On Demand Webinar | Overview | Technology
Healthcare cybersecurity should be one of the top risks on every healthcare professional mind including yours. We will discuss the seriousness of the healthcare cybersecurity landscape including top risks, patient safety recent and near-ter...
Live Webinar | Technology
Healthcare cybersecurity should be one of the top risks on every healthcare professional mind including yours. We will discuss the seriousness of the healthcare cybersecurity landscape including top risks and patient safety impact, recent a...
On Demand Webinar | Basic | Technology
In this joint presentation from Humana and their subsidiary, Transcend Insights, attendees will gain insight into how a major health plan currently receives/delivers healthcare data in a (lacking interoperability) environment and what devel...
Blog | Technology

5 Pitfalls to Avoid When Considering Security Staff Benchmarks

Blog | Technology

5 Pitfalls to Avoid When Considering Security Staff Benchmarks

Clyde Hewitt presents areas of concern when determining appropriate staffing for information security.

The increasing number of recent ransomware attacks, security breaches, and privacy incidents understandably have hospital executives concerned about cybersecurity. The consequences of these breaches are significant, and developing strategies to address them is a difficult but necessary process.  One major component of that process is determining appropriate staffing.

The Five Pitfalls

There are five pitfalls of security benchmarking that must be recognized before healthcare organizations can determine an appropriate level of security staffing. 

Assuming cybersecurity professionals are ubiquitous and interchangeable. Cybersecurity professionals have specialties and work in different disciplines. To keep up with advancements in technology, cybersecurity personnel must develop new skills via specialized training. 

Staffing based on organizational size alone. Hospitals have long understood they must keep a mix of clinical staff specialties regardless of the number of licensed beds. All positions such as physicians, nurses, radiology technicians, and laboratory specialists must be filled, even if comparable benchmarking ratios drop below a full-time position for small organizations. The same is true with security professionals—certain positions must be filled even for small organizations. 

Using staffing models developed for organizations outside the industry. Healthcare security professionals must implement unique controls that are designed for a specialized threat spectrum and risks. Additionally, the regulatory complexity in healthcare is different from other sectors, which requires a broader set of skills. For example, biomedical devices introduce some very different security challenges. These devices often have life cycles exceeding 15 or more years, may be hampered with very few patch and vulnerability management options, and can’t be actively scanned due to an unacceptable risk to patient safety. The banking and finance sector would never permit customers to have unescorted access to computer assets; however, hospitals must routinely leave patients and family in treatment rooms full of biomedical equipment that, in many instances, do not require log-on credentials. Therefore, benchmarks from the financial sector (or others) will not address the diverse complexity needed for health care.

Staffing without considering the maturity of the security program. Many organizations make the mistake of assuming that it takes the same amount of staff to build a security management program as it does to manage a mature organization. It’s important to recognize the different skill sets between builders and operators, then acknowledge that some who are great builders (e.g., security architects) may not be happy in an ongoing support role (e.g., security operations) for a long period of time. It is important to select a benchmarking target that is the same maturity in order to accurately assess the security program’s staffing needs. 

Comparing security staffing levels with organizations that may not be performing well. Most hospitals are struggling with their cybersecurity staffing. The 2016 Office for Civil Rights (OCR) desk audits determined that 83 percent of the organizations surveyed had serious deficient risk assessment deficiencies. Furthermore, 94 percent of those same organizations’ risk management plans did not meet OCR’s expectations. Simply stated, a high majority of the audited entities did not identify all threats and a higher percentage did not have a plan to reduce those risks to an acceptable level. Benchmarking against struggling organizations is a recipe for failing an audit, or worse.

A Better Model

The best way to build a staffing model is by starting at the bottom, identifying the major control groups from the HIPAA Security Rule:

  • Security (and risk) management
  • Workforce security (onboarding, awareness, and training)
  • Incident management
  • Contingency planning, including business continuity management
  • Security audit and compliance
  • Vendor management
  • Physical security
  • Physical asset management (including disposal)
  • Access controls (includes vulnerability and patch management)
  • Policy and procedures

By assigning roles based on requirements, healthcare organizations likely will end up with a security management organization that looks like the exhibit below. Few organizations have the resources to adopt this target organizational structure, so it will be necessary for individuals to assume multiple responsibilities. Executives must balance the organizational resource limitations with the risk associated with assigning responsibility above the individuals’ skill sets. While combining roles is desirable, it must be balanced with the need to preserve the separation between the audit and compliance staff from the operational staff.

Building a Staffing Model from the Bottom Up

Healthcare executives seeking to build a mature security management team should first focus on addressing the highest risks. Every risk should have a corresponding plan of action that identifies both the technology and staffing needed to reduce the risk. 

Clyde Hewitt is vice president of security strategy, CynergisTek, Mission Viejo, Calif. 

About the Author

Clyde Hewitt


Related Articles | Technology

Column | Technology

Why humanizing technology maximizes patient engagement and increases financial value for health systems

Going digital has become a buzzword in the healthcare industry, and while answers abound to help healthcare leaders achieve this goal, the right question is hardly ever asked.

How To | Financial Sustainability

Financial Sustainability Report: August 2020

The August 2020 Financial Sustainability Report offers healthcare finance leaders guidance on how to set compensation for physicians in surgical specialty areas and how to pursue a financially sustainable business model for virtual care,

Article | Telemedicine

Telemedicine is exploding, but where is the ROI for health systems?

Telehealth is well on its way to having much broader acceptance and use than was seen at any time prior to the COVID-19 crisis. Yet there continue to be barriers and challenges in its widespread adoption.

How To | Telemedicine

How to leverage the telemedicine surge to create a profitable telehealth model

Healthcare finance leaders can help their organizations establish profitable telehealth programs following the COVID-19 pandemic by focusing now on the economic and operational drivers that will determine the success or failure of such programs.