Hospitals have not been spared from recent ransomware attacks on corporations across the globe. Wreaking havoc and collectively costing companies hundreds of millions of dollars in expense and lost revenue, these attacks have healthcare organizations on guard for what may happen next.
The results of a recently released HIMSS Cybersecurity Survey tell a story of healthcare providers making cybersecurity a business priority and working quickly to improve network security. Yet, most providers still report being vulnerable to attacks and only moderately prepared to defend against them, the results say.
According to Rod Piechowski, HIMSS senior director, health information systems, the HIMSS cybersecurity community has grown from 200 members to nearly 1,500 over the past year. “People are making the time to take this seriously and to learn more about it,” he said.
Cybersecurity positions have a different focus than privacy positions
The recognized importance of cybersecurity in the healthcare field is creating opportunities for individuals interested in healthcare cybersecurity and privacy careers. Cybersecurity specialists focus on ensuring the confidentiality, integrity and availability of information and assets, and this effort means defending and protecting against cyber-attacks and other compromises, said Lee Kim, HIMSS director of privacy and security. “Cybersecurity skills are in demand. There is never a dull moment. The threat landscape changes by the day, by the hour,” Kim emphasized.
On the other hand, positions that focus on privacy are “much more compliance driven,” she explained. “You're concerned about HIPAA (Health Insurance Portability and Accountability Act) compliance. You're concerned about breach notification,” Kim said, as healthcare organizations must comply with laws and regulations that require notification of individuals affected by a breach. Rather than fending off cyber-attacks, these specialists concentrate on the privacy impacts of health information technology, including electronic health records (EHRs) or patient portals, particularly when this information is shared outside of the organization. “Privacy specialists also focus on privacy policies, whether they are internal to their organizations or pertain to the patients whom they serve,” Kim said.
A STEM-related degree and experience is required
Kim and Piechowski agreed that an individual interested in a cybersecurity or privacy career should have at least a bachelor’s or master’s “STEM” degree – relating to science, technology, engineering or math – and at least a few years of information technology (IT) experience. “The more rigorous the degree program, the better,” Kim said, adding that there are information technology degree programs with a concentration in information security. While Kim said the healthcare field welcomes individuals from other industries who have strong security backgrounds, Piechowski added that having a healthcare background can be helpful, too, because these individuals understand the industry’s nuances.
Having exposure to the big IT picture within an organization is also important, Piechowski said, “because security involves many different aspects of technology and operations. Knowing the terminology and how information flows through the organization’s systems is very important to understanding security issues.”
In addition to academic degrees and experience, continuing education and certification programs can help professionals advance. Among many providers in this field, (ISC)2 offers a cybersecurity and privacy certification for healthcare professionals, and ISACA, AHIMA and others offer various programs relating to security. Kim said. Certifications in specific areas of security are available to those experienced in the field, with topics ranging from computer forensics, incident response, ethical hacking, risk assessment and management, and more. “This ‘paper’ can be very important, especially when getting the attention of hiring managers,” Kim explained.
Field attracting professionals from other industries, as well as clinicians
As security threats become more common and severe, many organizations are looking to extend the usual “out of the box” precautions, such as having firewalls and anti-virus protections, to gain expanded intelligence about threats and vulnerabilities and how they can be mitigated. To do this work, hiring managers in the healthcare field are looking for individuals with more extensive cybersecurity experience, even from the military or other industries such as finance. Some healthcare organizations supplement their internal staff with outside consultants or other resources, Kim explained.
Increasing numbers of clinicians, as well, are becoming involved in cybersecurity, Piechowski said. “There's tremendous value to having that kind of background. For example, if you know how to speak to other clinicians, you can make a better case for why security's important and how to help them be more secure in their environments,” he explained. Kim said cybersecurity consultants who also have clinical backgrounds are in high demand.
Opportunities abound for those with various aptitudes and passions
There’s room in the cybersecurity field for many different kinds of professionals, approaches, aptitudes and passions. “If you are passionate about managing details or ensuring confidentiality, there's a place for you. If you are someone that is intrigued by the thrill of the hunt, there's a place for you. If you like puzzles, there's a place for you,” Piechowski said.
Kim said she has talked to a number of folks who have transitioned their careers to cybersecurity in search of better career prospects. “I think that everyone finds it very intriguing. Certainly cybersecurity's profile has been raised due to the news, TV and movies. The interesting thing about cyber is that it's not the same job day in and day out. It's very dynamic, and there are many opportunities.
“Once you get a few years under your belt, you can walk right across the street to a larger and more established company that pays a substantial amount more for better hours. The cybersecurity field is interesting and lucrative. And even though it can be somewhat technical, it is not beyond the reach of most people that have an acumen to learn how computers work.”