Cybersecurity Education and Workforce Development In the Healthcare Sector
Cybersecurity Education and Workforce Development in the Healthcare Sector Sri V. Bharadwaj, MS, CHCIO, CPHIMS, PMP, CISSP Safeguarding Health Information: Building Assurance through HIPAA Security – 2018 Washington, DC October 18, 2018
About UC Irvine Health
Mission: Discover. Teach. Heal.
Vision: Powered by discovery and innovation, UC Irvine Health will advance individual and population health.
About UC Irvine Health
• Recognized as one of “America’s Best Hospitals” by U.S. News & World Report for 16 consecutive years.
• Ranked among top 50 “best hospitals” nationally for excellence in orthopedics and ear, nose and throat care.
• Earned Leapfrog Group’s Hospital Safety “A” Grade for six consecutive reporting periods.
About UC Irvine Health
• Our Chao Family Comprehensive Cancer Center is one of only 48 U.S. comprehensive cancer centers designated for excellence by the National Cancer Institute — and the only one in Orange County.
• Orange County’s first hospital to be designated a Magnet Hospital by the American Nurses Credentialing Center for continued commitment to nursing excellence.
About UC Irvine Health
• Orange County’s only academic medical center.
• Orange County’s only high-risk perinatal/neonatal program.
• Orange County’s only Level I adult and Level II pediatric trauma centers, certified by the American College of Surgeons.
• First in Orange County certified as a comprehensive stroke center by The Joint Commission.
• Received American Heart Association’s Gold-Plus quality award for heart failure care.
• Recognized for sustained excellence in treatment for heart attack, heart failure, pneumonia, venous thromboembolism and surgical care by The Joint Commission.
• More than 100 of our physicians are listed as “Best Doctors in America.”
• Ranked among the nation’s top 25 leading academic medical centers by the University Health System Consortium.
About UC Irvine Health - By the numbers
• 751,629 outpatient visits
• 20,872 patient discharges
• 49,136 visits to the emergency department
• 15,903 surgeries (inpatient and outpatient)
• 4,451 trauma patients treated annually – more than half of Orange County’s traumas
• 550+ primary and specialty care physicians
• 417 licensed beds
What is UCI Health dealing with today?
A risk exists when a vulnerability can be exploited by a threat source.
Vulnerability (an exposure) + Threat Source (intentional or unintentional exploitation) = Risk (an event that could occur)
Example: Systems containing ePHI are not encrypted + Computer criminal = Breach of ePHI due to malicious outsiders’ actions
Risks are ranked based on the impact and likelihood of the event, if it were to happen, in that business line.
Dynamic Risk Environment
External Threats / Internal Threats
The risk exists across the entire user population:
• An external threat agent distributes a malicious file attachment or link through email spam.
• A UCI user clicks on the attachment or link and infects the user’s computer or shared drives with ransomware.
• The result is disruption of business operations and patient care, plus financial impact.
External threat agents use social engineering and phishing to turn spam into an effective attack vector for infecting a user’s computer with RANSOMWARE. Ransomware forces victims to pay a ransom to regain access to their data and/or systems, usually in virtually untraceable forms of payment (BitCoin$).
User-based risk is the reason for the majority of breaches and security incidents. 76% of data breaches involve stolen or exploited user accounts.
Operational Challenges – Quality Improvement for Population Based Activities Security is getting more and more complex with the possibility of breach increasing daily!
Why is Cybersecurity unique in Healthcare?
• Healthcare records are 30 times more valuable than financial records because they contain full identity profiles
• Highly regulated environment (HIPAA, State and Local Requirements)
• Endpoints are ubiquitous – laptops, desktops, medical devices
• Lack of investment in Cybersecurity
• High vulnerability due to patient safety risk
The Grassroots view from a CISO
• Enterprise Risk Management
• Physician Engagement and Trust
• Internal Audits
• Continuous Threat Monitoring and Remediation
• Patient Data Integrity Management
• Risk assessments and Gap Analysis
• Forensics and Investigations
• Local and State reporting requirements
• Support for Changing business models
Challenges in the Industry
• Lack of developed talent to meet the strategic needs of executive leadership in provider and payer organizations
• Required to focus beyond just cybersecurity to examine data and information through a broader healthcare lens
• Engage with individuals with varied, nontechnical skills, including veterans, to make a positive impact in multiple organizational roles
• Take a holistic approach to cybersecurity and partner with educators to rapidly deliver professional education programs
The Acute Need for Cybersecurity Education and Workforce Development in Healthcare
The Acute Need for a Trained Workforce
• The global cybersecurity workforce will have more than 1.8 million unfilled positions by 2022 despite rapid growth in the security industry market, according to Frost and Sullivan and (ISC)2.
• Significant barriers to mitigating and remediating security incidents included lack of people (52.4% of respondents) and lack of financial resources (46.6% of respondents), according to the 2018 HIMSS Cybersecurity Survey.
• Not enough in-house expertise and a lack of security leadership make it more difficult to reduce risks, vulnerabilities and attacks, according to the State of Cybersecurity in Healthcare Organizations in 2018.
Demand for Cybersecurity Talent in the U.S.
According to a March 2018 NIST Cyberseek Report, the demand for cybersecurity workforce in the U.S. is increasing:
• 768,096 employed in the U.S. cybersecurity workforce
• 301,873 cybersecurity job openings in the private and public sectors (April 2017 – March 2018)
• Top three metro areas with openings: Washington, DC (43,000 openings), New York (19,993) and Chicago (11,464)
The Healthcare Cybersecurity Workforce
• 79 percent of respondents in a survey say it is difficult to recruit IT security personnel. Slightly more than half (51 percent) of respondents say their organizations have a CISO, according to the State of Cybersecurity in Healthcare Organizations in 2018.
• The U.S. Department of Health and Human Services Cybersecurity Task Force in 2017 said healthcare cybersecurity is in ‘critical condition’ and cited the lack of a capable security workforce.
• The task force identified six key imperatives to address the issues, including developing the necessary healthcare workforce capacity to prioritize and ensure cybersecurity awareness and technical capabilities, as reported in Healthcare IT News.
Cybersecurity Education and Workforce Development in the Healthcare Sector Leanne H. Field, Ph.D. Clinical Professor Director, Health Informatics and Health IT Safeguarding Health Information: Building Assurance through HIPAA Security – 2018 Washington, DC October 18, 2018
Cybersecurity Education and Workforce Development in Healthcare Leanne H. Field, Ph.D.
NIST: National Cyber Security Awareness Month https://www.nist.gov/topics/cybersecurity/national-cyber-security-awareness-month
Cybersecurity Impacts All Organizational Functions Within Healthcare Organizations
• Leadership Planning and Governance
• Information Technology
• Facilities, Physical System and Operations
• Finance and Administration
• Human Resources
• Legal and Compliance
• Sales, Marketing and Communications
Goal: To provide the highest quality care for patients, and to safeguard their Protected Health Information!
https://www.nist.gov/news-events/news/2018/10/cybersecurity-everyones-job
Multifaceted Approaches to Developing a Healthcare Cybersecurity Workforce
Healthcare and Public Health Sector Coordinating Council
• A Public-Private Partnership that advises the U.S. Department of Health and Human Services and the Department of Homeland Security about our nation’s critical infrastructure
• Cybersecurity Working Group – Task Group Three (TG-3): Healthcare Cybersecurity Workforce Development – Charged with recommending how to fill acute workforce shortages in healthcare cybersecurity
Initial TG-3 Task Group Goals
• Develop a White Paper to:
– Identify best practices, academic efforts, industry training and certifications in healthcare cybersecurity (using the NICE framework and 800-801)
– Make recommendations to expand the pipeline for technical and nontechnical roles
• Create a cyber curriculum outline for health professions schools at universities (e.g. medical, nursing, pharmacy)
– Develop training modules and pilot them at selected academic medical centers
– Integrate cyber hygiene training into interprofessional education
Filling the Gap: What is Needed to Develop a Healthcare Cybersecurity Workforce?
• To protect against rapidly evolving cyber threats, healthcare organizations need both technical and nontechnical cybersecurity talent working together to manage risk.
• We urge federal policymakers to support the cybersecurity workforce development needs in healthcare.
– Through regulations or suggested guidance for academic education in healthcare cybersecurity risk management
The Technical Cybersecurity Pipeline
• There are established educational pathways to gain technical cybersecurity training and to apply it to healthcare
– University-based undergraduate and graduate degrees + pursuit of technical certificates to gain the credentials to enter the workforce
• The following roles typically would meet the needs of healthcare cybersecurity risk management:
– Cybersecurity Specialist
– Incident Response Analyst
– Penetration and Vulnerability Analyst
– Cybersecurity Investigator/Analyst
A Non-Technical Healthcare Cybersecurity Pipeline Needs to Be Created!
• There is a dearth of programs to educate and train future leaders in healthcare risk management
• Creating such programs will:
– Prepare college graduates to effectively meet workforce needs in multiple, non-technical roles within healthcare organizations, the vendor community, governmental agencies and the military.
– Expand the non-technical pipeline by allowing a more diverse population to enter the workforce
– Provide avenues for existing IT or clinical personnel to gain transferable knowledge and skills to begin working in healthcare cybersecurity
A Suggested Model to Develop Talent in Healthcare Cybersecurity Risk Management
• Post-baccalaureate, skills-based, educational programs could be developed to fill the gap in non-technical healthcare cybersecurity roles.
• Such programs can educate those with college degrees in a relatively short period of time.
• University educators and healthcare cybersecurity experts can work together to ensure that students are equipped with the knowledge, skills and competencies needed to be job-ready.
This Model Would Open Up New Opportunities
✓ For technology educators and leaders in the healthcare cybersecurity industry to develop new talent to meet the strategic needs of healthcare organizations, vendors, governmental agencies and the military
✓ To expand the workforce pipeline to train a variety of individuals with college degrees who come from diverse backgrounds
✓ To configure a program that takes advantage of the unique talents and abilities of transitioning soldiers and veterans
✓ To build partnerships and develop innovative mechanisms for ongoing support and feedback from the industry to keep programs relevant and current as threats evolve
Training the Existing Healthcare Workforce in Healthcare Cybersecurity
• New models need to be developed to equip practicing healthcare professionals (ambulatory and inpatient) with continuing education to develop role-based, cyber hygiene skills.
• Possible ideas:
– Incentivize healthcare personnel to attend short, online instructor-led presentations presented “in house” by healthcare cybersecurity experts
– Provide incentives to create “cybersecurity advocates” within hospital units and ambulatory centers in order to promote cyber hygiene
– Partner with innovative technology companies to develop scenario-based VR and AR training modules to deliver “on demand” healthcare cybersecurity education for healthcare professionals
– Include cybersecurity experts in Grand Rounds to provide ongoing cybersecurity education
Career Pathways for Healthcare Cybersecurity
Development of Career Pathways in Healthcare Cybersecurity
• It is important to develop clear career pathways for nontechnical roles in healthcare cybersecurity so that individuals who want to explore and potentially enter the field can understand the opportunities.
• Cybersecurity career pathways available from NIST through the workforce resource Cyberseek can be adapted to healthcare to define entry-level, mid-level, and advanced level roles.
• We urge employers to accept individuals who have earned post-baccalaureate, non-technical healthcare cybersecurity credentials to enter the workforce, bringing new energy and ideas to the management of risk in healthcare organizations.
Cybersecurity Career Pathways* *https://www.cyberseek.org/pathway.html
Career Pathways Linkages* - example *https://www.cyberseek.org/pathway.html
Cybersecurity Manager Detail* *https://www.cyberseek.org/pathway.html
Summary
Summary: Filling the Healthcare Cybersecurity Pipeline
• Healthcare organizations need to attract more talent into healthcare cybersecurity, including those with technical training and skills.
• There is a documented need to provide new ways to rapidly train a non-technical healthcare cybersecurity workforce.
• Creating skills-based, post-baccalaureate programs in partnership with industry may be a good way to provide rapid training in healthcare risk management for college graduates and for those who want to transfer into nontechnical roles within the healthcare cybersecurity field.
Summary: Filling the Healthcare Cybersecurity Pipeline
• It is also important to:
– Develop innovative ways to provide ongoing education for existing healthcare personnel
– Provide clear career pathways to inform interested individuals to consider healthcare cybersecurity careers
– Encourage federal policy makers to work with the Healthcare and Public Health Sector Coordinating Council to support the development of the healthcare cybersecurity workforce
Questions?
Leanne H. Field, Ph.D., McCombs School of Business, field@austin.utexas.edu, 512-475-8897 (office); 512-422-2474 (cell)
and
Sri V. Bharadwaj, MS, CHCIO, CPHIMS, PMP, CISSP, UC Irvine Health, sri@srirambharadwaj.com, 949-439-0333 (cell)
@sarahcmoffat Sarah C. Moffat @sarahdipity Linkedin.com/sarahcmoffat
My Personal Mission Statement
To create an open space where all feel welcomed, safe, empowered, and treasured (valuable). To be creative and inspired — as God made me — and inspire others to find their own voice and creativity, to pursue their passions, and to build a life and career that matters to them. To embolden others to discover their “why”, and help them develop the knowledge, skills, and attitudes to actively fulfill their own personal mission.
Who I Am
• Creative
• Helpful
• Energetic
• Strategic
• Visionary
• Ambitious
• Driven
• Hilarious
• Genuine
• Curious
• Life-Long Learner
• Engaging
• Empowering
CAREER PATH OUTPUTS
• The career paths provide a foundation for collecting and organizing requisite data to develop the ancillary products and tools such as:
– Position Descriptions (PDs)
– Key differentiator comparisons across grade levels within a role category
– Performance management plans
– Individual development plans
– Interview question banks
• They provide HHS with a platform to:
– Strengthen the workforce capability
– Anticipate and plan for future
– Support career development
– Provide a basis for role-based, competency-aligned performance management
– Expedite the recruitment process
– Increase retention
The Softer-Side of Cybersecurity?
The three most important soft-skill attributes cited were:
• Analytical thinker (selected by 65%)
• Good communicator (60%)
• Troubleshooter (59%)
Tied for fourth place was “strong integrity and ethical behavior” and “ability to work under pressure,” both selected by 58% of participants.
Whole Person Development
Partners in Excellence Revolution
For more information, see nist.gov/nice