The Cyber Workforce Shortage Hinders Healthcare Supply Chain Security
Supply chain security is a critical issue in the healthcare industry, where the consequences of a compromise are potentially catastrophic—including, literally, the loss of life.
Healthcare organizations rely on more suppliers than one might realize to meet their patients’ needs and maintain operations. These suppliers include providers of software, medical devices, pharmaceuticals, surgical and safety equipment, lab systems, and more. If these suppliers—or the materials they provide to hospitals—are compromised in a cyberattack, it can have significant ramifications for patients, physicians, and others.
A recent Ponemon report found that 50 percent of surveyed healthcare organizations admitted to experiencing at least one cyberattack against their supply chain in the past 12 months. Of those affected by a cyberattack, 70 percent admitted the incident impacted patient care—specifically citing “procedures and test delays that resulted in poor outcomes such as an increase in the severity of an illness (54 percent),” longer length of hospital stay (51 percent), and even a rise in mortality rates (23 percent).
It’s evident that healthcare organizations need to do more to shore up their supply chain security, which may involve putting security requirements into every request for proposal and contract, setting tight controls on purchases, and conducting vulnerability testing of medical devices and technology solutions, among other steps.
A key factor that can get lost in the discussion is the importance of people. People in general are often described as the weakest link in security, but cybersecurity personnel are an organization’s greatest security asset when properly skilled and deployed. Having the right people in the right positions is critical to success.
The healthcare industry, however, is suffering from a cybersecurity workforce shortage, much like organizations in every sector. The challenge now is to recruit, train, and retain capable cybersecurity workers.
The Risks of a Diminished Cyber Workforce
The risks stemming from a shortage of cybersecurity workers can manifest themselves in several ways—all of them with potentially devastating consequences.
An overworked, short-staffed team could rush a recently delivered product into production, possibly introducing vulnerabilities into the network from the product’s software or hardware. A supplier under pressure to meet customer needs might take shortcuts in production, which are not caught when the product arrives.
Hospitals and other healthcare entities are heavily regulated. Short-staffed cybersecurity teams could be constantly grappling with updating protocols and upgrading systems to adhere to new regulations and guidelines. Unfortunately, compliance does not equal security, and this same team might also be juggling incident response and security maintenance alongside other duties.
Healthcare organizations may make up for the lack of in-house staff by contracting with a managed security service provider (MSSP), which might have worker shortage problems of its own.
Although managed services can significantly help an organization, it’s also important to focus on building up internal IT and security staff through recruitment and retention. That can be a challenge considering the competition for tech talent, but there are ways an organization can make its positions more attractive and rewarding.
Build Cyber Teams from the Ground Up
A good place to start addressing the recruitment and retention challenge is by leveraging the passion and dedication of people who are interested in and suited to entry level positions.
Cybersecurity can suffer from the same circular problem that blocks prospective employees in other fields—offering entry level positions that require several years’ experience. This can eliminate recent college grads, self-taught programmers, and others who have enthusiasm, talent, and aptitude but lack a resume of accomplishments because they’re just starting out. Meanwhile, people who have three or five years of experience are not interested in a job described as entry level.
Organizations need to be open to creating actual entry level positions that can be filled by people with beginner qualifications, and then facilitating their advancement through mentoring and training. This approach can help fill positions that currently stand empty, while rewarding—and retaining—enthusiastic workers by offering them a viable career path.
Adding more structure to apprenticeship programs can also help. CyberUP, for example, is a national, non-profit organization designed to help organizations fill cyber roles using apprenticeship programs that are subsidized by the U.S. government.
In a similar fashion, Diversity, Equity, and Inclusion (DE&I) organizations tap into a workforce supply that has gone unrecognized for decades. Women in Cybersecurity (WiCyS) is a great example of an organization that helps women with professional development and job placement opportunities.
Lastly, healthcare organizations need to focus on retaining cybersecurity personnel through effective interpersonal and management skills. Survey after survey has found that employees’ job satisfaction depends on the positive professional and personal aspects of their work environment.
Are they being professionally challenged on the job? Do they feel they are growing both professionally and personally? Have they established personal connections with colleagues? And do they feel the organization has their best interest at heart? Once an organization has recruited promising employees, ensuring these aspects are being met will make it more likely that they stay.
Developing Cyber Talent Can Help Supply Chain Security
The cyber threat landscape continues to evolve and become more hazardous—and in no sector more so than in healthcare, where the security of the supply chain has become one of the biggest risks. The cyber skills shortage has been around for years and persists, and as a result, cyberattacks continue to plague healthcare organizations.
Yes, healthcare organizations can outsource cybersecurity efforts, but that is not a sufficient trade-off for having on-prem, skilled security professionals. These boots-on-the-ground individuals can make meaningful contributions to supply chain security programs, identify potential security gaps across the organization and its suppliers, address vulnerabilities, and work with cybersecurity providers to increase efficiency. Outsourcing should be looked at not as a replacement for full-time security staff but as a supplement to it. Recruiting, training, and nurturing in-house security professionals should be the priority.
Dave Stapleton, CISSP, is chief information security officer at CyberGRX and a former government security analyst who helped build and implement the U.S. Federal Risk and Authorization Management Program (FedRAMP).
© 2023 David Stapleton