Cyber Expert Staynings: New Regulation May Help Boards of Directors Prioritize Cybersecurity
According to Cyber Seek—a tech job-tracking database from the U.S. Commerce Department and the trade group CompTIA—there are about 464,420 total cybersecurity job openings in the U.S. As healthcare organizations are continuously seeing increases in ransomware attacks, this shortage of cyber talent can put healthcare organizations at risk—but why is there such a shortage and what can healthcare organizations do to promote a better understanding of why cybersecurity professionals are vital to leadership?
Richard Staynings, healthcare technology and cybersecurity strategist, thought leader, expert witness, and chief security strategist for New York City-based Cylera, sat down with Healthcare Innovation Managing Editor Janette Wider to discuss the cybersecurity talent drought specifically in healthcare.
Why do you think that there is such a lack of cybersecurity talent in healthcare organizations, specifically?
I think there are a number of factors that have contributed to the current situation. Firstly, market demand has taken a very steep rise over recent years. So, there's been a latent recognition of the fact that we need more security professionals, particularly in our hospitals, than was the previous situation. That's been brought around by changes in risk posture, changes in the negative impact of cyberattacks like restitution fines and damages, which makes failure to implement cybersecurity much more costly, and therefore, much more relevant to boards of directors than it was previously.
The second factor is that healthcare has historically had a cybersecurity deficit compared to financial services and other industries that 20 years ago recognized the significance of cybersecurity in order to protect their business, their business reputation, their business value, and their bottom lines. It's immediately apparent if I transfer a million dollars out of someone's account in a bank, that money is gone. It's less apparent if I transfer a million patient records out of a hospital that they have been stolen. And in many cases, things like identity theft take many years before the FBI and others are able to triangulate multiple people that have had their identity stolen back to the original source. If that source is a hospital, then the CEO is probably retired by that point, and someone else is sitting in the big chair. So, we have this latency in healthcare, which is making it difficult to understand the true significance and impact of breaches when they occur, particularly if they don't have the cybersecurity capabilities in the first place to recognize that they've actually had an attack. And for the last 20 years, many hospitals have lost massive amounts of PHI, and were totally ignorant of the fact that anyone had stolen it, but this is getting better.
How can healthcare organizations promote a better understanding of the need for cybersecurity professionals to leadership?
We need to do a better job of educating CEOs and boards of directors on the need for cybersecurity. It's an education process. Many board members of health systems can't even spell cybersecurity, let alone understand it. So, there's a generational gap there. We're beginning to get some diversity of talent into healthcare. Now we're seeing more women on boards of directors, we're seeing more minorities, and we're seeing more technology and cross-industry specialists, not just the retired general and the chairman of the local business board or whatever it is. We’re beginning to get people that are coming in from other industries, and the people that can spell cybersecurity, onto boards. But it's still not a priority because there are so many other priorities in healthcare, particularly with COVID.
What will drive hospital CEOs and boards of directors to prioritize cybersecurity?
New regulation. We saw some minor updates to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) through the Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Omnibus Rule. Perhaps it is going to take changes to the Joint Commission, which deals with patient safety, to say cybersecurity is now one of your major concerns around patient safety. It's no longer about people slipping on a wet floor or other clinical errors as a result of failures in healthcare. Maybe we need a new regulation that manages privacy and security and healthcare systems. Regulation was what drove cybersecurity back in the early 2000s and late 90s. I'm not a big fan of regulation, but perhaps that's what it's going to take. Even though we've got ever-rising litigation against healthcare entities, the message doesn't seem to be getting through. CEOs tend to be more short term now than they ever were before. They're there for three, four, five years, and then they're out. They take their bonuses with them, and they’re gone scot-free on to their next role in another hospital.
There's this mentality that it won't happen on my watch. A year ago, I heard CEOs say, ransomware is kind of worrying, but it probably won't happen on my watch. I'm a small hospital system. No one's going to come after me. They plainly don't understand that ransomware is a broadcast attack, and it is phishing, spam, whatever that is sent out, and they're just waiting for a user to click on it, click on a link, and then they've got you.
Maybe we need to change liability. Make CEOs personally liable for more of what goes on in their hospital networks. That won't be popular at all with hospital CEOs, but they've got directors’ insurance now, which basically absolves them from any wrongdoing whatsoever. We've also seen a growth in insurance that many are using as a form of risk mitigation and risk transference to the insurance company, rather than deal with the fundamental problems of the lack of or inadequate security to protect against the ransomware attack.
What can someone specifically in a CISO role do to improve leadership’s understanding?
What we need is CISOs that understand the business and can transfer and relate cybersecurity risks to enterprise business risks, and represent those to the board of directors, who are the ultimate arbiter of risk. Do you accept a risk? Do you mitigate a risk? Do you transfer a risk? Do you ignore the risk? And I think there's been far too much ignoring of risks that have taken place, to say it's not significant. We don't trust what our security team is telling us. We don't trust what our external auditors are telling us. We'll take a risk. We'll deal with this next year because we don't have the budget this year to deal with it. And often they're caught with their pants down around their ankles. They get hit by ransomware. Their bet didn't pay off and they get caught.