Hospitals are facing critical resource challenges as they strive to strengthen their cybersecurity measures, and it’s not just about the money.
Healthcare leaders acknowledge the necessity of investing in cybersecurity, but financial limitations make it difficult. Compounding the issue, hospitals and health systems need help hiring skilled cybersecurity professionals.
According to a HIMSS report released earlier this year, about 74% of healthcare IT professionals view hiring qualified cybersecurity staff as a significant workforce challenge.
Wes Wright, Chief Healthcare Officer at Ordr, a cybersecurity firm, understands hospitals’ dilemma. With previous IT roles at Sutter Health and Seattle Children’s, Wright sees hospitals’ difficulty competing with other sectors on salaries.
Wright explains that many companies outside healthcare offer higher pay and remote work options, a trend accelerated by the COVID-19 pandemic. “I have at least three friends in significant healthcare organizations that are CISOs who don’t live in the area,” Wright said, according to the Chief Healthcare Executive.com. “They’re remote.”
The ability to work remotely and earn higher salaries elsewhere has led to a noticeable talent drain. “Five years ago, you wouldn’t have seen remote CISOs and CIOs in healthcare. It’s changing quickly,” Wright notes.
Wright also points out that while many healthcare cybersecurity staffers are highly skilled, teams need more workers to move on. He says, “You can only spread peanut butter so far.”
Cliff Steinhauer, Director of Information Security and Engagement at the National Cybersecurity Alliance, emphasizes that filling cybersecurity roles isn’t unique to healthcare. “It’s a worldwide issue in cybersecurity, and healthcare is no different,” Steinhauer told the Chief Healthcare Executive.com. However, healthcare is particularly vulnerable due to the sensitivity of patient data and the critical need for system availability.
The healthcare pay gap presents a significant hurdle. Lee Kim, Senior Principal of Cybersecurity and Privacy at HIMSS, highlights that skilled cybersecurity professionals can earn significantly more outside the healthcare sector. At the 2023 HIMSS Conference, Kim stressed the need for health systems to invest more in attracting and retaining top talent and providing clear career growth opportunities. “You can’t go after the cheapest talent,” she says.
Despite these challenges, the HIMSS survey indicates progress, with most cybersecurity leaders reporting improved budgets. Healthcare organizations are allocating an average of 7% of their IT budgets to cybersecurity, up from 6% in previous years.
Limor Kessem, a Senior Cybersecurity Consultant for IBM Security, acknowledges that while healthcare struggles to attract skilled professionals, the issue is widespread across other sectors. “It’s a problem for healthcare, and it’s a problem for everyone else,” she says.
According to IBM’s recent report on breach costs, more than half of organizations that have experienced a breach are now dealing with staffing shortages, a 26% increase over the previous year.
John Riggi, the American Hospital Association’s National Advisor for Cybersecurity and Risk, has called for greater government support to strengthen the cybersecurity workforce in healthcare. During a cybersecurity panel at the 2023 HIMSS Conference, Riggi suggested that military veterans, with their dedication to service, could be valuable additions to cybersecurity.
Travis Moore, a nurse and Director of the Healthcare Category at Indeed notes that more healthcare organizations are becoming open to offering flexibility in where and how people work. “It’s a much different way of thinking than we had several years ago in healthcare, when it was like, ‘This is the job,’” Moore says.
