Talent Shortage: Many Health Care Orgs Are Operating without Qualified Security Staff

- April 27, 2017

As it is, many industries are finding it incredibly difficult to fill job openings for security positions. A study published earlier this year from the Information Systems Audit and Control Association (ISACA) found that a quarter of all businesses have open positions that remain unfilled for as long as six months.

Almost a third of businesses (27 percent) have positions that they simply cannot fill at all.

Hospitals, despite holding perhaps the most sensitive data and housing plenty of vulnerable targets, may be feeling this shortage more than any other industry. In a keynote speech at the Source Boston conference, Joshua Corman, founder of I Am The Cavalry and a Director at the Atlantic Council, said as many as three-quarters of “health care delivery organizations” lack even a single qualified security person.

That is a lot of unpatched, vulnerable yet network-connected medical devices, many of which perform life-saving functions.

“There’s no one there to apply patches, receive threat intelligence, or respond to emergencies,” Corman said. “It’s basically nurses and medical technicians. There’s no one there.”

This is despite many headlines stating that hospitals and health care companies have been victims of malicious attacks. Hospitals in California and Kentucky experienced extensive ransomware attacks. And countless hospitals, insurance providers and health care companies have experienced data breaches of varying size.

Adding to the challenge is a dominant focus on data protection and privacy because of HIPAA regulations. Corman also noted that legacy equipment does not make matters easier. Specifically, Windows XP—despite being an end-of-life product—is everywhere in health care.

In addition to concerns from security experts like Corman, the FDA has been focusing acute attention on the growing risk of vulnerable medical devices.

And last year former Senator Barbara Boxer (D-Calif.) penned a letter to FBI Director James Comey stating that hospitals and health care agencies that become victims of ransomware attacks, if those attacks go unchecked by law enforcement or cybersecurity measures, create a “perverse incentive” for hackers.