Help Wanted: Security Specialists

Healthcare needs staff with the right skills

Demand for qualified information security professionals is beginning to grow in healthcare.

The HITECH Act, which established tougher penalties and broader enforcement of enhanced versions of the HIPAA privacy and security rules, is proving to be a powerful catalyst for ramping up information security. Plus, as more organizations digitize more information, especially patient records, they're taking extra steps to ensure that data remains private.

More healthcare organizations are carefully assessing whether they've taken adequate steps to avoid information security breaches. And with that assessment, some organizations are considering beefing up their staff of information security and risk management experts.

"The need within healthcare is for 'hands-on' technical and security skills," says Sharon K. Welna, associate director, information systems compliance and project planning, at the University of Nebraska Medical Center, Omaha. "We need professionals who can understand the new regulations and how they will impact the organization as well as manage the convergence of information in a digital format and integration of digital information on networks."

The Dark Ages

Until recently, healthcare has largely been "in the dark ages, when it comes to recognizing the importance of information security," says Kate Borten, CISSP, CISM, president of Marblehead Group, a healthcare security consulting firm. Too many organizations, she says, have simply designated someone already on their IT staff to handle information security rather than hire and invest in professionals with proper security credentials.

"There is also significant pushback against security best practices by doctors and physicians and other computer users," she adds. "We are like Rodney Dangerfield in healthcare. We get no respect!"

A recent survey by the Healthcare Information and Management Systems Society found only about half of hospitals have a full-time chief information security officer.

But as more organizations digitize more information, including investing in electronic health records, Borten is hopeful that they'll begin hiring skilled information security professionals and providing advanced security training.

Roles to fill

In addition to hiring chief information security officers, hospitals and other organizations are looking for other specialists, including:

  • Chief privacy officers;
  • Network security specialists;
  • Risk managers;
  • User access managers; and
  • Niche experts, including those who work on application security as well as security architecture and engineering.

"These last two are hard skill sets to find, but critical to success," says Roy R. Mellinger, vice president for IT security and CISO at WellPoint Inc., an Indianapolis-based insurance company that owns Blue Cross and Blue Shield plans.

Many hospitals and other healthcare organizations are educating and training their IT staff on best security practices as well as hiring qualified security individuals who have academic degrees and technical certifications.

Mellinger seeks job candidates who have earned recognition as a Certified Information Systems Security Professional (CISSP), offered by the International Information Systems Security Certification Consortium, or have earned the Global Security Essentials Certification (GSEC), offered by the Global Information Assurance Certification.

In addition, the Healthcare Information and Management Systems Society offers a healthcare-specific certification called Certified Professional in Healthcare Information and Management Systems (CPHIMS).

Desirable attributes

The key attributes that Mellinger says he looks for when assessing information security job candidates are:

  • Grasp of technology;
  • Desire to continually learn and expand understanding;
  • Ability to demonstrate how technology can meet specific business needs;
  • Commitment to a long-term career in the information security profession; and
  • Possession of good communication and customer service skills.

To help fill their organizations' need for security professionals, both Mellinger and Welna are reaching out to recent college graduates specializing in information security and IT. They're also using social networks to help attract seasoned security professionals from other industries, such as banking and government.

Gearing up

To prepare to comply with the HITECH Act, "a lot of us have been engaged in reviewing existing staff roles and identifying job functions that have security ramifications and accordingly setting budgets for appropriate training and education and hiring security professionals," Welna says.

She predicts that demand will remain strong for information security professionals, especially those who have expertise in application and network security, audits, risk management and policy and regulatory requirements.

About the Author

Upasana Gupta

Contributing Editor, CareersInfoSecurity

Upasana Gupta oversees CareersInfoSecurity and shepherds career and leadership coverage for all Information Security Media Group's media properties. She regularly writes on career topics and speaks to senior executives on a wide range of subjects, including security leadership, privacy, risk management, application security and fraud. She also helps produce podcasts and is instrumental in the global expansion of ISMG websites by recruiting international information security and risk experts to contribute content, including blogs. Upasana previously served as a resource manager focusing on hiring, recruiting and human resources at Icons Inc., an IT security advisory firm affiliated with ISMG. She holds an MBA in human resources from Maharishi University of Management, Fairfield, Iowa.
