UC Irvine Health’s CISO on Creating the Next Generation of Healthcare Cybersecurity Leaders

Oct. 15, 2019
A new leadership program was launched at UT Austin with the goal of addressing the cybersecurity workforce shortage issue in healthcare. One of the curriculum’s co-directors, the CISO at UC Irvine Health, speaks about its importance

Last week, officials at The McCombs School of Business at The University of Texas at Austin announced a Leadership in Health Care Privacy and Security Risk Management certificate program, which they attest is a first-in-the-nation professional program.

The program is designed to develop leaders who can manage risk in American healthcare systems, protecting them from fast-evolving cybersecurity threats. There are currently 350,000 unfilled cybersecurity job openings in the U.S., officials noted. Some estimates note that the cybersecurity workforce gap will hit 1.8 million globally by 2022.

Endorsed by the Texas Hospital Association, and by CynergisTek and Clearwater Compliance, two firms in the healthcare cybersecurity, privacy and compliance space, the program brings together industry leaders as teachers and case facilitators.

The eight-week program graduated a pilot class of 16 participants in August 2019. Students ranged in age from their early 20s to their late 50s and included working professionals from cybersecurity, information technology, and clinical fields, as well as military veterans and recent college graduates.

The co-directors of the program are Sri Bharadwaj, chief information security officer (CISO) at UC Irvine Health in Orange County, Calif., and Leanne Field, clinical professor and director for digital healthcare innovation at UT Austin. Bharadwaj, who has been in his role at UCI Health for nearly five years, spoke with Managing Editor Rajiv Leventhal soon after the release of the announcement to discuss the program in greater detail. Below are excerpts of that discussion.

Clearly, the goal of this program is to address the cybersecurity workforce shortage in healthcare. Why do you think such a gap exists?

The topic of cybersecurity sometimes just baffles people. Most cybersecurity folks are very tech-oriented; very few really understand how to translate a cybersecurity scenario to the concept of what a layman would think. The way we have [historically] approached cybersecurity in healthcare is that it has been more on the backburner rather than on the forefront of discussions. The original premise around cybersecurity was essentially that the security guys will give me access and that would be it. 

Once we had the Hollywood Presbyterian Medical Center breach, and some of the other major breaches that have occurred, either [internally] or via some sort of ransomware attack, then cybersecurity was beginning to be spoken at the board level. The board would ask questions such as, what might happen if something like this happens to us? Those types of questions were being asked by CEOs a few years ago, and that transformed the industry to take cybersecurity to the forefront.

So now health system executives are asking, how do we address cybersecurity challenges? That is where we have come in a short span of time. There was always HIPAA and PHI [protected health information], and the thought was that data was locked in data centers, meaning no one would be able to get it. Or, even if the data was available in the cloud, the [hospital’s] vendor will take care of it. That was the historic mindset people had. Even the CIOs didn’t believe that security was a big deal since they had business associate agreements (BAAs) signed by the vendor, and had a half or full cybersecurity person in their organization—despite that person doing nothing more than provisioning.

Now, that is changing; there’s a big need to have leadership in cybersecurity, to understand all the factors that could be impacting the industry as a whole. There’s a lot of activity around privacy and security with the federal and state environments as well. People are beginning to recognize that with all the technology out there, we don’t know what’s happening and why it’s happening, so let’s bring the cybersecurity folks onto the forefront and do something about it.

Some estimates predict that the workforce gap will get even wider in the next three to five years. What can be done to reverse this trend?

When I look at the gap, it may widen purely because there is one area in healthcare cybersecurity that hasn’t been addressed: medical device security. At some point, someone will alter infusion pumps by putting in a higher dosage for the patient, and the patient in some way, shape or form will have a bad outcome. That will change the way people behave with medical devices since it touches the patient. That is going to happen at some point in time, and I really hope it doesn’t, but when it does, it will catapult the need for [greater] cybersecurity in the industry. 

However, if you take that medical device scenario out of the picture, has the industry significantly matured? Yes, it has. It has moved from the back-office discussion to now having a seat on the board to understand how to manage [risk]. We are seeing a bigger need for trained professionals in the industry and that is why you have so many jobs out there. Every other week I get a request for a CISO position that someone is desperately trying to fill. They struggle with trying to find leaders who understand enterprise risk management, and understand how to mitigate, manage, and move forward while changing dynamic healthcare systems. Not many people have that experience, and have been there and done that. That leads to the mismatch of supply and demand.

Do other industries have this challenge with their cybersecurity workforce? Could healthcare learn from other sectors?

Financial services comes to mind; I used to work in this sector. In that industry, they have spent enough money in cybersecurity to [improve], purely because they were worried about dollars impacting their customers or members. However, the same paradigm is not applicable in healthcare since healthcare has a unique situation where you’re not just looking at money as the [primary] element. Healthcare transcends from the time you go to the gym in the morning to the food you eat to the time when you have some sort of care service. And of course you have devices everywhere on top of that.

As co-director of this new Leadership in Health Care Privacy and Security Risk Management certificate program, what role do you envision yourself having as it relates to training and education for the program’s students?

When we put it together, it was more about how to create the next generation of healthcare cybersecurity leaders. There are a lot of security courses that people can take, get a CISSP [Certified Information Systems Security Professional] certification, and that will [teach you] about what cryptography is and how to deploy it.

But our course explains why you need to deploy cryptography and when to use the right cryptographic tools to encrypt data. The “why” and the “how” has been missing; if you want to know what it is and how you implement it, there are plenty of courses from a technical perspective. But when and why you need to implement a particular type of encryption, and how you explain that to folks, is what was missing. That’s why we put this course together.

What skills do you see as increasingly necessary for healthcare cybersecurity professionals to have?

The one skill they need to understand as being extremely important is to translate cybersecurity challenges into layman’s terms. That is a very important skill for anyone working in healthcare to have and we see a lot of people who just cannot do that.

The other one is to take an enterprise-wide risk management approach rather than a “cocoon” approach of staying in your own bubble. Take a step back and look at the forest, understand how you are protecting the forest and how you are managing all these risks that you have in the organization. An example of a cocoon approach would just be tackling your identity management project. OK, that is one aspect of covering yourself, but how are you taking a step back and looking at risk management as an enterprise?

How will you measure this program’s success?

For us, it’s about getting the graduates into organizations that will use them effectively for delivering cybersecurity within the healthcare environment. Secondly, we want to get constant and continuous feedback from the students who are going out there and learning. And we want the employers who employ these students to give us feedback on whether a certain [part of the program] was relevant or not, and where we might have missed the mark. Third, how many other future generations of these cybersecurity leaders are being created? By educating one, you are educating 10; we believe in that model. Start small and make that mission moment—something that is evangelical to broaden the spectrum and deliver a better group of healthcare cybersecurity professionals for the nation.
