Help Wanted: Security Specialists
Healthcare needs staff with the right skills
Demand for qualified information security professionals is beginning to grow in healthcare.
The HITECH Act, which established tougher penalties and broader enforcement of enhanced versions of the HIPAA privacy and security rules, is proving to be a powerful catalyst for ramping up information security. Plus, as more organizations digitize more information, especially patient records, they're taking extra steps to ensure that data remains private.
More healthcare organizations are carefully assessing whether they've taken adequate steps to avoid information security breaches. And with that assessment, some organizations are considering beefing up their staff of information security and risk management experts.
"The need within healthcare is for 'hands-on' technical and security skills," says Sharon K. Welna, associate director, information systems compliance and project planning, at the University of Nebraska Medical Center, Omaha. "We need professionals who can understand the new regulations and how they will impact the organization as well as manage the convergence of information in a digital format and integration of digital information on networks."
The Dark Ages
Until recently, healthcare has largely been "in the dark ages, when it comes to recognizing the importance of information security," says Kate Borten, CISSP, CISM, president of Marblehead Group, a healthcare security consulting firm. Too many organizations, she says, have simply designated someone already on their IT staff to handle information security rather than hire and invest in professionals with proper security credentials.
"There is also significant push back against security best practices by doctors and physicians and other computer users," she adds. "We are like Rodney Dangerfield in healthcare. We get no respect!"
A recent survey by the Healthcare Information and Management Systems Society found that only about half of hospitals have a full-time chief information security officer.
But as more organizations digitize more information, including investing in electronic health records, Borten is hopeful that they'll begin hiring skilled information security professionals and providing advanced security training.
Roles to fill
In addition to hiring chief information security officers, hospitals and other organizations are looking for other specialists, including:
- Chief privacy officers;
- Network security specialists;
- Risk managers;
- User access managers; and
- Niche experts, including those who work on application security as well as security architecture and engineering.
"These last two are hard skill sets to find, but critical to success," says Roy R. Mellinger, vice president for IT security and CISO at WellPoint Inc., an Indianapolis-based insurance company that owns Blue Cross and Blue Shield plans.
Many hospitals and other healthcare organizations are educating and training their IT staff on best security practices as well as hiring qualified security individuals who have academic degrees and technical certifications.
Mellinger seeks job candidates who have earned recognition as a Certified Information Systems Security Professional (CISSP), offered by the International Information Systems Security Certification Consortium, or have earned the Global Security Essentials Certification (GSEC), offered by the Global Information Assurance Certification.
In addition, the Healthcare Information and Management Systems Society offers a healthcare-specific certification called Certified Professional in Healthcare Information and Management Systems (CPHIMS).
The key attributes that Mellinger says he looks for when assessing information security job candidates are:
- Grasp of technology;
- Desire to continually learn and expand understanding;
- Ability to demonstrate how technology can meet specific business needs;
- Commitment to a long-term career in the information security profession; and
- Possession of good communication and customer service skills.
To help fill their organizations' need for security professionals, both Mellinger and Welna are reaching out to recent college graduates specializing in information security and IT. They're also using social networks to help attract seasoned security professionals from other industries, such as banking and government.
To prepare to comply with the HITECH Act, "a lot of us have been engaged in reviewing existing staff roles and identifying job functions that have security ramifications and accordingly setting budgets for appropriate training and education and hiring security professionals," Welna says.
She predicts that demand will remain strong for information security professionals, especially those who have expertise in application and network security, audits, risk management and policy and regulatory requirements.