The cybersecurity skills gap is affecting numerous industries. However, healthcare cybersecurity measures truly cannot afford to fall behind, according to ISACA Board Director Rob Clyde.
Citing data from the recent ISACA State of Cyber Security 2017 report, Clyde stressed that lackluster healthcare data security can affect individuals’ lives. However, it can be difficult to ensure that the right staff members are placed in positions where they can adequately manage the increasing threats.
There are two key areas that directly apply to healthcare from the ISACA report, Clyde explained. First, the Internet of Things (IoT) overtook mobile as the industry’s primary focus.
“This is right in healthcare's wheelhouse,” he stated. “It goes without saying that healthcare with its medical devices is one of the top industries that has adopted the Internet of Things to better people's lives. But as this report indicates, the industry is concerned.”
Clyde noted that 97 percent of responding organizations saw a rise in IoT usage, and suggested that the figure is likely even higher in healthcare. This is an area the healthcare industry needs to focus on more heavily, and one that healthcare security professionals are very concerned about, he added.
Healthcare ransomware is also an evolving issue, Clyde noted, citing data from the report. Sixty-two percent of the respondents indicated they experienced ransomware in 2016, but only 53 percent had a formal process in place.
“The fact that [ransomware] was already a big concern before [the WannaCry] attack even occurred, makes it a huge concern now,” he explained. “This is particularly important because in the case of healthcare, when ransomware attacks and the data becomes unavailable, it can literally affect people's lives.”
Individual lives can still be affected, even when organizations have backups in place that can be used to restore functionality. The restoration process can take days, and patients do not always have that time to spare, Clyde maintained.
“It is becoming particularly incumbent upon healthcare organizations to figure out how they can in fact proactively protect against ransomware-type attacks and put in new measures that make ransomware almost impossible to affect organizations, or highly unlikely to affect them.”
Implementing next-generation tools to combat evolving threats
Security professionals found that application whitelisting, which permits only approved programs to execute, effectively eliminated ransomware’s ability to run. The technique was originally applied against other malicious code, such as malware and viruses, Clyde noted, but it works just as well against ransomware.
The technique is recommended by US-CERT and other organizations, he added. Yet even though it is the top recommended defense against these kinds of attacks, many entities still have not implemented it.
“It turned out it was very hard to manage and to ensure that there were no false positives,” Clyde explained. “Imagine if you implemented whitelisting, the doctors suddenly couldn't do their jobs because the new version of the application that they were using needed to be run and it didn't have a whitelist for that.”
Newer techniques and next-generation whitelisting capabilities keep emerging, he pointed out. Application trust-listing, for example, can be managed far more easily while still ensuring that nothing runs except trusted code.
Furthermore, users should not be downloading and running arbitrary software on healthcare machines. They need to be trained to run only the approved healthcare applications on those devices.
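The trade-off Clyde describes, a hash-based whitelist that blocks a doctor's freshly updated application versus a publisher-based trust list that survives the update, can be shown in a small default-deny policy engine. The following Python is an added illustration written for this page, not ISACA's or any vendor's code. The executables, the policy rules and the "publisher" strings are constructed; in a real deployment the publisher identity would come from the operating system's code-signature verification (as in AppLocker or WDAC publisher rules), not from a field the program supplies about itself.

```python
"""Default-deny application control: hash rules versus publisher (trust-list) rules."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Executable:
    """A candidate program about to run.

    `publisher` stands in for the verified signer identity that the OS signature
    check would supply; here it is a constructed string for the example.
    """
    path: str
    content: bytes
    publisher: Optional[str] = None

    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    allowed_hashes: Set[str] = field(default_factory=set)
    allowed_publishers: Set[str] = field(default_factory=set)
    denials: List[str] = field(default_factory=list)  # audit trail for administrators


def evaluate(policy: Policy, exe: Executable) -> Tuple[bool, str]:
    """Default deny: anything not matched by an explicit allow rule is blocked."""
    digest = exe.sha256()
    if digest in policy.allowed_hashes:
        return True, "hash rule"
    if exe.publisher is not None and exe.publisher in policy.allowed_publishers:
        return True, f"publisher rule ({exe.publisher})"
    policy.denials.append(f"DENY {exe.path} sha256={digest[:12]}... publisher={exe.publisher}")
    return False, "default deny"


# Constructed sample binaries; short byte strings stand in for real executable images.
EHR_V1 = Executable("C:/Apps/EHR/ehr.exe", b"EHR client build 1.0", publisher="Example Health Software")
EHR_V2 = Executable("C:/Apps/EHR/ehr.exe", b"EHR client build 1.1", publisher="Example Health Software")
DROPPER = Executable("C:/Users/doc/Downloads/invoice.pdf.exe", b"encrypt-all-the-things", publisher=None)
SIGNED_MALWARE = Executable("C:/Users/doc/Downloads/update.exe", b"unknown-signer payload",
                            publisher="Unknown Vendor Ltd")


def hash_only_policy() -> Policy:
    """Classic whitelisting: one rule per known-good binary image (here, EHR 1.0 only)."""
    return Policy(allowed_hashes={EHR_V1.sha256()})


def publisher_policy() -> Policy:
    """Trust-listing: trust a verified publisher, so a routine version update keeps running."""
    return Policy(allowed_publishers={"Example Health Software"})


def run_scenarios() -> Dict[str, Dict[str, bool]]:
    """Run every sample binary through both policies; True means allowed to execute."""
    samples = (("ehr_v1", EHR_V1), ("ehr_v2", EHR_V2),
               ("dropper", DROPPER), ("signed_malware", SIGNED_MALWARE))
    results: Dict[str, Dict[str, bool]] = {}
    for name, policy in (("hash_only", hash_only_policy()), ("publisher", publisher_policy())):
        results[name] = {label: evaluate(policy, exe)[0] for label, exe in samples}
    return results


if __name__ == "__main__":
    for policy_name, outcome in run_scenarios().items():
        print(policy_name, outcome)
```

Under the hash-only policy the updated EHR client (`ehr_v2`) is denied exactly as the doctors in Clyde's scenario would experience it, while the publisher policy allows both versions and still blocks the unsigned dropper and the binary from an unrecognised signer. The caveat is that a publisher rule is only as strong as the signature check behind it: it depends on the OS actually validating the signature chain and revocation status, and a binary signed with a key stolen from an allowed publisher would pass, so publisher rules should be scoped as narrowly as the product set allows.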
“This is a great way of applying innovation as a way to actually implement better security,” he contended.
Training will also be critical to healthcare cybersecurity. The HHS Health Care Industry Cybersecurity Task Force report made the same point, and healthcare has a lot of work to do, Clyde noted.
“Part of that is ensuring that we have good training, both awareness training for users of the healthcare systems, and we need better training for the cybersecurity professionals themselves,” he said. “Unfortunately, the bad guys are also very innovative. It takes money to keep people trained enough and up to date as to how you deal with these latest threats and techniques.”
The ISACA report also found that the vast majority of cybersecurity professionals received under $2,500 per year for continuing training; just 27 percent had $2,500 or more, and one in four respondents received less than $1,000 of training per year. In healthcare, that is simply not enough for those professionals to keep up, he stressed.
“Part of our report really flagged a glaring gap, given the acceleration of these type of attacks, the far-reaching area of these type of attacks,” Clyde stated. “This is particularly true as we've seen it affecting the healthcare industry. On the flip side, our organizations aren't spending enough money to train and certify their security professionals.”
Closing the cybersecurity skills gap
There have been great improvements across industries when it comes to security positions, Clyde noted. Citing report data, he explained that the share of organizations with a CISO has risen from 50 percent to 65 percent. This is a huge step, he stressed, and it clearly shows progress.
However, the cybersecurity skills gap still exists. Entities struggle to hire the right individuals for the right positions.
“The long game is, ‘Let's see what we can do to encourage our young people in secondary school. Perhaps even reach them in the universities to consider cybersecurity as a field and IT in particular as a field.’ Then we get more people that are qualified coming into the workforce,” Clyde suggested.
That will take time, he acknowledged, but it needs to be done and is certainly a key part of addressing the skills shortage.
In the short term, organizations might have to poach the right cybersecurity professional from another company.
“There are very few out-of-work cybersecurity professionals,” he stated. “That, by definition, means that once you steal the individual from that other company, that other company is going to have to hire somebody, and the skills gap will remain.”
For the short term, ISACA urges organizations to look at cross-training individuals who are in related fields – such as IT or networking.
“These individuals can be cross-trained and very effective in a year or less,” Clyde advised. “They can be given the necessary training money and some certification money.”
“That's a very valid option in cross-training and getting people certified that are already highly technical, familiar somewhat with security, just not in the profession,” he continued. “They can be moved over and cross-trained.”
Organizations that are looking to close the cybersecurity gap, and to ensure that their data security measures are adequate, should take advantage of associations that specialize in these areas, Clyde recommended. Associations such as ISACA can provide training that gives staff the needed hands-on experience.
Live training, live situations, and then certifications can help individuals demonstrate what they are capable of and what they may need to do in adverse situations, he concluded.
“That's going to be part of the answer to close this skills gap, because book learning alone is not going to get it done.”