How Jefferson Health is Tackling the Cybersecurity Workforce Shortage

March 25, 2022 - The current healthcare cyber threat landscape demands strict, sophisticated security controls and constant monitoring. But the ongoing cybersecurity workforce shortage has left many organizations scrambling to safeguard data and prevent cyberattacks with an overworked and short-staffed team.  

Even before the COVID-19 pandemic and the Great Resignation, Jefferson Health noticed cybersecurity workforce gaps. The large health system, which serves the Greater Philadelphia area and Southern New Jersey, found that its cybersecurity needs were growing faster than local schools could generate new talent.

Mark Odom, vice president and CISO of Jefferson Health, knew that his team would need to pivot and reassess its security strategies to make up for gaps in the workforce.

"Obviously, not being able to cover all the bases in security is a significant issue," Odom said in an interview with HealthITSecurity.

"It's not a Jefferson issue, and it's not a US issue—it's a world issue that we're all facing."

By investing in entry-level talent, leaning on automated technology, and reducing burnout among current staff, Jefferson Health is tackling the cybersecurity workforce shortage head-on while still acknowledging that the industry as a whole has a long way to go.

Current State of the Cybersecurity Workforce Shortage

A survey conducted by (ISC)² found that while the cybersecurity workforce gap narrowed for the second consecutive year, the global workforce still must grow by 65 percent to defend critical assets effectively.

A workforce shortage can result in employee burnout, as exemplified by the current nationwide clinician shortage. For IT and cybersecurity teams, the workforce shortage could cause remaining employees to be stretched too thin, allowing critical vulnerabilities and suspicious network activity to fly under the radar.

Log4j vulnerabilities also put significant strain on an already overburdened cybersecurity workforce, another (ISC)² report found. Because Log4j is so widely used, unpatched vulnerabilities could have catastrophic security consequences for healthcare and other sectors if not patched immediately. As a result, the cybersecurity workforce had to work overtime to secure systems and mitigate risk.

(ISC)²'s survey of 269 cybersecurity professionals working closely with Log4j vulnerabilities and remediation efforts validated the severity of the vulnerabilities, "the fallout of which will not be known for months or even years to come."

Along with technological implications, Log4j exposed the fragility of the cybersecurity workforce. Respondents reported sacrificing their vacation time and weekends to remediate Log4j vulnerabilities, which led to burnout and job dissatisfaction for some.

One in four surveyed cybersecurity professionals reported believing their organization was less secure while they worked to remediate the Log4j vulnerabilities. In addition, 23 percent of respondents said they are now behind on 2022 cybersecurity priorities.

The healthcare sector cannot afford these gaps. If network intrusions slip through the cracks and cyberattacks continue to increase, there could be serious impacts on patient safety and privacy.

"I would say the workforce gap is starting to impede some organizations' ability to move forward," Odom observed.

"I think we've kept up so far, but if we had not changed some of our strategies and leveraged some of these tools that are out there, we would find ourselves at a loss."

Reducing Barriers to Entry, Investing in Entry-Level Talent

"There is so much bright talent out there," Odom noted. "Some of my best cybersecurity resources came to me without a cybersecurity degree."

Along with the idea that an entry-level candidate must have a degree in or prior knowledge of cybersecurity, there are other glaring misconceptions about the required skillsets needed to get a job in cybersecurity, Odom suggested.

"For instance, we scare a lot of these young practitioners off with the word coding, but probably only 25 percent of our staff really codes," Odom noted.

Reducing the barriers to entry for the cybersecurity field is one way that Jefferson Health has been combatting the workforce shortage.

For example, on paper, a candidate with a business degree may not appear to be the best fit for a more technical cybersecurity role. But business degrees teach a great deal of risk management. With baseline business knowledge, an entry-level candidate can enter the cybersecurity field and pick up technical skills along the way.

Jefferson Health's strategy now involves hiring entry-level candidates, training those individuals, and establishing runways to generate a talent pipeline. The goal is to help employees progress in their careers and see a future in cybersecurity.

"I would encourage everyone to open up those entry-level positions and start onboarding those trainees today," Odom advised. "They will be your support tomorrow."

Leaning on Technology to Fill Workforce Gaps

Training entry-level employees is great for the longevity of the workforce. However, short-staffed teams will have to address a multitude of immediate cyber threats.

Jefferson Health is filling the gaps by implementing automated technology, artificial intelligence (AI) and machine learning algorithms, and cloud applications, Odom said. Using technology to fill workforce gaps allows organizations to move forward as they work on addressing the systemic issues that led to a workforce shortage in the first place.

AI works 24 hours per day, 7 days per week. Constant monitoring means that it can process large quantities of data and detect threats quickly, which could help to close workforce gaps and mitigate risks in the healthcare cybersecurity space.

A report by The Economist Intelligence Unit sponsored by Pillsbury Winthrop Shaw Pittman LLP suggested that AI technology could help healthcare organizations fill cybersecurity gaps, as long as organizations balance those benefits with proper risk management. AI still makes mistakes and requires human intervention, but it can help reduce workloads and detect anomalies to an extent.

"We are also seeing a rapid acceleration into the cloud," Odom continued. "That reduces the workload, not only on your infrastructure team but also on your security team and your monitoring tools. You don't have near as many tools and nearly as many edges to defend."

Cloud technology can drive digital transformation, enabling rapid growth and scalability. Like any other technology, healthcare organizations should evaluate and implement cloud computing tools with security and privacy in mind.

Building security into an organization's architecture via reliable technology is crucial to mitigating risk. In turn, there is less of a burden on the cybersecurity workforce.

Avoiding Workforce Burnout

"Burnout happens at a higher frequency because of the additional security workloads and the turnover in staff," Odom said.

"But how you manage burnout is no different to me today than what it was prior to the shortages."

Thoughtfully implementing technologies and processes that reduce the number of endpoints and systems that the workforce must deal with helps operations run smoothly and reduces administrative burden.

In addition, Odom emphasized the importance of giving your workforce time to follow their passions.

"I tell all my staff to leave themselves 15 to 20 percent of their time to chase the fascinating—to chase what really drives them and what got them into the profession to start with," he said.

"And what we find is, it increases our capabilities because people go and work in a space that maybe wasn't on a project plan but was just fascinating to them. They end up increasing our capabilities with long-term changes to our program."

There is not just one solution that can fix the cybersecurity workforce shortage. But a combination of investing in entry-level talent, offloading some work onto technology solutions, and reducing burnout can help healthcare organizations work through the shortage without sacrificing security.

"I wouldn't say we've dealt with it. We're dealing with it and we will be for some time," Odom admitted.

"I think we are probably at least three years away from catching up with this. This is a long game. What we're seeing today is maybe unprecedented, but tomorrow we are going to see something else, and the next day there will be something else. So, don't just focus on short-term strategies to meet your needs."