What to look for when hiring healthcare cybersecurity pros

Cybersecurity is not computer science or computer engineering; it is a business discipline that requires people from all backgrounds and majors.

Bill Siwicki, Managing Editor, Healthcare IT News

Healthcare has special challenges securing information and devices. At their worst, the consequences of a successful hack can be extreme effects on people's health and well-being. Medical records are worth more on the black market than identity data, which makes health records particularly vulnerable to theft and ransomware attacks.

As a result, healthcare organizations hiring entry-level and senior security professionals should have certain abilities and areas of expertise in mind when evaluating job candidates, and the knowledge required differs based on the level of the job.

"For entry-level cybersecurity roles, candidates need to understand networks, applications, devices and how to secure them," said Bret Fund, co-founder of SecureSet Academy, a cybersecurity education organization. "Differences will come once they're in a role. In finance, for example, you're looking through transactions and reviewing payment gateways. In healthcare, your focus changes to ransomware, exfiltration of data, and device security on a large scale."

Cybersecurity is not computer science or computer engineering; it is a business discipline that requires people from all backgrounds and majors, said Mansur Hasib, program chair for cybersecurity technology at the University of Maryland University College, and author of the book "Cybersecurity Leadership."

"There are four things that determine someone's success: knowledge, attitude, skills and habit," Hasib said. "Attitude and habit determine success far more than anything else. Therefore, entry-level people should demonstrate they are excited about the mission of an organization and stress their attitude and habits to hiring managers."

Entry-level candidates also should show a passion for perennial learning and a desire to innovate because cybersecurity is "people-powered perpetual innovation," he added.

Senior positions, like the chief information security officer, require more skills, more knowledge and different degrees of each. 

"Experience will be the key factor in dealing with the challenges and threats that are unique to healthcare," Fund said. "CISOs and CSOs of tech companies will find it more complex than their previous roles. Given the choice between a senior security leader from a large tech company and a senior security leader with healthcare experience, hospitals will choose the healthcare background because the job requires a deeper understanding of the implications of breaches."

Since prospects for senior-level positions have a job history to discuss, these candidates should be able to rattle off stories that demonstrate how they have used their knowledge, attitude, skills and habits to deliver mission success, Hasib said.

"How did they enable an organization to maximize business benefits while minimizing business risks?" he explained. "They should share stories of how they fostered an innovation culture."

Both education and experience are critical to the success of a candidate coming into a senior-level position. What they know and what they've been through and succeeded at will demonstrate to a healthcare organization their competence.

"We are seeing more creative and uncommon threats on the rise, particularly in the healthcare space," Fund said. "Candidates should have a fundamental understanding of how to recognize and mitigate from their education, while their experience provides wisdom and maturity to combat threat actors in an effective manner."
