowledge of both risk management and compliance.
"It is imperative that an applicant have solid familiarity with security concepts and terminology -- the ability to talk the talk," Paidhrin says. "But just as important is their proven capability to problem-solve in real-time -- the ability to walk the talk."
Credentials Important
Terrell Herzig, information security officer at UAB Health System in Birmingham, Ala., emphasizes experience and education in hiring security candidates. He believes that credentials like the Certified Information Systems Security Professional (CISSP) offered by ISC2, or a master's degree in IT or security, will go a long way toward demonstrating a level of commitment to the profession.
"These credentials are paramount, as candidates holding this background have been subjected to the highest standards of moral, ethical and legal behavior, which is critical in this field," says Herzig, who heads security for a 1,000-bed hospital and numerous outpatient facilities throughout Alabama.
Integrity and ethics are essential for candidates seeking healthcare industry jobs because security specialists must protect sensitive patient information, security leaders say. And their actions can help ensure compliance with such regulations as the HITECH Act, which established tougher penalties for HIPAA privacy and security infractions.
"A candidate therefore must be above reproach, the embodiment of trust, a role model of character and service," Paidhrin says.
Expertise in Other Sectors
Because healthcare is behind other industries when it comes to implementing information technology and assuring data security, many security leaders say they're open to hiring new staff members from other, more heavily automated, sectors, including banking and government.
"Out of approximately 5,700 hospitals nationwide, close to 30% do not have firewalls or basic security measures," says Robert Myles, director of information security at Texas Health Resources, a 13-hospital system based in Arlington. "We are still way behind as an industry and have no established base of best practices within information security."
Another reason experienced security professionals from the banking and government sectors are highly desirable, Myles says, is that those sectors are highly regulated, as is healthcare.
"These individuals bring fresh perspectives and understand the threat landscape and value of information better with their experience being in the trenches," says Myles, who heads a team of about 30 security professionals.
Herzig also says his most successful security hires have been from the government and banking sectors.
"Their diverse background helps in explaining to the medical staff the value and importance of security and why we need certain controls in place," he says.
Lots of Homework
But once they make the transition to healthcare, Herzig says, security professionals face a steep learning curve on the ins and outs of their new industry. They must learn about a new set of regulations, including HITECH and HIPAA. They must understand the security threats and vulnerabilities that hospitals, clinics and others face. And they must figure out how best to educate physicians and nurses, many of whom lack technical expertise, on how to use security technologies in their daily practices.
Security leaders say those looking to transition to a career in healthcare should:
- Use professional social networking groups to link with healthcare professionals and gain insights about the field;
- Join local chapters of IT security and privacy groups, including Information Systems Audit and Control Association (ISACA) and the International Information Systems Security Certification Consortium (ISC2);
- Join a healthcare association, such as the Healthcare Information and Management Systems Society, the American Health Information Management Association and the International Association for Healthcare Security & Safety;
- Find a mentor. Most senior healthcare IT security professionals are generous with their time and expertise, Paidhrin says, because they want to see others succeed. A mentor can help identify open positions, he says, and "they will most likely sponsor or recommend you if you are the right fit for the position."
- Earn professional certifications, including the Certified Information Systems Security Professional (CISSP) offered by ISC2, Global Information Assurance Certification (GIAC) provided by SANS Institute and the Cisco Certified Network Professional (CCNP) credential;
- Complete university-level courses about the business of healthcare to gain industry expertise.