Chapter 5: Workforce

I. Summary

The technical vulnerabilities in healthcare systems are compounded by another challenge: finding people with the necessary cybersecurity skills to protect those systems.

At every conference and closed-door gathering of healthcare cybersecurity professionals, one theme is universal: there aren’t enough hands to do the work of protecting the modern healthcare enterprise. The workarounds range from outsourcing huge amounts of work, to building internal training programs from ground zero, to simply telling one’s board of directors that an attack is inevitable if they are going to continue to fund at the levels they propose. Frustration is palpable, and answers are few.

The cybersecurity workforce shortage is not unique to the healthcare sector.1 Globally, the cybersecurity workforce gap is expected to reach 1.8 million by 2022 according to the 2017 Global Information Security Workforce Study.2 In America alone, employers struggle to fill nearly 200,000 new job openings requiring cybersecurity-related skills each year, including 5,000 information security analyst positions, the most common job in the field.3

The workforce gap has led to serious challenges in securing critical public and private data, and the gap is growing. Two schools of thought have arisen to explain this issue. The first posits that the workforce deficit is a function of not having enough people in the education pipeline,4 and policy solutions in this school of thought encourage more students to pursue cybersecurity education programs. The second posits that, in addition to an inadequate supply of talent, the cybersecurity workforce lacks mechanisms to match job seekers with job providers.5 Policy solutions in this second school of thought aim to better align education and industry, and include efforts to focus education on applied skills, create collaborative opportunities between educators and employers, and improve measurement and communication of employee competencies.

To best ameliorate the problems that fuel the healthcare cybersecurity workforce gap, the community needs solutions that address both schools of thought. Therefore, the policy recommendations in this chapter are divided into two categories: recruiting, which largely addresses the first, educational school of thought, and retention, which addresses the second, job-alignment school of thought. The two schools are not strictly separated though, and in many recommendations they may overlap. To set the stage for these policy solutions, Part II of this chapter will describe the challenges facing the healthcare sector that make it particularly sensitive to the cybersecurity workforce shortage. These challenges include:

Table 4: Summary of Healthcare Workforce Challenges

Area | Unique Characteristic or Challenge
Financial limitations | Limited budgets and tight profit margins make it difficult to recruit and retain relatively high-paid cybersecurity talent, especially in competition with other higher-paying tech jobs and flashier defense positions.
Workforce shortage | A shortage of physicians and nurses compels hiring managers to make tradeoffs based on the most pressing hiring priorities.
Skills | Healthcare cybersecurity requires a complex set of hybridized skills.
Job appeal | Healthcare cybersecurity work can appear mundane, time-consuming, and tedious, turning off potential employees and causing existing talent to burn out.
Career paths | Cybersecurity in general has poorly defined career paths and offers limited professional development.
Diversity | A diversity gap in the cybersecurity community writ large limits the pool of available talent, leads to fewer innovations, and introduces troubling social equity concerns.

Part III will then provide specific policy recommendations to meet these challenges, centered on recruiting and retaining top cybersecurity talent. These policy recommendations are:

Policies for Recruiting the Cybersecurity Workforce Needed to Support Healthcare

  • Amend the Cybersecurity Enhancement Act of 2014 to incentivize recipients of the CyberCorps Scholarship to serve in specific, critical need sectors like healthcare.
  • Under leadership from the U.S. Department of Labor (DOL), HHS, and state and local governments, create and subsidize models for cybersecurity-specific apprenticeships in the healthcare sector.
  • Create and incentivize adoption of sector-specific Centers of Academic Excellence designated programs.
  • Support an industry-wide approach for creating a healthcare cybersecurity job certification.
  • Create a sustainable financing model that supports healthcare providers who typically have the least concentration of cybersecurity expertise.

Policies for Retaining Cybersecurity Professionals in Healthcare

  • Provide payroll tax incentives to healthcare providers to address the “brain drain” in healthcare cybersecurity.
  • Healthcare leaders should work with security teams when making technical resource decisions that affect a provider’s security posture, emphasizing approaches that maximize productivity and reduce burnout.

II. Healthcare-Specific Workforce Challenges

i. Financial limitations

As discussed in Chapter 3, healthcare providers, especially small- and medium-sized organizations, have limited budgets and tight profit margins—a 2.7 percent industry average for healthcare.6 This limitation makes it difficult to recruit and invest in the development of relatively high-paid cybersecurity talent who often “view an attractive pay package as a given.”7 Operating on a tight margin makes it incredibly difficult to recruit cybersecurity talent who are sought after by higher paying firms in other sectors, like finance and big tech. Similarly, it can be difficult to retain cybersecurity professionals who often leave healthcare to pursue better pay and benefits.8 This retention problem is referred to as the healthcare cybersecurity “brain drain,” which occurs after a cybersecurity manager invests a large amount of time and money into a new hire, only to have an individual leave for another job after a few years.9

ii. Workforce shortage

On top of a cybersecurity workforce shortage, most health organizations have a non-cybersecurity workforce shortage as well. Reports from the Health Resources & Services Administration, an agency of HHS, project that there could be a shortfall of nearly 67,000 primary care physicians and a 20 percent shortage of nurses in the United States by 2020.10 By 2021, there is an expected shortage of 250,000 public health workers. Given competing hiring priorities, healthcare leaders may, and justifiably so, direct extra funding to attract physicians and nurses rather than cybersecurity professionals. The overarching healthcare workforce shortage combined with limited budgets makes it especially difficult to recruit a robust healthcare cybersecurity workforce.

iii. Skills

Healthcare cybersecurity specialists must not only be equipped with cybersecurity-related skills, they must also be familiar with HIPAA, proper handling of protected health information (PHI), and other healthcare-specific idiosyncrasies. Other sectors face similar challenges, and Burning Glass calls these sorts of jobs, which blend cybersecurity technology skills with industry-specific expertise, “hybrid jobs.”11 While there is a unique opportunity for job seekers who possess both sets of skills to demand higher salaries, it is difficult to find a single cybersecurity education and training program tailored to the idiosyncrasies of the healthcare privacy and security environment. As such, it is difficult for hiring managers to identify candidates who have all of the necessary competencies required for working in the healthcare setting. These additional requirements make an already scarce set of job skills even more rare.

iv. Job appeal

Potential employees may find healthcare cybersecurity work unappealing, even relative to other mundane cybersecurity work. Currently, many of the daily tasks required of cybersecurity specialists are tedious and involve manually sifting through large data sets, for example checking access logs to ensure that organizations remain HIPAA-compliant. Although privacy and security teams are often artificially separated, access logs must sometimes be analyzed during security and/or privacy audits to identify HIPAA violations. To complete this task, healthcare workers may first print access logs, which are documents that have tracked the digital behavior of specific employees. Because healthcare employees interact with dozens of patients every day, access logs can be dizzyingly long. After printing or exporting a log to Excel, it is not uncommon for a cybersecurity analyst to go through every single line of data, using a highlighter to flag instances where a colleague may have improperly accessed a patient file.12 Compared to flashy national security and intelligence positions in the Department of Defense, it is no wonder that healthcare cybersecurity work can appear unappealing.

Healthcare security work can be so uninteresting and unrelenting that professionals may burn out and leave the industry altogether. Generally speaking, information and cybersecurity teams in healthcare are small and compete with other core staff departments for limited funding. This means that security teams are typically understaffed and under-resourced, creating more stress for current employees. Keeping cybersecurity specialists isolated, sifting through security reports in a small back room, leads quickly to burnout. A white paper by social scientist Andrea Little Limbago found that burnout was one of the three main challenges to retention in the tech industry as a whole, alongside poorly defined career paths and non-inclusive culture (discussed in the next two sections).13

v. Career paths

There is no single, well-traveled path to becoming a cybersecurity professional, and professionals come from all different backgrounds. According to one study, 87 percent of today’s global cybersecurity workforce did not start out in cybersecurity, and 30 percent did not even come from an engineering or IT background.14 As open as this seems on its face, the lack of clear paths means that people interested in cybersecurity may not know how best to gain skills and find a job. Indeed, the same study found that 31 percent of global hiring managers in cybersecurity believed that the absence of a clear information security career path was an important factor in why they could not hire enough people.15

Poorly defined career paths and lack of professional development also lead many existing security specialists to exit the profession. According to Matthew Doan, a New America cybersecurity fellow and senior associate at Booz Allen, there is a dearth of opportunities for cybersecurity professionals across industries to move both vertically and laterally throughout their career. In healthcare, cybersecurity specialists similarly lack well-defined career paths and professional development opportunities.

vi. Diversity

The diversity problem within the broader cybersecurity workforce exacerbates the workforce challenges presented here. An (ISC)² study from March 2018 found that, although minority participation in the cybersecurity workforce is higher (26 percent) than the overall U.S. minority workforce (21 percent), there are still pay discrepancies and promotional barriers that disproportionately affect people of color, and in particular women of color.16 The study found that more minorities in cybersecurity have obtained a master’s degree or higher (62 percent) when compared to their white counterparts (50 percent), yet minorities are still paid less on average ($115,000 for minorities, compared to $122,000 for the overall cybersecurity workforce) and promoted less often (23 percent of minority cybersecurity professionals hold a role of director or above, compared to 30 percent of their Caucasian peers). Female participation rates are also dismally low at only 14 percent of the cybersecurity workforce in North America.17

In many ways, these statistics illustrate that the cybersecurity workforce is dominated predominantly by white men. This diversity gap is problematic for three reasons. First, lack of participation, especially among women, limits the pool of available talent in the workforce. Second, homogeneous teams produce less innovative work.18 And third, there is a troubling social equity problem when minorities are not afforded the full pay and promotional opportunities stemming from relatively high-paying cybersecurity jobs.

Beyond this broad culture of discrimination, it is hard to pinpoint a unique culture of discrimination specific to the healthcare sector. Still, healthcare-specific cultural factors do influence employee turnover. In particular, the healthcare sector is extremely slow to embrace new technologies that could enhance and support employees’ work; for example, the vast majority of the healthcare sector used paper records until 2009. The sector adopted electronic health records only after a massive government incentives program sparked this transition. The conservative, tech-wary culture in healthcare can restrict the adoption of security tools and technologies that would support the cybersecurity workforce.

These challenges are situated within the problematic national cybersecurity landscape, where progress is painfully slow and policymakers remain lukewarm towards concrete cybersecurity action (or even draft counterproductive policies), all while cybersecurity incidents continue happening at an accelerated clip. Such realities make the healthcare cybersecurity workforce shortage especially difficult to solve. In order to ensure the secure and uninterrupted provision of healthcare services, this report presents a comprehensive healthcare cybersecurity workforce vision as a guide for community stakeholders including healthcare industry leaders, federal, state, and local policymakers, and academic institutions.

III. Healthcare Workforce Policy Recommendations

This report offers a healthcare cybersecurity workforce vision built on the following two pillars:

  • Recruiting a diverse workforce that is well prepared for healthcare-specific cybersecurity challenges.
  • Retaining cybersecurity professionals within the healthcare sector.

In short, the aim of this vision is to create a more robust healthcare cybersecurity workforce backed by sector-specific job training programs and technologies. Necessarily, a robust workforce will more accurately reflect the population it serves and add value to security outcomes through increased workforce diversity. Moreover, solutions will draw upon a dual approach that emphasizes both A) expanding educational offerings that attract more students to the healthcare sector and B) creating a better system for matching healthcare cybersecurity job seekers with hospitals and other healthcare providers. While the specific recommendations contained in this report are geared specifically towards addressing the healthcare cybersecurity workforce gap, the two pillar model above is broad enough to prove useful for other industries seeking to address their particular cybersecurity workforce challenges.

Recommendations for Recruiting the Cybersecurity Workforce

Recommendation #5.1: Amend the Cybersecurity Enhancement Act of 2014 to incentivize recipients of the CyberCorps Scholarship to serve in specific, critical need sectors like healthcare.

One of the key programs that seeks to expand the cybersecurity talent pipeline is the CyberCorps: Scholarship for Service program, administered by the National Science Foundation in coordination with the Office of Personnel Management and the Department of Homeland Security. Established in 2000, the CyberCorps Scholarship provides tuition and a stipend to students in return for a dedicated term of service in a federal, state, local, tribal, or territorial government organization. The obligation for government service requires that a scholarship recipient serve in a qualifying position for a period of time equal to the length of the scholarship, so generally between one and four years.

Considering that only about 3,300 students have completed the CyberCorps Scholarship program since its establishment in 2000, it is difficult to assess its impact on the cybersecurity workforce beyond the simple observation that CyberCorps has not significantly narrowed the gap.19 While future independent assessments should be conducted to fully understand its effects, research will likely show that the program has an even lesser effect on the healthcare cybersecurity workforce. There are several reasons to suggest that CyberCorps fails to perceptibly improve the healthcare cybersecurity workforce.

First, the obligation to serve in a government agency precludes most healthcare providers from eligibility. According to the American Hospital Association’s 2018 Hospital Statistics, there are 5,534 registered hospitals in the United States.20 Of these, nearly 80 percent of hospitals are privately owned, either as not-for-profit or as for-profit community hospitals. Only 956 hospitals are owned by state and local governments and even fewer, 209, are federally owned. With so few government-owned hospitals, it can be difficult for CyberCorps Scholarship recipients to find eligible government healthcare operators that appeal to them. Thus, since most healthcare organizations are privately owned, cybersecurity professionals supported through the CyberCorps Scholarship program have limited options to start their careers in the healthcare sector—or any other critical private sector, for that matter.

A second reason CyberCorps will not lead to significant changes in the healthcare sector is that, even for those individuals who choose to enter one of the few government-owned healthcare organizations, the required term of service is too short to guarantee that individuals will remain in the healthcare sector for more than a few years. Cybersecurity professionals who complete the scholarship program are likely to feel drawn to other fields outside of healthcare. As detailed above, healthcare struggles to retain cybersecurity talent more than other fields.

Given these weaknesses, the current CyberCorps model is unlikely to significantly move the needle in addressing the healthcare cybersecurity workforce shortage. Still, recognizing that relatively small changes to the program could address its shortcomings and help narrow the gap in one of America’s most fundamental critical infrastructures, the Cybersecurity Enhancement Act of 2014 should be amended to incentivize recipients of the CyberCorps Scholarship to serve in specific, critical need sectors like healthcare. The Cyber Scholarship Opportunities Act (S. 754) recently introduced in the Senate and unanimously approved by the Senate Committee on Commerce, Science, and Transportation, may help do that.21

Importantly, this bill would allow CyberCorps Scholarship recipients to fulfill their post-award service obligation outside of strictly government-run organizations; specifically, they would be allowed to work in a “nonprofit that is considered to be critical infrastructure.”22 This new provision encompasses nearly 60 percent (or 2,849) of community-owned hospitals that, for the first time, would be eligible organizations for the post-award service obligation. While this still leaves over 1,000 investor-owned (for-profit) community hospitals ineligible under the CyberCorps program, the shift to include nonprofit critical infrastructures is a significant improvement.

Since the aim of this provision is to support the beleaguered system of critical national infrastructures, and healthcare is one of the most critical need sectors, it makes sense to specifically name healthcare in the text of the bill and provide extra incentives to individuals who choose to fulfill their service in a qualifying healthcare position. Considering the fact that cybersecurity threats fail to discriminate between for-profit and nonprofit entities, lawmakers should also weigh the merits of allowing post-award employment obligations to be fulfilled in for-profit healthcare organizations.

Recommendation #5.2: The US Department of Labor, HHS, and State and Local governments should enable models for cybersecurity apprenticeships in the healthcare sector.

Alongside the DOL, HHS has recognized the importance of developing general information technology apprenticeship programs23 in the healthcare sector. This includes a recognition of apprenticeable occupations like information assurance specialists, information and IT project managers, and IT generalists.24 However, the current focus on providing federal, state, and local funds for the development of health IT apprenticeships leaves notably absent an apprenticeship model focused specifically on developing the healthcare cybersecurity workforce. While there is a temptation to rely on industry to lead the development of apprenticeship programs,25 the only way to achieve scale is through a systems-level approach that partners public and private entities through deliberate policy-grounded decisions.26 These policy decisions can take a number of forms.

First, policymakers should outline a clear framework that establishes healthcare cybersecurity apprenticeship program requirements, including general guidance on the roles and responsibilities of the healthcare sector, apprenticeship intermediaries,27 and the education system. It is important to be clear that this recommendation calls simply for a standards framework, rather than a strict set of regulatory requirements. The registered apprenticeship program requirements from the DOL serve as a good model to achieve clarity, but state and local policymakers can codify their own healthcare cybersecurity apprenticeship program standards framework. Since around half of the states already follow their own apprenticeship registration models that differ from the federal DOL registered apprenticeship program, this is particularly applicable. Important in this regard is first identifying and standardizing the core competencies of a “healthcare cybersecurity expert.” This task may be best coordinated through NIST’s National Cybersecurity Center of Excellence (NCCoE). NCCoE is well-equipped to convene the range of healthcare stakeholders necessary to create such a standard, including healthcare industry representatives, educational programs including apprenticeship providers and intermediaries, academic institutions, and relevant public-sector entities.

Second, federal and state policymakers should incentivize industry groups and apprenticeship intermediaries to create cybersecurity-specific apprenticeship programs in the healthcare sector. While some healthcare providers may be comfortable with existing health-IT apprenticeship models, healthcare cybersecurity apprenticeships will be foreign for most (if not all). To ease a transition and incentivize employers to start and run a program, action at the federal and state level must invest in apprenticeship intermediaries, marketing, and research. These incentives can be constructed in a number of ways, either through subsidies provided directly to employers, tax breaks, or public service agreements similar to the CyberCorps Scholarship.28

For a number of reasons, apprenticeships in the healthcare sector are particularly effective at addressing recruitment and retention issues. First, healthcare apprentices have a clearly defined career path with upward lattices, making it more likely that they will stay in their job longer.29 Second, the “earn while you learn” model instills a sense of loyalty within healthcare employees who feel invested in by their organization, thus increasing retention. Third, apprenticeships have a built-in mentorship component that is critical not just for training, but also for retaining new hires, especially those who come from diverse backgrounds. In the end, healthcare organizations that incorporate apprenticeship training models improve patient care, cultivate a diverse workforce that more closely resembles the patients being served, and cut costs associated with employee turnover.30

However clear the benefits of these healthcare apprenticeship models, federal, state, and local authorities are still in the early stages of adopting even the most basic cybersecurity apprenticeship models,31 so conversations about hybrid, healthcare-specific cybersecurity apprenticeships are still a long way off.

Nonetheless, as more state and local programs opt to develop healthcare cybersecurity apprenticeship programs, they should learn lessons from successful models in other, non-cybersecurity related healthcare occupations. A distance learning option, for example, is especially beneficial for individuals seeking a healthcare cybersecurity apprenticeship since much of the work can be done remotely, it maximizes flexibility, and rural healthcare providers can recruit talent from the outside.32

Finally, when enabling healthcare cybersecurity apprenticeship programs an important distinction must be made between the healthcare IT apprenticeships that exist in some density and the healthcare cybersecurity apprenticeships that are especially rare. While healthcare IT apprenticeships help to fill the anemic health IT workforce, this does not directly address the shortage of cyber and information security (IS) professionals in healthcare. In their analysis of healthcare cybersecurity and cyber threats, authors Aurore Le Bris and Walid El Asri noted the flaws in conflating cybersecurity occupations (they use the term information security, which falls under the cybersecurity umbrella) with information technology occupations:

When the hospital does have an IS staff, an improper organizational structure may prevent them from having the sufficient leverage to define strong security policies. In fact… the Information Security team is most often integrated into the IT department and so under the control of the CIO. However, IS and IT have diverging guidelines: IT aims first at making systems easy-to-use whereas IS aims at making them secure – that can increase their complexity for users (e.g. 2-factor authentication). As a result, in conflictual situations, IS considerations tend to be discarded in favor of the IT ones.33

It is important to separate information technology from cybersecurity since the related occupations should manage different areas of work while still working in cooperation with each other.34

Recommendation #5.3: Create and incentivize adoption of sector-specific Centers of Academic Excellence (CAE) designated programs.

With input from HHS, NIST, industry leaders, and academia, DHS and the National Security Agency (NSA) should create sector-specific CAE35 designations to incentivize and reward higher education institutions that create cybersecurity programs related to critical infrastructures, particularly healthcare. There is precedent for differentiating between various CAE programs, for instance the CAE-CD (Cyber Defense) and CAE-CO (Cyber Operations) programs are two existing variants that can provide a framework for further sector-specific differentiation. Creating a healthcare CAE designation will encourage higher education institutions to create new programs specifically designed to train students in the idiosyncrasies of healthcare cybersecurity. This designation will supplement the expansion of academic specializations that could support cybersecurity apprenticeships and cater to those students who either prefer completing their postsecondary education before entering the workforce or want to transition into a different career.

Receiving CAE designation is based on a broad set of criteria, meaning there are no sector-specific requirements for this designation. Without sector-specific requirements for CAE designation, the trend is for educational institutions to create broad cybersecurity programs that train cybersecurity generalists. For specialized critical national infrastructures like healthcare, with idiosyncratic data, privacy laws, and cyber threats, having programs with a more nuanced curriculum would be helpful. Creating sub-specialties within a generalized program may also be an appealing approach.

While institutions may begin creating such sector-specific programs out of a desire to have a competitive advantage over other schools, Congress can incentivize action. At the most basic level, funding for general research into the best practices of sector-specific education programs would be a valuable contribution. NSF’s Secure and Trustworthy Cyberspace (SaTC) program serves as a good model for this sort of research, but research outcomes covering education will be limited since funding is capped at $300,000 and the maximum funding duration is two years.36 In parallel to this research effort on best practices in cybersecurity education, Congress should provide increased funding to centers who earn the proposed healthcare CAE designation presented above. As a result, even more institutions would create certified cybersecurity instructional programs related to healthcare and more students would be equipped with the hybridized skills required to serve as healthcare cybersecurity specialists.

Recommendation #5.4: Support an industry-wide approach for creating a healthcare cybersecurity certification.

NIST, through the NCCoE, should leverage its convening power to bring together relevant stakeholders who can help inform the standards needed in a healthcare cybersecurity certification.37 These stakeholders include industry associations like CompTIA, training providers like SANS Institute, professional organizations like the International Association of Privacy Professionals, International Information Security Certification Consortium, hiring managers, and healthcare industry leaders.

However useful it may be to quickly identify an individual’s skill sets using an industry certification, and whatever the benefits for job advancement, obtaining a certification can be difficult and is not the only way to demonstrate capability. For example, attempting certain tests can cost an individual anywhere between $330³⁸ and $2,300,³⁹ with required renewals costing an additional fee. Certifications may also depend on demonstrated work experience of four or five years for full certification,40 a prohibitive barrier for newcomers with no formal work experience. Given that the cybersecurity profession is one deeply tied to the expertise of hackers and self-taught professionals who often acquire skills outside of the traditional workforce and education systems, requiring work experience as a prerequisite to certification may be a barrier to entry for some otherwise qualified individuals.41 Formal work experience may be unnecessary if an individual can demonstrate competency during a boot camp, capture the flag competition, non-traditional training program, or during a hiring simulation exercise.

While there are certifications available for less experienced candidates or for those who obtain skills outside of formal employment, these “entry level” certifications do not tend to land people jobs at the same rate as the certifications that require work experience. The problem here is that employers do not offer jobs that match with entry level certifications. Thus, despite all their benefits in ensuring industry standards, the mismatch between entry level certifications and available jobs accepting them restricts the number of available pathways into the industry. Given these drawbacks, one may wonder if creating a distinct certification for healthcare cybersecurity is a wise course of action. Indeed, it can be, so long as a number of factors are met.42

First, the certification must ensure that employees not only possess generally transferable cybersecurity skills, they must also understand healthcare-specific cybersecurity nuances. These nuances include regulations around data security and privacy stemming from HIPAA, handling PHI, protecting patient flows, tracking insider threats, and understanding the culture of healthcare that makes access control different from other industries.

Second, there must be a suite of certifications that covers the spectrum of junior and senior employees. Going a step further, there must be industry alignment to ensure that employers actually buy into the value of entry-level certifications in particular. In other words, certifications should not be viewed primarily as “career escalators” that position an already established cybersecurity professional for upward mobility.43 Rather, efforts should focus on certifications that serve as “door openers,” creating new opportunities for more people to enter the healthcare cybersecurity labor market. To achieve this, it may also be necessary to better align the incentives of certifying authorities with those of the job-seeking test takers. By fostering this sort of industry-wide approach, more avenues into the healthcare cybersecurity workforce will open while employee competency is still assured.

Finally, in recognition of the “door opener” approach to certification, employers must accept the need for jobs that can be done by workers with fewer than five years of work experience. This elevates the importance of in-house career development and mentorship programs. Human resource teams within healthcare organizations will need to lead the development of these programs and create specific mentorship initiatives for diverse hires.

Recommendation #5.5: Create a sustainable financing model that supports healthcare providers who typically have the least concentration of cybersecurity expertise.

To address retention challenges at rural and small- and medium-sized organizations, the federal government should consider a model similar to the National Health Service Corps or the Indian Health Service, designed to attract cybersecurity experts to the rural healthcare providers where cybersecurity expertise is least concentrated. State and local governments can also prioritize subsidies that offset the pay cut an employee takes when moving from a higher-paying job to a lower-paying one, and cover relocation expenses to a rural community.

Many small- and medium-sized healthcare organizations still rely on local servers and databases kept in-house, “often in closets or in unsecure infrastructure.”44 There is a great opportunity for healthcare to shift to hosted, cloud, and shared computing environments, a shift that changes where the work is done but not the provider’s responsibility for configuring access controls or for putting a business associate agreement in place with the hosting vendor. Even so, the continued reliance on local servers and in-house databases is likely to persist for some time given the capital investment limitations and the conservative technology postures of most small- and medium-sized organizations. The mentality that technology infrastructure should be kept in-house is the same mentality that leads many healthcare providers to think they must have physically present, in-house cybersecurity staff rather than contracting someone to work remotely. For some providers, where servers and databases require a physical connection for access, this does make sense. Until healthcare providers make the physical and mental transition to hosted, cloud, or shared computing environments, cybersecurity professionals will be needed in all corners of the country to fill positions in rural locations. These positions can be especially difficult to fill because of their isolation and lower pay.

The National Health Service Corps and the Indian Health Service provide full or partial federal support, either through direct grants or loan repayment programs, for medical students who agree to work in underserved, typically rural communities. These programs grew from the recognition that rural communities faced an even more pronounced challenge in attracting and retaining medical doctors. The same difficulty presents itself in attracting cybersecurity professionals. Small- and medium-sized healthcare organizations in rural locations have a pronounced lack of cybersecurity expertise at their disposal, and this shortfall makes it difficult for them to maintain strong security postures.

Recommendations for Retaining Cybersecurity Professionals

Considering the shortfall of cybersecurity talent in healthcare, it is promising to see hiring managers already prioritize recruiting cybersecurity professionals. The Global Information Security Workforce Study noted that healthcare is expected to expand its cybersecurity staff more than any other industry, with 39 percent of hiring managers expecting to increase their cybersecurity workforce by 15 percent or more in the next year.45 This “more butts in seats” approach is an important part of the strategy for shoring up the healthcare cybersecurity workforce. However, while much of the cybersecurity workforce conversation is rightly focused on recruiting more talent, an equally important conversation is on how to retain cybersecurity specialists in order to ensure that the field does not leak talent and face a perpetual shortage.

Recommendation #5.6: Provide payroll tax incentives to healthcare providers to address the “brain drain” in healthcare cybersecurity.

To counteract cybersecurity “brain drain” in healthcare and other critical infrastructures, Congress should create payroll tax incentives for companies in chronically understaffed, high-need sectors like healthcare. While federal tax dollars may move the national needle most effectively, states can leverage their economic development resources to encourage similar movement in their local health sectors. There are many examples of federal tax incentives and credits being used to stimulate and support particular industries and occupations, including provisions of the American Recovery and Reinvestment Act of 2009, the Hiring Incentives to Restore Employment (HIRE) Act of 2010, and the Tax Cuts and Jobs Act approved by Congress in December 2017. The most helpful tactic for encouraging retention of healthcare cybersecurity professionals would be a payroll tax incentive that rewards healthcare providers for having long-serving cybersecurity employees. Several requirements could be built into such a plan to reach this goal.

First, a healthcare provider should be required to employ the same person in a cybersecurity-related position for a minimum number of years. Second, after this requirement has been met, providers would become eligible for a payroll tax benefit. Third, as an added incentive for even greater retention, benefits could increase over time as employees remain in their positions. In other words, the longer a healthcare provider employs the same individual in a cybersecurity job, the higher the payroll tax benefit granted to that provider.

Together, these requirements would create a structure in which healthcare providers are incentivized to retain their cybersecurity staff for as long as possible. To do so, providers would need to offer more competitive salaries, bonuses, and professional development opportunities, making them more competitive in the labor market.

Recommendation #5.7: Empower employees with artificial intelligence and automation tools for time- and data-intensive tasks in order to maximize productivity and reduce burnout.

Healthcare leaders should equip current cybersecurity professionals with tools and technologies that support workflows that are repetitive, involve large amounts of data, or require fast responses. The mundane and time-consuming task of manually auditing patient record access logs for HIPAA compliance is a good example of a task that could be eased and improved through machine learning and other automation. Not only is this process a pain for the employee tasked with the audit, it also presents a patient privacy and safety issue. Because a manual audit requires so much time and covers so much data, it is nearly impossible for a cybersecurity professional to review every access to every patient record and every connected medical device. This means that inappropriate access and exploited vulnerabilities can remain undetected for months or even years.46 High-volume pattern-matching tasks like this one are the best use cases for artificial intelligence and automation tools: the tool reads every log line, and the analyst’s job becomes reviewing the small number of events it flags rather than reading the logs themselves.

To maximize productivity and reduce burnout, healthcare organizations should adapt their institutional policies to favor technologies that automate time-intensive tasks and allow efficient review of large patient data sets. Leveraging these technologies would let cybersecurity professionals spend more of their time on more challenging and interesting organizational priorities, such as investigating incidents, creating high-level strategic plans for security training and incident response, improving cyber hygiene, and running HIPAA compliance training. Boredom and stagnation contribute to employee turnover.47 By reducing the time spent on mundane tasks and increasing opportunities for higher-level thinking, healthcare providers are more likely to retain employees.
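What an automated access-log review actually looks like, as an added example for this chapter rather than code from the report or from any EHR vendor: the script below reads a constructed EHR audit log, checks each chart access against a constructed table of treatment relationships, routes every emergency “break the glass” override to a review queue, and flags any user who touched far more distinct charts than peers in the same role. The log format, role names, encounter table and thresholds are assumptions standing in for a real audit export and a scheduling feed. The peer-baseline rule is a statistical stand-in for the machine learning tools the text describes; the structure (ingest everything, surface a handful of findings) is the same whichever model sits in the middle.

```python
"""Automated review of EHR access logs for PHI access that needs a human look.

Added example for this chapter, not code from the report or any vendor.
The log format, role names, encounter table and thresholds are assumptions
standing in for an EHR audit export and a scheduling/ADT feed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Constructed sample audit records: "<timestamp> <user> <role> <patient> <action>".
SAMPLE_LOG = [
    "2018-07-17T08:02:11 jdoe nurse P1001 view",
    "2018-07-17T08:05:40 jdoe nurse P1002 view",
    "2018-07-17T09:10:03 jdoe nurse P1001 update",
    "2018-07-17T08:15:22 rlee nurse P1003 view",
    "2018-07-17T08:40:10 rlee nurse P1004 view",
    "2018-07-17T12:01:55 rlee nurse P1002 view",          # no encounter with P1002
    "2018-07-17T13:30:00 rlee nurse P1001 break_glass",   # emergency override
    "2018-07-17T08:20:00 mpatel nurse P1005 view",
    "2018-07-17T08:22:00 mpatel nurse P1006 view",
    "2018-07-17T10:00:00 asmith billing P1001 view",
    "2018-07-17T10:03:00 asmith billing P1003 view",
] + [
    # A float nurse who touched twelve charts in one shift (constructed).
    f"2018-07-17T{9 + i // 6:02d}:{(i * 7) % 60:02d}:00 kwong nurse P20{i:02d} view"
    for i in range(1, 13)
]

# Constructed treatment relationships: user -> patients with an encounter on file.
ENCOUNTERS = {
    "jdoe": {"P1001", "P1002"},
    "rlee": {"P1003", "P1004"},
    "mpatel": {"P1005", "P1006"},
    "asmith": {"P1001", "P1003"},
    "kwong": {f"P20{i:02d}" for i in range(1, 13)},
}

MIN_PEERS = 2   # need at least this many same-role peers before judging volume
SIGMA = 2.0     # flag counts more than this many peer std-devs above the peer mean


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    role: str
    patient: str
    action: str


@dataclass(frozen=True)
class Finding:
    user: str
    patient: Optional[str]   # None for per-user (volume) findings
    reason: str
    detail: str


def parse_log(lines):
    """Parse whitespace-separated audit lines; skip blank or malformed ones."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        events.append(AccessEvent(*parts))
    return events


def check_relationships(events, encounters):
    """Flag chart access with no treatment relationship; queue overrides for review."""
    findings = []
    for e in events:
        if e.action == "break_glass":
            # Sanctioned emergency path: not a violation, but every use gets reviewed.
            findings.append(Finding(e.user, e.patient, "break_glass",
                                    f"emergency override at {e.ts}; confirm justification"))
        elif e.patient not in encounters.get(e.user, set()):
            findings.append(Finding(e.user, e.patient, "no_treatment_relationship",
                                    f"{e.action} at {e.ts} without an encounter on file"))
    return findings


def check_volume(events):
    """Flag users who touched far more distinct charts than peers in the same role."""
    patients = defaultdict(set)
    role_of = {}
    for e in events:
        patients[e.user].add(e.patient)
        role_of[e.user] = e.role
    findings = []
    for user, seen in patients.items():
        peers = [len(patients[u]) for u in patients
                 if u != user and role_of[u] == role_of[user]]
        if len(peers) < MIN_PEERS:
            continue   # too little baseline to say anything
        # Leave-one-out baseline so a heavy user does not inflate its own threshold;
        # the 2x floor stops a flat baseline (std-dev 0) from flagging trivial differences.
        threshold = max(mean(peers) + SIGMA * pstdev(peers), 2 * mean(peers))
        if len(seen) > threshold:
            findings.append(Finding(user, None, "volume_outlier",
                                    f"{len(seen)} distinct charts vs. peer threshold {threshold:.1f}"))
    return findings


def audit(lines, encounters=ENCOUNTERS):
    """Run every check over the log and return the findings a human should review."""
    events = parse_log(lines)
    return check_relationships(events, encounters) + check_volume(events)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.reason:26} {f.user:8} {f.patient or '-':6} {f.detail}")
```

On the constructed log the analyst is handed three findings instead of twenty-three lines: one chart opened with no encounter on file, one emergency override awaiting its justification, and one nurse whose chart count is far outside the peer baseline. In production the encounter table would come from the scheduling or ADT system, and the baseline would be computed per role and per shift over a longer window than a single day.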

Citations
  1. It is worth mentioning from the outset that many terms (including workforce gap, workforce shortage, skills shortage, talent shortfall, etc.) may be used more or less interchangeably throughout this chapter. While each phrase has some specific contextual nuance, they all help describe some aspect of the same problem. This problem is specifically related to the gap caused by an increasing demand for cybersecurity employees and the inability or inefficiency of hiring managers to fill those positions.
  2. Frost & Sullivan, 2017 Global Information Security Workforce Study: Benchmarking Workforce Capacity and Response to Cyber Risk (San Antonio, TX: Frost & Sullivan, 2017). (Hereafter: Frost & Sullivan, Workforce Study).
  3. Ibid.
  4. Laura Bate, Alternative Pathways to Cybersecurity Education, (Washington, DC: New America, 2018). (Hereafter: Bate, Alternative Pathways).
  5. Bate, Alternative Pathways.
  6. NYU Stern, Operating Net Margins, 2018; Moody’s, Preliminary FY 2016.
  7. ISC2, Hiring and Retaining Top Cybersecurity Talent: What Employers Need to Know About Cybersecurity Jobseekers in 2018, (Clearwater, FL: ISC2, 2018).
  8. Michael Minear, a CIO for a California health system, described this problem in a recent Modern Healthcare report. After investing time and money to train a talented staff of cybersecurity specialists, two of Minear’s original five team members were poached by other companies. It took Minear a year and a half to fill those job openings. This example perfectly illustrates the vexing problem facing healthcare managers: as it grows increasingly difficult to fill open positions, it becomes equally difficult to hold on to top talent. This is an all-too-common challenge for healthcare managers. See the full report at: Joseph Conn, “Healthcare Struggles to Recruit Top Cybersecurity Pros,” Modern Healthcare, October 14, 2015. (Hereafter: Healthcare Struggles to Recruit Top Cybersecurity Pros).
  9. See “Healthcare Struggles to Recruit Top Cybersecurity Pros.”
  10. Bronwyn Mauldin, Apprenticeships in the Healthcare Industry (Washington, DC: Department of Labor, 2011).
  11. Burning Glass Technologies and General Assembly, Blurring Lines: How Business and Technology Skills Are Merging to Create High Opportunity Hybrid Jobs (Boston, MA: Burning Glass Technologies, 2018).
  12. Cybersecurity experts will readily note that existing applications can already identify these types of anomalies. However, many healthcare organizations (especially small- and medium-sized organizations) do not currently use these applications.
  13. Andrea Limbago, Increasing Retention Capacity: Research from the Field (Arlington, VA: Endgame, 2017). (Hereafter: Limbago, Retention Capacity).
  14. Frost & Sullivan, Workforce Study
  15. Ibid.
  16. ISC2, Minority Study.
  17. Frost & Sullivan, 2017 Global Information Security Workforce Study: Women in Cybersecurity (San Antonio, TX: Frost & Sullivan, 2017). Anecdotal evidence from our external reviewers suggests that female participation rates in cybersecurity in healthcare are higher than other communities, but more empirical data is needed to state this claim conclusively.
  18. Phillips, “Diversity”.
  19. National Science Foundation, CyberCorps: Scholarship for Service Recognizes First Hall of Fame Recipients, January 10, 2018.
  20. AHA, Fast Facts 2018.
  21. See a committee mark-up version of Senate Bill 754, which passed the Commerce Committee unanimously: U.S. Congress, Senate, Cyber Scholarship Opportunities Act of 2017, S.754, 115th Cong., 1st sess., introduced in Senate March 28, 2017.
  22. Critical national infrastructures are here defined according to the Critical Infrastructures Protection Act of 2001: “The term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” See: Critical Infrastructures Protection Act, 42 U.S. Code § 5195c (2001).
  23. Apprenticeship is defined by the DOL as “an arrangement that includes a paid-work component and an educational or instructional component, wherein an individual obtains workplace-relevant knowledge and skills.” Well-established and registered apprenticeship models exist in many industries including construction, hospitality, transportation, and advanced manufacturing. See: Exec. Order No. 13801, 82 Fed. Reg. 28229 (June 15, 2017), source
  24. Virtual Career Network, Apprenticeship Training Healthcare, July 17, 2018.
  25. Importantly, the recognition of an occupation as “apprenticeable” does not necessarily lead to the creation of an actual apprenticeship program, as that responsibility rests primarily with state and local jurisdictions and private apprenticeship organizations. The Department of Labor’s Career One Stop apprenticeship database has listed an “Information Assurance Specialist” position at the Spectrum Health-Butterworth Campus in Michigan, but it appears to still be in development. It is difficult to identify any other single existing healthcare cybersecurity apprenticeship. See: Career OneStop, Apprenticeship Finder, July 17, 2018.
  26. Mary Alice McCarthy, Iris Palmer, Michael Prebil, Connecting Apprenticeship and Higher Education: Eight Recommendations (Washington, DC: New America, 2017).
  27. According to Brent Parton in the Youth Apprenticeship in America Today report from New America (Washington, DC: New America, 2017), behind every successful youth apprenticeship program in the U.S., “there is an intermediary holding the partnership (between apprentices and employers) together.” Simply put, intermediaries are individuals and organizations that coordinate the activity of key partners, including employers and apprentices, to ensure a program’s success. Importantly, not all intermediaries are firms that require payment for their services. In fact, many of the most successful intermediaries are individuals who do this work for free. While many intermediaries are private, for-profit organizations, they are often under-resourced and (in the case of individuals completing this work) typically do not coordinate apprenticeships as a full-time aspect of their job.
  28. For more on the strategies to scale apprenticeship capacity, see: Ibid.; Mary Alice McCarthy, Iris Palmer, and Michael Prebil, Connecting Apprenticeship and Higher Education: Eight Recommendations (Washington, DC: New America, 2017).
  29. Employment and Training Administration, Using Registered Apprenticeship to Build and Fill Healthcare Career Paths (Washington, DC: Department of Labor, 2011). (Hereafter: Using Registered Apprenticeships in Healthcare).
  30. Ibid.
  31. For instance, the first cybersecurity apprenticeship program in Virginia, which is generally viewed as a leader in this space, didn’t begin accepting students until 2017.
  32. A good example is the Good Samaritan Society’s partnership with the University of South Dakota. This program allows apprentices working towards a Certified Nursing Assistant designation to complete their curriculum requirements via distance learning, so they can take online classes in whatever location they are currently based. See: Using Registered Apprenticeships in Healthcare.
  33. Aurore Le Bris and Walid El Asri, State of Cybersecurity & Cyber Threats in Healthcare Organizations: Applied Cybersecurity Strategy for Managers (Cergy-Pontoise, France: Essec Business School, 2017).
  34. While healthcare organizations should ideally distinguish IT from cybersecurity, this does not always happen.
  35. The goal of this initiative is to identify and designate certain higher education and research institutions according to their commitments to robust cybersecurity degree programs and cybersecurity-related knowledge units. These CAE institutions can be 2-year community and technical colleges, 4-year bachelor's degree granting universities, specialized training centers, or military schools. Along with the formal recognition from the US government that brings prestige and publicity, students attending CAE designated institutions can apply for certain scholarships and grants; however, there is no guarantee that funding will be provided to all of the centers that earn the CAE designation. For more on the CAE program, see: National Initiative for Cybersecurity Careers and Studies, National Centers of Academic Excellence (CAE), July 17, 2018.
  36. National Science Foundation, Secure and Trustworthy Cyberspace (SaTC), July 17, 2018. For even more information on cybersecurity and STEM education-specific NSF grants, see the STELAR Webinar from June 14, 2018: source
  37. Cybersecurity certifications used to demonstrate a cybersecurity professional’s capabilities already exist in abundance. The sheer number of certifications creates a veritable alphabet soup of qualifications that can be confusing for experts and newcomers alike. Some of the more popular cybersecurity certifications include the Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), CompTIA Security+, and the Global Information Assurance Certification (GIAC) family. There is even a CompTIA Healthcare IT Certification focused on integrating essential healthcare and IT terminologies (this certification is NOT focused on information security; only one unit, the shortest unit of the entire certification process, is dedicated to security). Each credential can be useful to signal an individual’s skills and competencies in using specific tools or platforms, making certifications highly desirable for hiring managers. In fact, a third of all cybersecurity jobs call for some kind of industry certification. For more on cybersecurity certifications, see: Burning Glass, Job Market Intelligence: Cybersecurity Jobs, 2015 (Boston, MA: Burning Glass Technologies, 2015). For more on the CompTIA Healthcare IT Certification, see: National Initiative for Cybersecurity Careers and Studies, CompTIA® Healthcare IT Certification Training, July 17, 2018.
  38. CompTIA, CompTIA Security+ Certification, July 17, 2018, source
  39. GIAC, Certifications: Pricing, July 17, 2018, source
  40. ISC2, Certified Information Systems Security Professional, July 17, 2018, source
  41. Certifications like the “Associate of (ISC)2” can provide alternative credentials for individuals who lack sufficient work experience for other certifications, like CISSP; however, it is not clear whether employers consider this a useful certification and, of course, it is a moot point when job postings typically require years of work experience in addition to certifications.
  42. Typically, companies set these sorts of standards on their own. But there may be some opportunity to include a broader range of stakeholders relevant to the creation of a healthcare cybersecurity certification (e.g. academia, industry, and government), perhaps through a group like the NICE Training and Certifications Sub Working Group: source
  43. Burning Glass, The Narrow Ladder: The Value of Industry Certifications in the Job Market (Boston, MA: Burning Glass Technologies, 2017).
  44. Cybersecurity Task Force, Report.
  45. Frost & Sullivan, 2017 Global Information Security Workforce Study: Benchmarking Workforce Capacity and Response to Cyber Risk (San Antonio, TX: Frost & Sullivan, 2017).
  46. For one example of this, See: Fairbank Discovery; The 2017 Breach Barometer Report: Mid-Year Review from Protenus, Inc. in collaboration with Databreaches.net also provides a good summary: Protenus, Breach Barometer.
  47. Andrew Chamberlain and Morgan Smart, Why Do Workers Quit? The Factors That Predict Employee Turnover (Mill Valley, CA: Glassdoor, Inc., 2017).
