The increasing number of recent ransomware attacks, security breaches, and privacy incidents understandably have hospital executives concerned about cybersecurity. The consequences of these breaches are significant, and developing strategies to address them is a difficult but necessary process. One major component of that process is determining appropriate staffing.
The Five Pitfalls
There are five pitfalls of security benchmarking that must be recognized before healthcare organizations can determine an appropriate level of security staffing.
Assuming cybersecurity professionals are ubiquitous and interchangeable. Cybersecurity professionals have specialties and work in different disciplines. To keep up with advancements in technology, cybersecurity personnel must develop new skills via specialized training.
Staffing based on organizational size alone. Hospitals have long understood they must keep a mix of clinical staff specialties regardless of the number of licensed beds. All positions such as physicians, nurses, radiology technicians, and laboratory specialists must be filled, even if comparable benchmarking ratios drop below a full-time position for small organizations. The same is true with security professionals—certain positions must be filled even for small organizations.
Using staffing models developed for organizations outside the industry. Healthcare security professionals must implement unique controls that are designed for a specialized threat spectrum and risks. Additionally, the regulatory complexity in healthcare is different from other sectors, which requires a broader set of skills. For example, biomedical devices introduce some very different security challenges. These devices often have life cycles exceeding 15 or more years, may be hampered with very few patch and vulnerability management options, and can’t be actively scanned due to an unacceptable risk to patient safety. The banking and finance sector would never permit customers to have unescorted access to computer assets; however, hospitals must routinely leave patients and family in treatment rooms full of biomedical equipment that, in many instances, do not require log-on credentials. Therefore, benchmarks from the financial sector (or others) will not address the diverse complexity needed for health care.
Staffing without considering the maturity of the security program. Many organizations make the mistake of assuming that it takes the same amount of staff to build a security management program as it does to manage a mature organization. It’s important to recognize the different skill sets between builders and operators, then acknowledge that some who are great builders (e.g., security architects) may not be happy in an ongoing support role (e.g., security operations) for a long period of time. It is important to select a benchmarking target that is the same maturity in order to accurately assess the security program’s staffing needs.
Comparing security staffing levels with organizations that may not be performing well. Most hospitals are struggling with their cybersecurity staffing. The 2016 Office for Civil Rights (OCR) desk audits determined that 83 percent of the organizations surveyed had serious deficient risk assessment deficiencies. Furthermore, 94 percent of those same organizations’ risk management plans did not meet OCR’s expectations. Simply stated, a high majority of the audited entities did not identify all threats and a higher percentage did not have a plan to reduce those risks to an acceptable level. Benchmarking against struggling organizations is a recipe for failing an audit, or worse.
A Better Model
The best way to build a staffing model is by starting at the bottom, identifying the major control groups from the HIPAA Security Rule:
- Security (and risk) management
- Workforce security (onboarding, awareness, and training)
- Incident management
- Contingency planning, including business continuity management
- Security audit and compliance
- Vendor management
- Physical security
- Physical asset management (including disposal)
- Access controls (includes vulnerability and patch management)
- Policy and procedures
By assigning roles based on requirements, healthcare organizations likely will end up with a security management organization that looks like the exhibit below. Few organizations have the resources to adopt this target organizational structure, so it will be necessary for individuals to assume multiple responsibilities. Executives must balance the organizational resource limitations with the risk associated with assigning responsibility above the individuals’ skill sets. While combining roles is desirable, it must be balanced with the need to preserve the separation between the audit and compliance staff from the operational staff.
Building a Staffing Model from the Bottom Up
Healthcare executives seeking to build a mature security management team should first focus on addressing the highest risks. Every risk should have a corresponding plan of action that identifies both the technology and staffing needed to reduce the risk.
Clyde Hewitt is vice president of security strategy, CynergisTek, Mission Viejo, Calif.