Having a well-trained healthcare cybersecurity workforce is critical for covered entities, especially as organizations continue to implement new technologies. However, a recent (ISC)² report found that there is an increasing cybersecurity workforce gap.
The Global Information Security Workforce Study (GISW) found 70 percent of employers around the globe want to increase their cybersecurity staff size by 15 percent this year. For healthcare specifically, employers plan to expand staff by 20 percent or more – higher than any other industry surveyed.
(ISC)² Director of the North America Region Dan Waddell told HealthITSecurity.com that organizations need to look for candidates with more diverse skill sets, but also expand beyond traditional recruiting techniques.
The GISW is likely the largest information security workforce study of its kind, Waddell explained. (ISC)² has been conducting the report every two years since 2004, and had over 19,000 respondents for the most recent survey.
For healthcare cybersecurity, Waddell stated that the industry has a very large target on its back.
“Today what we are seeing is there are a lot of small and medium-sized healthcare offices, doctors, ‘mom-and-pop shops,’ that just do not have the expertise on staff to be able to prevent or respond to the attacks that are happening,” he said. “Healthcare has the target because of the information that it holds within the various patient records.”
Selling information on the Dark Web also helped fuel the supply-and-demand aspect of healthcare records, he added. Malicious threat actors would try to steal information and then sell it for a profit. Ransomware is the new attack vector, and has really taken off in the last year, Waddell noted.
“What you're seeing is, these small and medium-sized healthcare offices, since they do not have the qualified cybersecurity staff on hand, their first knee-jerk reaction is to simply pay the ransom,” he said. “And that is not the first response people should be taking.”
Once an organization takes that step, its reputation on the Dark Web and with other bad actors is that it will pay the money, Waddell warned. The cyber criminals know they have a good target that is paying money.
He noted one particular aspect of the report: 9 percent of healthcare respondents needed to increase their staff by between 16 and 20 percent. Furthermore, 30 percent said their staff needed to increase by more than 20 percent.
Healthcare does not have the staff to respond properly to ransomware attacks, Waddell stated.
Closing the cybersecurity skills gap
A holistic approach to information security is essential for any industry, not just healthcare, Waddell advised.
“Traditionally, there's been a reaction to install the latest gadget, the latest piece of software, the latest device,” he said. “And that is not working.”
Instead, the response must include the people, the process, and the technology.
“Cybersecurity is everyone's job,” stressed Waddell. “What you really need to focus on is, again, a multifaceted approach where you are training your users. They're the first line of defense.”
“Organizations need to train the users how to recognize a spear phishing attempt, and in addition, to have a sound cybersecurity strategy so that you can recover from such an incident.”
When staff members are properly trained in how to respond to a potential ransomware attack, it might not be necessary to pay the money, he added.
“Rather than paying that ransom, if you had educated cybersecurity staff that knew that doing a simple thing such as routine backups,” Waddell said. “Restoring from a backup should be your very first response to a ransomware attack.”
“Rather than paying the ransom or rather than crossing your fingers and hoping it'll go away, just very simple information security strategies that (ISC)² members are very well-versed in,” he continued. “Organizations should be able to apply those technical controls in the event that that human firewall fails, because inevitably, they will fail.”
Users can be trained on how to spot a ransomware attack, and that will lower an organization’s risk, Waddell explained. However, even if users know what a ransomware attack or phishing attack looks like, technical controls must also be in place or entities are “missing the mark.”
“It's really looking across the board and lowering your risk by applying various controls across the human element and also the technical element as well,” Waddell said.
While each healthcare organization needs to determine whether paying a ransom is the best approach for its own operations, Waddell asserted that this is why having a properly trained staff member in place is so critical.
“If those folks don't have the qualified people on staff, to their defense, they just may not know,” he proposed. “They don't know. Having that qualified person, or being able to go to a managed security provider, to be able to provide that expertise is a really good line of defense.”
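Waddell's advice above, restore from backup rather than pay, only works if the backup is known to be intact and is checked before a restore. The following is an added example, not code from the article or from (ISC)², of the minimal integrity check a small practice could script: record a SHA-256 manifest when a backup is taken, verify a restored copy against it, and flag files whose contents look encrypted (ransomware output is close to random, so its byte entropy is near 8 bits per byte, while plain-text records sit around 4 to 5). The record directory, file names, and the "encrypted" file are constructed for the demo; the 7.5 bits-per-byte threshold is an assumed starting point, not a figure from the page.

```python
"""Added example: backup manifest, restore verification and an entropy check
for ransomware-encrypted files. Sample data is constructed inline; nothing
here comes from the article."""
import hashlib
import json
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold in bits per byte: text ~4-5, encrypted/compressed ~7.9-8.0.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(root: Path, manifest_path: Path) -> dict:
    """Hash every file under root and save {relative_path: sha256} as JSON."""
    manifest = {str(p.relative_to(root)): sha256_file(p)
                for p in sorted(root.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored (or live) tree against the manifest taken at backup time."""
    result = {"ok": [], "missing": [], "mismatched": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def suspicious_files(root: Path, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Flag files whose first 64 KiB looks encrypted, so a backup job can refuse
    to overwrite a good copy with ransomware output."""
    flagged = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            with open(p, "rb") as f:
                head = f.read(65536)
            if shannon_entropy(head) >= threshold:
                flagged.append(str(p.relative_to(root)))
    return flagged


def demo() -> dict:
    """Constructed scenario: three plain-text records, a manifest, then one
    record overwritten with random bytes to stand in for ransomware."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "records"
        live.mkdir()
        for i in range(3):
            line = f"Patient {i:04d}: routine visit, BP 120/80, no allergies recorded.\n"
            (live / f"patient_{i:04d}.txt").write_text(line * 20)
        manifest = write_manifest(live, Path(tmp) / "manifest.json")
        before = verify_restore(live, manifest)
        # Simulate encryption of one record with a seeded PRNG (deterministic demo data).
        rng = random.Random(7)
        (live / "patient_0001.txt").write_bytes(
            bytes(rng.getrandbits(8) for _ in range(4096)))
        after = verify_restore(live, manifest)
        return {"before": before, "after": after, "flagged": suspicious_files(live)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest must live with the backup copy, offline or on immutable storage, not on the file server it describes: ransomware that can rewrite the records can rewrite a manifest stored beside them. Real ransomware also typically renames files (a new extension or a ransom-note file per directory), so a production check would add those signals; the entropy test alone will also flag legitimately compressed or encrypted archives, which is why the threshold is an assumption to tune against the practice's own data.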
How federal cybersecurity efforts can maintain progress
Earlier this year, the Health Care Industry Cybersecurity Task Force published a report to “address the growing challenge posed by cyberattacks.”
The Task Force was created under the Cybersecurity Information Sharing Act of 2015, with representatives selected by the Secretary of Health & Human Services, in coordination with the Department of Homeland Security and the National Institute of Standards and Technology.
The Task Force highlighted six key imperatives in a report sent to Congress, several of which are going to be essential in healthcare improving its cybersecurity approach, Waddell observed. First, developing the healthcare workforce will be critical.
“It’s important to really make sure that the folks that are part of the federal workforce understand the complexity of the problem, and are able to present holistic solutions to be able to solve that problem,” he explained. “The challenge that we have, not only in federal but really across the board, is our adversaries only have to be right once. It costs them pennies on the dollar to be able to launch these types of attacks.”
“By developing that healthcare workforce, and making sure that [those workforce members] have the training, the skills, and the experience to be able to put in place that strategy, is a great move,” Waddell continued.
Increasing cybersecurity readiness was another key imperative from the Task Force report, he said. This includes cyber resiliency and being able to respond, detect, and recover from an attack.
Improved cybersecurity awareness and education is one of the ways the report said cyber resiliency can be strengthened.
“There's a lot of work to do, but the good news is that there's now a really sound strategy within the Cyber Security Task Force document,” Waddell said. “There are some really sound recommendations that can make a difference.”
With the (ISC)² report citing a 20 percent increase in the cybersecurity workforce gap since 2015, Waddell said that having those numbers go down by the time the next report takes place is just the beginning.
“We're actually seeing some of these solutions, particularly around cybersecurity awareness and education, that are working,” he stated. “We can then take that and then advance and scale up.”
“These big numbers, the only way we're going to help address the gap is to take the things that are working now with respect to the education that's out there. That’s not only (ISC)² but other partners as well, and be able to scale that up.”