Media

Resources

Politics
Diversity, equity and inclusion
Financial Decision Making
Telehealth
Patient Experience
Leadership
Point of Care Tools
Product Solutions
Management
Technology
Healthcare Transformation
Data + Technology
Safer Hospitals
Business
Providers in Practice
Mergers and Acquisitions
AI & Data Analytics
Cybersecurity
Interoperability & EHRs
Medical Devices
Pop Health Tech
Precision Medicine
Virtual Care
Health equity

Cybersecurity in health systems hampered by lack of talent | HIMSS 2023

April 17, 2023

Article

Organizations are struggling to find and keep skilled cybersecurity pros, and that’s emerging as a top concern of health IT leaders.

Chicago - Most healthcare cybersecurity professionals point to one glaring problem impeding efforts to protect health systems: a lack of cybersecurity staff.

Lee Kim of HIMSS talks about cybersecurity during the opening day of the HIMSS Global Health Conference & Exhibition. (Photo: Ron Southwick)

Roughly three in five healthcare cybersecurity professionals identified the dearth of staff as their biggest challenge, according to the recently released HIMSS Healthcare Cybersecurity Survey.

“The number one struggle is in terms of recruiting qualified healthcare cybersecurity professionals,” says Lee Kim, the senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS).

Kim talked about the difficulty health systems are having filling positions for cybersecurity professionals on Monday during the first day of the HIMSS Global Health Conference & Exhibition.

Read more: Cybersecurity in healthcare: Even with progress, vulnerabilities remain

It’s not only difficult for health systems to find talented cybersecurity professionals. It’s tough to get them to stick around. Two-thirds of healthcare cybersecurity pros (66.5%) said retention is a significant problem.

Part of the problem centers on compensation, Kim says. Health companies and health systems typically don’t match what other sectors pay, so, as Kim says, talented cybersecurity pros can go literally across the street to find a position that pays tens of thousands of dollars more.

Kim urged health systems to invest more in attracting and keeping top cybersecurity professionals, who can see a path to grow and would be dedicated to the organization. “You can’t go after talent that is the cheapest,” Kim says.

If healthcare organizations don’t cultivate people with passion who care about the organization, Kim says, “Unfortunately, your cybersecurity program may fail without that buy-in … because then they just realize that they are a number and they're just simply doing the job, as opposed to having a career within your organization.”

Read more: The 10 biggest health data breaches in the first quarter of 2023

Health system IT and cybersecurity leaders need to make a business case for investing more in cybersecurity. After the dearth of cybersecurity pros, health leaders in the HIMSS survey cited the lack of budget as their second leading concern. Most of those surveyed said their cybersecurity budgets were increasing compared to the previous year, or at least holding steady.

Health systems should be spending more time training their staff on cybersecurity, Kim says. The HIMSS survey found many IT pros said training was occurring only sporadically, or annually.

“Another really surprising trend is that not all of us are receiving security awareness training, including cybersecurity professionals,” Kim says.

On the upside, only a relatively small number of healthcare cybersecurity professionals (12.58%) says their organizations were hit with a ransomware attack last year. While that’s welcome good news on its face, Kim says a number of factors are at play that signal health systems shouldn’t put cybersecurity on the back burner.

Law enforcement agencies have seen a recent drop in ransomware attacks, but Kim says much of that has to do with the decline of crypto currency.

Also, ransomware groups are learning that the healthcare industry, while hardly invulnerable, is not necessarily as easy as in the past, Kim says.

Still, the HIMSS cybersecurity report said ransomware attacks remain a threat. “It is likely that ransomware operators will change tactics and leverage social engineering and artificial intelligence to infiltrate healthcare organizations and other targets that are perceived to be of high value,” the report stated.

During her presentation, Kim cited another reason why cybercriminals will continue to target hospitals and health systems: Many will consider paying the ransom. The survey found 55% of IT pros said they didn’t know if their organization would consider paying the ransom.

Paying a ransom carries significant risk, Kim says, because systems don’t know if the attackers will actually release all the data, or they could simply sell it later on the dark web.

“There’s no honor among thieves,” Kim says.