HEALTHCARE SECURITY FORUM: A HIMSS EVENT

Boston, MA
Sheraton Boston Hotel
Sep. 11-13, 2017

Healthcare cybersecurity challenges: Effective resourcing and talent retention

By Michael Figueroa, CISSP

Michael Figueroa, CISSP, serves as Executive Director of the Advanced Cyber Security Center (ACSC) in Boston. Figueroa, a featured speaker at the Healthcare Security Forum on Sept. 12, shared his insights about the current state of cybersecurity in the health sector.

Get involved. Join us for our #HITsecurity Twitter chat on Aug. 24, 2 p.m. Central Time to discuss your cybersecurity insights and connect with other industry experts.


What tips do you have for small and rural healthcare providers to improve their security posture?

The ACSC is committed to helping all New England organizations improve their cybersecurity posture. One of the first words of advice for small and rural healthcare providers is that you are not alone. As cybersecurity threats increase in frequency, it’s more important than ever before to maintain a persistent security collaboration to build a stronger community defense. Even if you are in Springfield or Stockbridge, MA, you can still take advantage of the insights and policies developed by your larger, urban counterparts.

Beyond collaboration, healthcare providers will improve security by applying stronger business-oriented practices to how they conduct security. Those include:

  1. Focus on what you can best influence. Healthcare providers are less challenged in knowing what they need to do than in having the resources to do absolutely everything. The inconvenient fact is they can only make do with what they have on hand and what they can best improve. When organizations face obstacles they are ill-equipped to handle, they can quickly spiral into an unproductive pattern as they try to get around the problem. Rather than dwell on constraints, organizations need to adjust to the conditions based on what they can best achieve.
  2. Apply an organization-oriented security framework. Rather than getting bogged down in a technology-centric approach that favors idealistic planning over execution, apply a framework that emphasizes responsive defense strategies that put the needs of patients, healthcare providers and staff ahead of technology. Engage executives in constructive conversations about operational priorities in relation to available resources. When more is necessary, those conversations will aid in understanding the operational impact of not acting and will help business executives participate in security decision-making, consequently distributing ownership over the results.
  3. Promote a culture of patience. When adversity occurs, the worst response is chaos and panic. Developing a communications workflow that provides structure in how the organization responds to new security events and establishes an active collaboration with executive decision-makers will empower the organization to adapt to change rather than panic about its rigidity. Failures may still occur, but being realistic about the organization’s capabilities will improve its ability to respond.

With a cybersecurity talent shortage, what are your suggestions for recruiting and retaining qualified healthcare cybersecurity personnel?

Recruiting and retaining qualified cybersecurity personnel is a challenge across all sectors. While the common belief is that security practitioners quickly jump from job to job for higher salaries, we found that candidates are still attracted to soft benefits. Unlike people in other professions, security practitioners constantly face adverse conditions, making them more prone to negative satisfaction. Organizations that counteract the opposing factors with strong positive influences will do best in keeping talented people engaged. One key strategy is to give security staff the freedom to explore the problem spaces with limited oversight. Appealing to the puzzle-solving personality innate to many security professionals will give them the sense they are valued for what they are able to solve versus what they are able to detect. Another is to allow security practitioners to collaborate openly with those in other organizations. To overcome the organizational perception that sharing security failures may open it up to reputational risk, the ACSC requires members to sign a legal participation agreement that provides blanket non-disclosure over all member information sharing.

At the ACSC, we are conducting a number of activities to help, such as conducting research on how workforce demand is changing over time, implementing sponsored internships that provide students with real-world cybersecurity experience before they graduate, and collaborating with New England academic institutions to develop effective cybersecurity curriculums. We are working to expand the New England cybersecurity talent pool and provide the care-and-feeding necessary to retain it locally.

Find out how other industry leaders are creating proactive cybersecurity cultures at the Healthcare Security Forum in September.

