What to Look for When Hiring Healthcare Cybersecurity Pros

By Bill Siwicki and posted on Healthcare IT News on Tuesday, September 5, 2017

Cybersecurity is not computer science or computer engineering, it is a business discipline that requires people from all backgrounds and majors.

Healthcare has special challenges securing information and devices. At their worst, the consequences of a successful hack can be extreme for people’s health and well-being. Medical records are worth more on the black market than identity data, which makes health records particularly vulnerable to theft and ransomware attacks.

As a result, healthcare organizations hiring entry-level and senior security professionals should have certain abilities and areas of expertise in mind when studying job candidates, knowledge that differs based on the level of the job.

“For entry-level cybersecurity roles, candidates need to understand networks, applications, devices and how to secure them,” said Bret Fund, co-founder of SecureSet Academy, a cybersecurity education organization. “Differences will come once they’re in a role. In finance, for example, you’re looking through transactions and reviewing payment gateways. In healthcare, your focus changes to ransomware, exfiltration of data, and device security on a large scale.”

Cybersecurity is not computer science or computer engineering, it is a business discipline that requires people from all backgrounds and majors, said Mansur Hasib, program chair for cybersecurity technology at the University of Maryland University College, and author of the book “Cybersecurity Leadership.”

“There are four things that determine someone’s success: knowledge, attitude, skills, and habit,” Hasib said. “Attitude and habit determine success far more than anything else. Therefore, entry-level people should demonstrate they are excited about the mission of an organization and stress their attitude and habits to hiring managers.”

Entry-level candidates also should show passion for perennial learning and desire to innovate because cybersecurity is “people-powered perpetual innovation,” he added.

Senior positions, like the chief information security officer, require more skills, more knowledge and different degrees of each.

“Experience will be the key factor in dealing with the challenges and threats that are unique to healthcare,” Fund said. “CISOs and CSOs of tech companies will find it more complex than their previous roles. Given the choice between a senior security leader from a large tech company and a senior security leader with healthcare experience, hospitals will choose the healthcare background because the job requires a deeper understanding of the implications of breaches.”

Since prospects for senior-level positions have a job history to discuss, these candidates should be able to rattle off stories that demonstrate how they have used their knowledge, attitude, skills, and habits to deliver mission success, Hasib said.

“How did they enable an organization to maximize business benefits while minimizing business risks?” he explained. “They should share stories of how they fostered an innovation culture.”

Both education and experience are critical to the success of a candidate coming into a senior-level position. What they know and what they’ve been through and succeeded at will demonstrate to a healthcare organization their competence.

“We are seeing more creative and uncommon threats on the rise, particularly in the healthcare space,” Fund said. “Candidates should have a fundamental understanding of how to recognize and mitigate from their education, while their experience provides wisdom and maturity to combat threat actors in an effective manner.”

Healthcare Cybersecurity Professionals in High Demand by Tom Clark, VP of Operations for DCA

Cybersecurity professionals within the healthcare industry are in high demand and jobs are growing at a rapid pace. According to Forbes.com, the cybersecurity industry will grow from $75 billion in 2015 to an estimated $170 billion by 2020. In addition, the demand for the cybersecurity workforce is expected to rise to 6 million by 2019.

With cyberattacks becoming more common over the past two years in healthcare, HIT executives and hiring managers are in the hunt for skilled cybersecurity professionals. However, right now the demand for these experts outstrips supply. The good news is that supply could change over the next couple of years as more colleges are now offering degrees in cybersecurity. In addition, many new options exist for current professionals to augment their skill sets, including certificates from technical training companies.

A career in the healthcare sector can mean a six-figure salary, job security, excellent benefits, and upward mobility. Jobs that require HIT cybersecurity know-how will usually have a range of titles and range of median salaries:

Chief Information Security Officer: $223,334
Cybersecurity Network Engineer: $92,793
Cybersecurity Architect: $110,451
Cybersecurity Analyst: $90,120
Sr. Software Engineer: $99,900
Security/IT Director: $105,112
Security Consultant: $93,529

* Median Salaries from Payscale.com & Healthcare IT News, January 2017

Additionally, to be considered for a position, there are a number of core skills needed by everyone entering the cybersecurity workforce including:

– Communication Skills
– Knowledge of Scripts & Programming Tools
– Ability to Work in a Team Environment
– Ability to Assess Client’s Security Needs
– Working Knowledge of Malicious Codes
– Ability to Recognize Intruder Techniques
– Working Knowledge of Common Network Protocols

Cybersecurity will continue to be a major concern for healthcare executives in 2017 after two years of steadily increasing cyber threats that resulted in a record number of patient records compromised, health organizations extorted financially and hospital operations disrupted. With that in mind, there’s no better time to enter the healthcare cybersecurity field since you will be among the most sought after professionals in the tech sector.

If you’re currently in the cybersecurity space, have you received a number of job offers lately? Please comment below.

Interview with Jaime Parent, CIO, VP IT Operations, Rush University Medical Center, Chicago

June 23, 2016

Jaime Parent, Associate CIO, VP IT Operations, Rush University Medical Center & Assistant Professor, Rush University Interviews with DCA

Why did you choose a career in Healthcare IT?

I get bored very easily and there is absolutely no boredom in Healthcare IT, nor Healthcare in general. Oftentimes, I do not own my own agenda and on any given day servers crash, phones go out, etc. But I’ve been around long enough now that very little surprises me. Technology changes so fast and now academic medicine is arguably changing at the same rate and speed. Healthcare IT is not for the faint of heart but these roller coaster rides are a blast.

To what or whom do you attribute your success? Did you have a Mentor(s)?

My terrific wife Tracy has been my hero for many decades now.  Without her, I would simply be a misanthropic outcast.  Another source of success for me is having a son with autism (Bryan).  He is now 29 and works at the Rush University Warehouse; his/our continuing challenges are outweighed by the joy of his/our successes.  If a group of dads can have their softball team lose to state rivals, then take them to a restaurant mall on a Saturday night, well, you can manage a surfeit of personalities all throughout Healthcare.   God had some good reasons to put Bryan in our path.

As a CIO, is cybersecurity one of your largest concerns right now? What measures are you taking to deter cybercrime and data breaches?

Healthcare is wide-open for security breaches and is a reflection of the on-demand services that are demanded by clinicians, students, faculty and visitors.  While we have some excellent technologies to protect our environment, nothing is absolute.  Social engineering continues to be our biggest vulnerability which is why cybersecurity training for all personnel is your best defense weapon.  No technologies will work if Johnny or Mabel put their username and password on a sticky note on the front of their monitor; not even the best technology can plug that hole.

You combined your current experience as an IT executive with your past experience as an Air Force Colonel to create the EN-Abled Vet program.  How does your internship help veterans reintegrate into civilian life and IT careers?

We created a 13-week fast-track, on-the-job training internship that makes veterans competitive in the Healthcare and general Healthcare IT marketplace. Fortune 500 vendors have stepped up to provide free on-line training, with special kudos to EPIC who offers free Epic certification opportunities for up to 5 vets per Epic customer, and 60 opportunities nationwide per year. As confirmed by both CHIME and HIMSS, EN-Abled Vet is a unique approach to Healthcare IT career building. For example, we will hire veterans’ spouses and other family members while a veteran is recovering from service-connected injuries. SOMEONE has to put food on the table and a lot of well-intending organizations overlook this. We pay a stipend of $12.50 per hour, 4 days a week for 13 weeks, which comes out to a total cost of $5,200 per veteran. I would offer that cities, states and the feds pay more to veterans in benefits sitting at home watching TV, rather than being in a productive and successful internship.

You’ve had great success in bringing veterans into the HIT workforce. Has EN-Abled Vet inspired similar internships across the country?

Veterans possess a combination of skills that may be difficult to find in today’s workforce. Honesty, integrity, maturity, teamwork, stay until the job is done etc. are skills that anyone, anywhere would want to have as their employees. Capitalizing on this, and after proving that this program works and is transportable, we have built a consortium of 7 health systems from Delaware to California who are in the early stages of developing their own programs. The program is pure and is essentially freeware. Everything you need to start your own program can be found at http://en-abledvet.org. Isn’t that something that hospitals should be doing already – giving back to the communities they serve?

What is your advice to up and coming Healthcare IT talent?

You have to be somewhat obsessed and possessed to do this stuff.   I’m hard pressed to find anyone in this field that hasn’t been yelled at at 4 AM by parents or spouses to get off that $#!# computer and come upstairs and go to bed.  Reminds me of the love of music.  If you put your mind to it, the more you will practice the better you will be.  In my case, my wife says I turned being a regular geek into a successful career geek and it’s hard to refute that.

What is your philosophy on how organizations can attract top Healthcare IT talent? 

Always keep in mind that as a not-for-profit, you will always be competing with the for-profit sector.  Most of my staff can easily find a job downtown that pays $20k+ more than their current position, so you have to be creative and engaged.  Such things as flex hours, PTO when needed, occasional parties, respect, work from home, etc. can all be effective recruiting and retaining tools.  You also have to tap into that altruistic gene.  As one developer told me, “I get a special feeling knowing the patient healthcare pages I build can help make patients get better and healthier quicker which is more inspiring than creating an insurance page or auto buying website.”  Organizations need to tap into this type of engagement for once your employee starts to return staffing firm cold calls, the slippery slope out the door begins.

Information Week Dark Reading…5 HOT Security Job Skills

March 24, 2016

Written by Rutrell Yasin for Information Week Dark Reading 

Cybersecurity job openings are looking for people with a blend of technical, security, and industry-specific talents — and it helps to know Python, Hadoop, MongoDB, and other big-data analysis tools, too.

Cybersecurity job postings grew by 91% between 2010 and 2014, faster than overall IT jobs.  The demand for cybersecurity professionals shows no signs of slowing down given the increasing rise of cyberattacks and threats on businesses and government agencies.

The latest increases in demand for cybersecurity professionals are in industries managing high volumes of consumer data such as finance, up 137% over the past five years; healthcare, up 121%; and retail trade companies, up 89%, according to data from Burning Glass Technologies’ report “Job Market Intelligence: Cybersecurity Jobs, 2015,” which was published last summer.

Analysts with the job market analytics provider see some of the same growth trends playing out in 2016 as well, says Will Markow, senior analyst at Burning Glass, which draws from its own online database of job postings. Burning Glass analysts visit nearly 40,000 online jobs sites, using advanced text analytics to extract over 70 data fields covering information such as job title, occupation, employer, industry, required skills, credentials, and salary.

“The cybersecurity job landscape is still large and growing rapidly. It is no longer a niche market within IT,” Markow says. “It is taking up an ever-increasing amount of the IT job market, over 10 percent now. In the federal government, cybersecurity accounts for over 30 percent of [the job] demand.”

In the wake of high-profile cyberattacks on organizations across a wide range of industries, such as Anthem Blue Cross Blue Shield, Home Depot, Target, and the US Office of Personnel Management, the role of the chief information security officer (CISO) has risen in stature in many large corporations and federal agencies. The senior-level executive is typically responsible for aligning security initiatives with enterprise programs and business objectives.

“It would be easy for [people to think] the CISO role is most in demand or desirable. However, the CISO search draws the most candidates to them because they are at the top of the pyramids,” says Lee Kushner, president of L J Kushner & Associates, a recruitment firm specializing in the information security industry.

The biggest demand is more for folks with blended technical domains.  “I think there is a general challenge to find people with depth of technical security skills that really help make the CISO’s program more consumable and productive,” Kushner says.

Here are five of the professional skills most in demand today for cybersecurity jobs:

1. Threat Intelligence/Security Operations Center Professionals

Many large corporations are investing in incident response and threat intelligence professionals and technologies to make sense of attack and threat information, Kushner says.

“That is an area that is still picking up,” prompting organizations to beef up security monitoring capabilities, Kushner says. “One of the hotter areas you might see is people who can lead the development and functionality of internal security operation centers.”

Typically, large companies have outsourced security operation centers, or SOCs, to managed security service providers or professional services companies. “But I see a lot of organizations bringing their core components – Level 2 and 3 analysis — in-house and outsourcing low-hanging fruit to managed service providers,” according to Kushner.

“It is a huge developing trend that is gaining more traction as people are dumping more money into protecting themselves,” he says.

Within these SOCs, organizations are blending incident response, threat intelligence, and monitoring all into one scenario. This requires a cadre of specialists steeped in the discipline of information security. “They require a certain level of thinking, mindset, and discipline that is semi-ingrained in the development of security professionals and maybe things that are inherent to who they are as people,” he says.

2. Product Development: Security software and security infrastructure developers

Technology companies, and companies building internal technologies for their own use or to sell to other companies, are looking for people with solid software and infrastructure development backgrounds. These professionals work with product development teams during the design and development of the products. The goal is to help establish a solid security architecture and a security perspective during the design, build, and review process.

These positions are in very high demand, but short on supply, Kushner notes. Product security, in most cases, is about blending the application security discipline and the infrastructure discipline. Marrying those two worlds is a difficult task and requires very unique skills. Some of the technology is not necessarily public-facing, he says: some of the development work is in authentication technology or encryption.

3. Cloud Security Specialists

As many organizations move IT applications and hardware to private, public, and hybrid clouds, understanding how that is done in a secure way is very important. Being well-versed in cloud security architecture or having firsthand knowledge of how to architect security for cloud transformation is an important and rare skill, according to Kushner.

“We’ve seen some very strong demand for cybersecurity architects, many of whom are on the forefront of work in cloud-related technologies,” Burning Glass’ Markow says. “Some of the architect roles are the highest paying in cybersecurity today, offering salaries well over $100,000 on average.”

They require diverse skillsets, but also require the most experience and education. As a result, employers are pulling from a small pool of workers.

Burning Glass has started to look at pathways companies can take to move InfoSec professionals into these new architecture roles, Markow says. For instance, some of the potential paths include using people from other cybersecurity engineering roles or software engineering who have either a strong cyber or a strong cloud component. Employers might have workers in their organization who have 80% of the skills they need either on the cloud side or cybersecurity engineering side. They can identify those workers and help them to develop the other 20% of skills they need to qualify for some of the cloud architecture roles, he says.

4. Cybersecurity/IT Auditors

Another trend is the emergence of hybrid jobs, which require a combination of IT security skills and financial or healthcare skills, depending on the industry, Markow says. They require a bundle of skills employers didn’t have to look for in the past.

Take the cybersecurity auditing position. Cybersecurity auditing is one of the fastest-growing roles within cybersecurity, growing 132% between 2010 and 2014, Markow says.

“We found IT auditor roles, which are most common in finance and insurance companies, at this point are the hardest to fill. They remain open the longest, about 43 days on average, which is three days longer than the average for all cybersecurity roles.”

Cybersecurity auditors perform auditing and risk management assessment, which means checking the viability of security infrastructure, looking for holes, and reporting findings to management. Auditing and risk assessment are combined with traditional IT skills such as programming and networking, creating a hybrid role that pulls from disparate functions.

5. Big Data Analysis

Big data analysis is one of the fastest-growing sought-after skills in the cybersecurity field.

Demand for analysts who are knowledgeable about Python, a programming language based on C and C++ languages, has grown 300% between 2010 and 2014, according to Markow. Python supports rapid application development, allowing analysts to quickly create and customize tools.

There is also a healthy demand for people who understand the Apache Hadoop open-source programming framework for big data analysis and MongoDB, which delivers fast query speeds across large volumes of data.

The trend toward infosec analysts who can manage and manipulate large data sets is only going to increase as the Internet of Things gains adoption. “This isn’t a trend that is going to go away any time soon,” Markow notes. “So employers are going to have to build the workforce that has the skills they need while workers and students will have to build these skills to remain relevant in the market,” he advises.