Put yourself in the shoes of a cyber criminal. Let’s say his name is Dave, and Dave is looking to steal as much personal data as possible — including Social Security numbers, names of relatives, past medical history, insurance information, etc. — so that he can turn around and sell that information on the black market. While some cyber criminals steal credit card info to make fraudulent financial transactions, Dave is selling to foreign states that want to use this stolen data to create aliases for illegal operatives. Dave knows that espionage is a billion-dollar industry, and he is determined to get his slice of the pie.
Dave might be a criminal but he’s no dummy. Dave has the perfect target in mind. He’s going to focus his efforts on the healthcare industry, which stores a gold mine of sensitive patient data online, in electronic health records (EHRs).
Dave is not alone in targeting healthcare organizations. In fact, data breaches cost the U.S. healthcare industry an estimated $6.2 billion each year, according to the Ponemon Institute. The healthcare industry is a prime target due to the highly valuable information in its possession and the relative ease with which criminals are able to access this information. Also attractive to cyber criminals is the willingness of healthcare organizations to pay to resolve ransomware attacks. A report by IBM found that 70% of businesses that have had experience with ransomware attacks in their workplace have paid to have stolen data returned. That is telling when you consider that the healthcare industry was the victim of 88% of all ransomware attacks in U.S. industries last year, according to Solutionary, an NTT Group security company.
Healthcare as a whole is facing several challenges when it comes to protecting infrastructure and sensitive data from perpetrators looking to do harm. The problem for most healthcare organizations begins with personnel. Like many industries, the healthcare industry is facing a cyber security talent shortage, with a deficit of skilled cyber security experts on staff to help combat the growing threat posed by cyber criminals.
The Threats: Connected Devices and EHRs
The threat to healthcare organizations is twofold. The first major concern is the threat to human health. With more medical devices now digital and connected, cyber criminals have the opportunity to disrupt care by turning off critical medical devices, compromising medicine inventory systems, or cutting off the power supply to an operating room, for instance.
The second threat deals with patient data. By accessing EHRs, cyber criminals gain access to a wealth of information that is highly valuable on the black market. This stolen information can then be used for identity or insurance fraud. Similarly, cyber criminals may alter EHRs, resulting in potentially dire outcomes for patients.
The Problem: A Talent Shortage in Healthcare
As Josh Corman, Atlantic Council Director of the Cyber Statecraft Initiative and HHS Cybersecurity Task Force member, remarked, “Healthcare cybersecurity is in critical condition.” And yet the majority of healthcare organizations are ill-equipped and ill-prepared to combat the growing cyber security threat, with inadequate staffing a major barrier to remediation. According to a Q4 Black Book survey, 84% of healthcare organizations do not have a cybersecurity leader and only 11% plan to put in place a cybersecurity leader in 2018.
“Specifically, healthcare staffing issues have become so dire that three out of four hospitals don’t have a designated security person and have been forced to get creative with security needs,” wrote the U.S. Department of Health and Human Services in its Health Care Industry Cybersecurity Task Force report.
Still, many healthcare organizations recognize the need to have more personnel focused on mitigating threats and protecting sensitive data. According to the (ISC)2 Global Information Security Workforce Study (GISWS), employers in the healthcare industry plan to expand staff by 20% or more. Yet, with a major cyber security talent shortage plaguing all industries, finding employees to fill these roles may be easier said than done.
The Solution: Addressing the Cyber Security Talent Shortage in Healthcare
While there is no solid solution yet in place, thought leaders, businesses and universities have begun formulating ideas on how to combat the growing cyber threat in healthcare.
In 2016, the Health Care Industry Cybersecurity (HCIC) Task Force was formed — charged with analyzing the healthcare cybersecurity problem, reviewing challenges in regard to securing connected medical devices and other connected systems, and establishing a cybersecurity information sharing plan for the healthcare industry. In 2017, the task force presented its findings to Congress, recommending six imperatives for healthcare organizations, two of which focused on education and closing the talent gap:
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase healthcare industry readiness through improved cybersecurity awareness and education.
HIMSS, the Healthcare Information and Management Systems Society, put out its recommendation in 2016 to “adopt a universal information privacy and security framework for the health sector, creating a Health and Human Services cyber leader role, and addressing the shortage of qualified cybersecurity professionals.”
Addressing the talent shortage in cyber security is a common goal, which is why many colleges and universities have created cyber security degrees aimed at preparing cyber security experts capable of mitigating the sophisticated threats facing organizations today.
Fortunately, with advancements in technology, earning a degree while gaining experience through full-time employment is more attainable than ever. Online cyber security master’s degrees are now being offered at reputable, accredited universities across the country. To encourage advanced education in this critical area of security, there are also several cyber security scholarships and grants available to those interested in furthering their education in information security.
Similarly, there has been a push to encourage women — who currently only represent 11% of the industry — to enter the field.
A Career in Cyber Security
A career in cyber security offers several benefits, including:
- Job security — Because demand is far outpacing supply in the cyber security sector and cyber attacks aren’t going away anytime in the foreseeable future, job security in this sector is strong. According to the 2015 (ISC)2 Global Information Security Workforce Study, there will be 1.5 million unfilled jobs in cyber security by the year 2020.
- High pay — According to CNBC, the average annual salary for a cyber security professional with a bachelor’s degree is $116,000. And for the more advanced positions that typically require a master’s degree, the salaries almost double.
- The chance to make an impact — Cyber security experts are desperately needed. According to The Center for Strategic and International Studies, an estimated $100 billion is lost every year in the U.S. alone and roughly 508,000 jobs in the U.S. are lost every year due to cyber crime. Today’s wars are increasingly being fought online, underscoring the urgent need for both women and men who have the technical skills and understanding required to combat persistent and malicious cyber attacks.
As the healthcare industry continues to expand the use of potentially vulnerable digital technologies, organizations face a major challenge in ensuring those technologies and online databases are secure from criminals like Dave — who are incentivized by a billion-dollar black market industry. Just as Dave is working day in and day out to improve his hacking skills, the healthcare industry needs cyber security experts eager to work just as hard to protect the information cyber hackers like Dave are trying to steal.
To help fill the void in cyber security talent, the University of San Diego is training the next generation of cyber security leaders and engineers through two innovative master’s degree programs: the fully online Master of Science in Cyber Security Operations and Leadership and the fully on-campus Master of Science in Cyber Security Engineering.