The Healthcare and Public Health Sector Coordinating Council, or HSCC, whose Joint Cybersecurity Working Group comprises 220 industry and government organizations working on strategies to security challenges to the healthcare industry, has put together a guide to developing an effective cyber workforce.

WHY IT MATTERS
In its report, the HSCC makes the point that cybersecurity "depends on a knowledgeable workforce of both technical experts who manage enterprise security, and the front-line clinicians whose constant touch of both technology and patients is the last line of defense. Cybersecurity is thus a shared responsibility. It is not just a technical job, but one that reaches across enterprise business and operational roles, and up to the C-Suite."

HSCC identifies what it calls "key rungs of the cyber workforce ladder":

• Hiring students. Hospitals can help students gain cybersecurity expertise with part-time work or internships. But beyond that, healthcare organizations must also "turn them into effective members of the cybersecurity mission, allowing them to perform work in a way that they are not viewed simply as 'students' by the organization – but viewed as cybersecurity professionals." The group suggests providers should contact local colleges and universities to learn about programs they may have for placing students in the workforce, and nots that labor costs could range from unpaid internships to $12-$18 per hour for part-time student staff.
• Transitioning IT staff to cybersecurity responsibilities. Healthcare organizations should create an action plan around cybersecurity awareness for its technology professionals and clinical engineers, according to HSCC, and enable the transition from traditional IT jobs to cybersecurity roles, including mentoring and educational support. "Training and preparation to pursue the Certified Information Systems Security Professional (CISSP) certification offered through local or regional groups such as Information Systems Security Association (ISSA) is very affordable," the report notes. "The Health Care Information Security and Privacy Practitioner (HCISP) certification is also a good option, with specific healthcare focus. Getting IT-to-cybersecurity converts acclimated to the world of cybersecurity through these programs allows them to compare what is happening at work with the total discipline set of a well-rounded cybersecurity program.
• Developing and managing professional development programs for executive-track cybersecurity personnel. Boosting the skillsets of existing cybersecurity staff can augment their capabilities and enable greater individual professional growth and support, said HSCC. For example, "send your security operations center manager to shadow a peer at another health system; send your deputy chief information security officer to shadow a CISO at another organization; encourage and plan staff-level collaboration with peers at other organizations."
• Outsourcing critical functions not otherwise resourced within the enterprise. "Not all organizations have reached a point of maturity for a fully functional and staffed organization. Some locations may have difficulty recruiting and retaining particular disciplines. For example, finding experts in the GRC discipline, the ability to fully staff a 24x7 SOC, or a full-time need for penetration testers, presents challenges for some organizations in terms of recruiting and/or retaining the right people they can also afford."

THE LARGER TREND
This past month, we spent July focused on how health systems can meet evolving needs of the healthcare workforce. For August, we're homing in on the challenges and opportunities of "Securing the Healthcare Environment."

Both imperatives are critically important. Other organizations have also put forth advice for meeting the demands of cybersecurity workforce. NIST, for example, developed its own framework for helping U.S. healthcare organizations recruit, develop and maintain effective cybersecurity professionals.

ON THE RECORD
"To adequately prepare for and mitigate the cyber threats, health providers must appoint and empower cybersecurity leadership to design and enforce an enterprise-wide strategy to protect patient lives, hospital data and operations, and cultivate a culture of cybersecurity as a shared responsibility," said HSCC researchers.

"Provider management should also ensure that cybersecurity professionals are trained to an appreciable understanding of the clinical environment in which health care providers operate. Clinicians likewise must understand the importance of the cyber professional’s job in helping them protect hospital operations and patients from the effects of cyber attacks."