One challenge we face as our connected world grows larger is ensuring that there are enough skilled professionals – both now and in the future – able to help us secure our vast networks and protect the internet. The Center for Cyber Safety and Education’s 2017 Global Information Security Workforce Study predicts there will be a cybersecurity workforce gap of 1.8 million by 2022. This shortage of cybersecurity talent is a risk to our economic and national security and to the online lives of internet users and organizations.
One industry that deals with sensitive information on a daily basis – and must prioritize the security of that information – is health care. Hospitals, doctor’s offices and other health care organizations rely on skilled cybersecurity workers to protect their patient, company and employee data, and it’s critical to their success to attract young people and new and seasoned professionals to careers in health care cybersecurity. I recently spoke with Rod Piechowski, senior director of health information systems at the Healthcare Information and Management Systems Society (HIMSS), and Lee Kim, director of privacy and security at HIMSS, about the organization’s work in cybersecurity workforce development and pursuing a career in this space.
MICHAEL KAISER: Tell us a little about HIMSS and its interest in cybersecurity and the cyber workforce.
ROD PIECHOWSKI: HIMSS has over 65,000 members representing many different stakeholders in health care. The transition from paper to digital involves much more than simply installing computers and software. The health care sector has always been responsible for protecting the confidentiality, integrity and availability of patient information; however, the health care sector has not had to deal with the barrage of cyberattacks until the last several years. So health care is a relative latecomer to the digital world, and as more hospitals and physician practices roll out the technology, the demand grows for qualified people to fill those positions. HIMSS is committed to ensuring that our members have access to the information they need to best manage information and technology, and that includes security. While security on the surface may appear to most people to be about confidentiality, the data integrity (what is most important to health care is the availability of information, but, yes, integrity is important too) part is extremely important because it directly relates to the safety of patients under the care of providers worldwide.
MK: How big is the cybersecurity workforce issue in the health care industry, and what kinds of organizations are having the greatest difficulty attracting skilled workers?
LEE KIM: The cybersecurity workforce issue in the health care industry is a pervasive challenge. Health care organizations generally look for experienced cybersecurity professionals. But, in addition to this, they also look for folks who have experience working in the health care setting (as access to the right information at the right time is critical).
Smaller organizations, such as community hospitals, rural hospitals and long-term care facilities, have more of an uphill battle in terms of attracting and retaining the right talent, whether due to compensation issues or the length of the workweek. Once a relatively inexperienced professional does gain experience at a smaller organization, he or she may seek out better opportunities with better pay and better hours (within health care or other industries).
MK: The cybersecurity workforce is not monolithic. Is there a special set of skills that you think are required for people to be successful in cybersecurity in the health care industry?
LK: Attention to detail, good work ethic, diligence, having the ability to learn things quickly and good analytical and communication skills are essential skills to have.
MK: Are you aware of any efforts by the industry at large, or major players in the industry, to create relationships with higher education institutions to ensure that graduates have the requisite skills to work in health care cybersecurity?
RP: The need for qualified cybersecurity professionals is a universal need; health care can use many of them, and the efforts so far have not been around formalizing a program to specifically address the issue on behalf of health care as much as they have been around trying to attract qualified workers. A lot of it involves raising awareness among those with qualifications that there are jobs in this field within health care. On a national basis, the National Institute of Standards and Technology has its National Initiative for Cybersecurity Education, which helps align educators and professionals align their skills with the current needs of the industry. For our part, HIMSS is certainly raising awareness and providing educational programs. In the last year we’ve seen the number of people in our cybersecurity community increase by a factor of 10, so this is a great way for people to learn more.
MK: In our recent survey with Raytheon and Forcepoint – Securing Our Future: Cybersecurity and the Millennial Workforce – when asked what type of organization they would want to protect in their careers, 45 percent said health care. What do we have to do better to better communicate the opportunities in cybersecurity in the health care industry?
LK: Cybersecurity is a field that many individuals do not understand; however, we can take steps to make sure that we have better outreach and make the outreach fun at the same time. As an example, hosting career fairs with “capture the flag” challenges and mock exercises may be an innovative idea. Also immensely helpful is when cybersecurity experts give guest lectures at local colleges to talk about the field and give students opportunities to ask questions. In brief, we need to go to where the millennials are and do a better job in communicating with them about what our field is about and what work life is like.
MK: What advice do you have for young people or seasoned professionals interested in doing this kind of work?
LK: Reach out to someone you know who works in the field, and have a discussion with them. Or, even if you don’t know someone, consider reaching out to a professional whom you would like to talk to via social media, and then ask to talk to them.
Whether you are a young professional or a seasoned professional, there is always an opportunity to work in the cybersecurity field. You can seek work as an employee of a health care organization, you can be the CEO of your own consulting firm, you can work for a vendor as a cybersecurity professional…the possibilities are endless.
Maybe you like to work with people, process and governance issues, or maybe you like to reverse engineer malware – whatever your interests may be, the cybersecurity field offers a range of opportunities.
RP: It helps to have a background and formal education in computer-related subjects. An undergraduate or graduate-level degree in cybersecurity, information technology, computer science or a STEM discipline is very helpful. Professional cybersecurity certifications also can provide skills and knowledge that today’s cybersecurity professionals need to succeed. As Lee notes in her answer above, talk to people in the field if you know someone. The basics are universal and can be applied to any industry. Health care has some specific issues that can be learned as a complement to the basics. Look around for a university program that meets your interests in the field. There are also many organizations that provide cybersecurity training, but you have to look for a program with a solid reputation for quality and up-to-date information.
Visit HIMSS’ website for more information on the organization and its work in cybersecurity and privacy, and check out the NICE Cybersecurity Framework for details on the distinct categories, specialties and work roles within cybersecurity. We’ve also created an infographic on cybersecurity careers and their many benefits (and where to go to learn more) and a primer for parents on guiding their kids toward careers in protecting the internet. For tips on how you can be safer online and protect your personal information, visit staysafeonline.org – and follow us on Facebook and Twitter for year-round cybersecurity advice and news.