Table of Contents
- Introduction
- The Case for Crafting a Millennial Public Policy Agenda
- Part I: Millennial Public Policy Symposium
- Part II: Policy Research Papers
- Independent, Not Alone: Breaking the Poverty Cycle through Transition-Age Foster Care Reform
- Data Sharing as Social Justice: How an Improved Reentry Process Can Smooth the Transition for Formerly Justice-Involved People
- Making the Case for Culturally Responsive Teaching and Supportive Teaching Standards
- The Context of Tradition: Evolving Challenges in Federal Indian Policy
- Public Policy and the Poor People’s Campaign: Reducing Inequality through Political Action
- A Public Interest Test in Merger Review
- Beyond Access: The Future of Voting Rights in the United States
- Solutions for the Health Care Cybersecurity Workforce of the Digital Age
- Taking Down Terrorism: Strategies for Evaluating the Moderation and Removal of Extremist Content and Accounts
- Gridlock: Enhancing Disaster Response Efforts Through Data Transparency in the Electric Utility Sector
- Part III: The Millennial Public Policy Fellows
- Selected Pieces from the Direct Message Blog
Solutions for the Health Care Cybersecurity Workforce of the Digital Age
by Dillon Roseen
A fundamental principle of medical ethics spanning as far back as the ancient Greek Hippocratic Oath is that it is more essential for a physician not to harm a patient than it is to do them good. Today, emerging technologies are transforming health care, and, as a result, new threats are emerging that could violate this principle, placing patients directly in harm’s way. As our reliance on technology in health care increases, from handling sensitive patient data using electronic health records to receiving vital signals from implanted medical devices, so, too, does the risk inherent in connectivity.
Health data often include the most private and immutable information of our lives, which makes it all the more alarming that connected health systems are especially vulnerable compared to other sectors. Health care data breaches account for an overwhelming number of the nation’s total breaches. In fact, at 53.1 percent of all the publicly reported data breaches, health care is by far the most breached of all sectors.1 Each of the millions of stolen health records costs health organizations an average of $380, not to mention the time and emotional costs patients must endure following a breach. For comparison, the average cost of a single stolen record for other sectors is $141.2 The total cost of health care data breaches has been estimated to be $1.2 billion, a number that is probably conservative given underreporting and the additional costs associated with negative PR, breach response, and future investments in prevention.3
In addition to the costs associated with stolen health records, cyber-insecure health systems may be unable to deliver life-supporting care. Connected medical devices can carry lethal cybersecurity vulnerabilities—like a pacemaker that was recently recalled4 by the Food and Drug Administration (FDA)—and become vectors for life-threatening or system-disrupting attacks, as was the case in a major global cyberattack last summer.5 If left unmitigated, these cybersecurity threats leave our health care system and the vulnerable patients it supports in danger of suffering from irreversible financial, reputational, and medical harm. That is why it is critical for policymakers to implement a proactive cybersecurity strategy for the health care sector.
This report builds upon ongoing policy research efforts by the New America Cybersecurity Initiative and highlights key points that are especially pertinent to a cohort that will be forced to grapple with future health care cybersecurity threats: Millennials. According to the New America Cybersecurity Initiative’s Do No Harm 2.0 health care report, improvements in health care cybersecurity should be pursued in the following three areas: technology, workforce, and culture. More specifically, health care cybersecurity efforts should seek to identify technological opportunities and challenges facing the health care sector, build the health care cybersecurity workforce of the future, and crystallize a culture of trust between patient and provider by ensuring the privacy and availability—and, therefore, security—of medical information. Together, these efforts will provide solutions for closing the gaps and patching existing problems. They will also, more importantly, articulate a proactive vision for where the health care industry should be in five years. This agenda is constructive rather than reactive and serves to improve patient health outcomes and protect patient dignity in the long run.
Because Millennials are often looked to fill the gaps in the health care cybersecurity workforce, yet generally lack robust training opportunities and sufficient resources to succeed as health care cybersecurity professionals, the focus of this paper is on the workforce stream of the Do No Harm 2.0 report. Thus, this report takes a closer look at the workforce recommendations and provides additional context intended for an audience that may not normally focus on cybersecurity policy.
Box 1
Key Terms and Abbreviations
Key Terms
- Cybersecurity: This report adopts a broad definition of cybersecurity, first offered in the Do No Harm 2.0 report:
Cybersecurity is often thought of as an internal-external paradigm, where hackers infiltrate an organization or a system from the outside and then commit a crime. However, as humans become so deeply integrated with technology in every work flow that they have, cybersecurity actually becomes much more about insider behaviors, interaction with technologies, and securing those technologies from (both accidental and intentional) fraud, waste, abuse, and potential safety-related issues.6
- Health care cybersecurity workforce: The set of individuals in the health care sector whose occupations collectively aim to identify, mitigate, and preempt the exploitation of digital vulnerabilities within the health-IT infrastructure. These individuals include, but are not limited to: Chief Information Officers (CIO), Chief Medical Information Officers (CMIO), Chief Technology Officers (CTO), information security analysts/specialists, cybersecurity professionals,7 and Health Insurance Portability and Accountability Act (HIPAA) Security Officers.
- Electronic health records (EHR): A digital version of a patient’s health chart that includes a complete version of that patient’s medical history from all clinics involved in a patient’s care. EHRs are designed to be shared across different health providers. EHRs are closely related to electronic medical records (EMRs) and the terms are often used interchangeably.
- American Recovery and Reinvestment Act of 2009: A piece of legislation that included incentives for the adoption of EHR in the health system, specifically as part of the provision called the Health Information Technology for Economic and Clinical Health (HITECH) Act. This led to the speedy uptake of EHRs in the health care system, but left many cybersecurity vulnerabilities in the interconnected health record system as a result.
- Apprenticeship: As defined by the Department of Labor (DOL), an arrangement that includes a paid-work component and an educational or instructional component, wherein an individual obtains workplace-relevant knowledge and skills.
- Millennial: As defined by the Pew Research Center, individuals born between 1981 and 1996.
Abbreviations:
CIO – Chief Information Officer
CTO – Chief Technology Officer
DHS – US Department of Homeland Security
DOL – Department of Labor
EHR – electronic health record
EMR – electronic medical record
HHS – US Department of Health and Human Services
HIPAA – Health Insurance Portability and Accountability Act
IT – information technology
NCCoE – National Cybersecurity Center of Excellence
NICE – National Initiative for Cybersecurity Education
NIST – National Institute of Standards and Technology
NSF – National Science Foundation
OPM – US Office of Personnel Management
SBIR – Small Business Innovation Research
Problem Definition
Understanding the challenges facing the health care cybersecurity workforce starts first with a conversation on the broader national and international cybersecurity workforce landscape. Globally, across all sectors, there is a massive gap between the number of open cybersecurity positions and the number of cybersecurity professionals who are hired to fill those positions. This has led to a so-called ‘cybersecurity workforce gap’ or ‘shortage,’ terms used interchangeably in this paper and broadly meant to describe the unmet demand for cybersecurity professionals in the workforce. The 2017 Global Information Security Workforce Study found that the cybersecurity workforce gap is expected to reach 1.8 million by 2022.8 In America, the cybersecurity workforce gap is the result of several key factors.
First, and perhaps most discussed, is the hypothesis that there is an inadequate cybersecurity education pipeline that has led to a skills shortage. Generally speaking, this hypothesis goes on to argue that there are too few people receiving cybersecurity educations, either because there are limited opportunities to receive such an education or because people are not interested in studying cybersecurity (or some combination of the two). For health care specifically, cybersecurity education and training programs are not tailored to the idiosyncrasies within the health care environment. Health care cybersecurity specialists must possess a highly unique set of competencies that fall at the intersection of cybersecurity, health care privacy, and security regulation, most notably around HIPAA. This blended skill set creates a sort of “hybrid job” (to borrow terminology from labor market analytics company Burning Glass) that is generally not taught in a single education or training program.9 This makes it difficult to meet baseline competencies required for cybersecurity professionals to succeed in the health care setting.
Further complicating these issues with training and recruitment, mundane and repetitive tasks occupy much of the time of information security professionals in health care. As a result, retaining cybersecurity talent in health care becomes much more difficult. Policy recommendations aimed at addressing this problem focus on strategies to increase the number of students pursuing a cybersecurity education, including two- and four-year degrees, technical training programs, and apprenticeships, and efforts to create industry-specific tools that would support health care information security professionals.
The second hypothesis regarding the cybersecurity workforce gap suggests that the cybersecurity skills shortage is not actually as bad as it appears. Rather, it argues that there are in fact more qualified individuals with sufficient skills to work in cybersecurity than employers currently appreciate. Put simply, the problem is that there are people in the labor force who have the skills to be employed as cybersecurity professionals, but employers are not hiring them. For instance, many health care providers require applicants to have a specific industry certification, several years’ work experience, and a college degree before hiring them. It is common, however, for individuals to teach themselves the basics of cybersecurity outside of a formal education or certification program; the nature of the profession is very much one of learning through independent self-exploration. Policy recommendations aimed at addressing this problem are centered on aligning hiring practices to better measure the skill level of potential employees and moving away from traditional measures that may underappreciate an individual’s actual level of expertise.
The third factor contributing to these workforce challenges is a problem related to the hiring and promotion of minority candidates.10 Perhaps surprisingly, a recent study found that minority participation in the cybersecurity workforce (26 percent) is actually higher than the workforce participation of minorities in other occupations (21 percent).11 While this initial observation is promising, there are other more insidious factors to consider. For instance, the same study found that the average pay for a cybersecurity professional is $122,000, but is only $115,000 for minorities. This finding is especially problematic when considering that minorities in the cybersecurity workforce have, on average, obtained a higher level of education (62 percent with master’s degrees or higher) than their white counterparts (50 percent with master’s degrees or higher). Still, only 23 percent of minorities hold a position at the director level or above, compared to 30 percent of their white peers. The barriers to equal pay and promotion have particularly pronounced negative impacts on women, who comprise a dismal 14 percent of the total cybersecurity workforce, and in particular on women of color.
Beyond the generally accepted understanding that a workforce should reflect the population it serves, the issues related to diversity in the cybersecurity workforce are problematic for three reasons. First, the anemic workforce needs to recruit and retain talent from every part of society or it misses a deep pool of talent that can help fill the gaps. Second, social science research has demonstrated that heterogeneous teams produce higher quality work than homogenous equivalents.12 Third, from an equity perspective, it is troubling to know that there are systems in place that propagate discriminatory outcomes for minority cybersecurity professionals.
A fourth problem contributing to the health care cybersecurity workforce shortage is explicitly linked to the incredibly tight budgets of most health care organizations, especially small- and medium-sized providers. Whereas other industries that handle similarly sensitive information, like financial services, operate on margins of 15 percent or more, health care operates on margins hovering around 3 percent.13 This limitation restricts the ability of health care organizations to invest in robust cybersecurity protections and recruit highly sought-after talent. Moreover, given a number of competing hiring priorities, health care managers are often compelled to spend limited budgets on nurses, physicians, or other high-need positions rather than on cybersecurity staff.
Box 2
Summary of Health Care Workforce Challenges14
- A global cybersecurity workforce gap exists across all sectors.
- Limited budgets and tight profit margins make it difficult to recruit and retain relatively high-paid cybersecurity talent, especially in competition with other higher-paying tech jobs and flashier defense positions.
- In combination with limited budgets, there is an overarching shortage of critical health care employees, including physicians and nurses, that compels hiring managers to make tradeoffs based on the most pressing hiring priorities.
- Health care cybersecurity work is often mundane, time-consuming, and tedious, turning off potential employees and making it difficult to retain current talent.
- Employees must possess a complex set of hybridized cybersecurity and health care competencies, a rare skill set not often taught in traditional education programs.
- A diversity gap in the cybersecurity community writ large limits the pool of available talent, leads to fewer innovations, and introduces troubling social equity concerns.
Complex and multifaceted challenges like the cybersecurity workforce shortage require equally complex solutions. Thus, a comprehensive solution to the cybersecurity workforce shortage must present strategies that address the myriad of issues described above and create solutions that anticipate where the health care sector is headed over the next five years. The following sections lay out a series of policy recommendations that do just that.
Existing Programs & Policies Aimed at Improving the Cybersecurity Workforce
Many efforts that attempt to mitigate the challenges present in the overarching cybersecurity workforce are currently underway; however, few are designed to specifically address the pernicious issues unique to the health care sector. Because a conversation on the health care cybersecurity workforce is couched within the context of the broader cybersecurity workforce landscape, it is important to first note the programs and policies framing the overarching cybersecurity workforce discussion. In this regard, the following box acts as a non-exhaustive list of some of the most commonly cited cybersecurity workforce development programs and policies.
Box 3
Existing Cybersecurity Workforce Programs and Policies15
Programs
- CyberCorps Scholarship for Service
- Cybersecurity apprenticeships
- Cybersecurity challenges and competitions
- Cybersecurity certifications
- National Centers of Academic Excellence in Cyber Defense (CAE-CD)
- The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework16
Government Policies
- Cybersecurity Enhancement Act of 2014
- Federal Cybersecurity Workforce Assessment Act of 2015
- May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
- June 15, 2017 Presidential Executive Order on Expanding Apprenticeships in America
- (Pending legislation) S.754 – Cyber Scholarship Opportunities Act of 2017
Policy Recommendations
Robust workforce development policies often converge around three distinct aspects of the workforce experience: recruitment, retention, and research. Recruitment strategies are intended to both increase the number of individuals pursuing cybersecurity education programs and also better align health care hiring practices to account for skilled experts who may not have traditional education backgrounds. Retention strategies are focused on supporting diverse hires, who exit the cybersecurity profession at higher rates, and mitigating the “brain drain” through payroll tax incentives. Research strategies are centered on the creation and implementation of health care-specific technologies that would make information security work more meaningful, specifically through existing government innovation funding programs.
Recruitment-Specific Policies
1. The CyberCorps Scholarship for Service program should be amended to allow recipients to serve in specific, critical need sectors like health care.
The CyberCorps Scholarship for Service program is a major federal effort to increase the number of trained cybersecurity professionals who enter the federal government. In exchange for tuition and a living stipend while pursuing a cybersecurity education program, recipients agree to serve in a cybersecurity-related position in a federal, state, local, or tribal government. Only about 3,300 students have entered the scholarship program since 2001, which includes several hundred students who are still in their education programs.17 The placement rate in government for students completing the program is quite high, and about 70 percent of students stay involved in a government position following their service commitment.18 Still, with nearly 200,000 new openings for cybersecurity-related jobs annually, it is clear that CyberCorps has not even come close to meeting the demand for cybersecurity talent, nor should it be expected to provide the sole source of cybersecurity training.19 For health care in particular, CyberCorps is an especially unreliable source of talent because recipients are required to fulfill their post-award service obligation in the government.
Most health providers in the United States are privately owned and operated; in total, 80 percent of hospitals are privately owned.20 Thus, most health institutions are ineligible. This is problematic because, in addition to there already being a small number of students completing the scholarship program, they are not offered the opportunity to fill high-need positions in non-governmental critical national infrastructures, like health care.
With that said, there are ways in which the CyberCorps Scholarship program can be amended to better serve the needs of critical sectors that are particularly at risk, such as health care. There is a bill currently in the Senate (S.754) that aims to do just that. Specifically, the bill would loosen the requirements for post-award service to also include non-profit critical national infrastructures, as defined by the Critical Infrastructures Protection Act of 2001.21 If the post-award service requirement is expanded to include non-profit critical national infrastructures, health care stands to benefit. Nearly 60 percent of community-owned hospitals (or 2,849 total hospitals) would become eligible institutions for the first time, allowing scholarship recipients to enter into the health care cybersecurity workforce upon graduation.22 Even considering the fact that over 1,000 community hospitals with for-profit status would still be ineligible, the move to include nonprofit critical infrastructures is a needed improvement.
Going one step further, policymakers in Congress should consider implementing even stronger incentives to encourage more students to pursue careers in health care cybersecurity. They can do this in the text of any proposed legislation by explicitly naming health care as a high-need critical national infrastructure and providing additional post-scholarship monetary incentives to students who choose to enter “high-need” sectors, like health care. Similar federal programs exist that incent doctors and nurses to serve in high-need rural areas.23
2. The DOL, the National Cybersecurity Center of Excellence (NCCoE), and state and local governments should create and subsidize models for cybersecurity-specific apprenticeships in the health care sector.
An apprenticeship, according to the DOL, is “an arrangement that includes a paid-work component and an educational or instructional component, wherein an individual obtains workplace-relevant knowledge and skills.”24 Already, apprenticeships have been used in contemporary industries ranging from manufacturing to hospitality to transportation. Recently, apprenticeships have been heralded as a game-changing training model that can mitigate chronic workforce shortages in the cybersecurity profession and in health care cybersecurity more specifically.
There are many benefits to adopting apprenticeship models that build the health care cybersecurity workforce. Apprenticeships can be particularly effective at addressing recruitment and retention-related challenges in health care cybersecurity for three reasons. First, there is a clear hiring and promotion schedule that attracts individuals seeking upward mobility throughout their career.25 Second, health providers are better able to retain talent because of the “earn-while-you-learn” model that fosters a spirit of loyalty amongst their employees. Third, and particularly relevant for retaining diverse hires, apprenticeships have an ingrained mentorship component that supports both training and professional development. Health providers that choose to incorporate apprenticeship training models not only create an alternative pathway into the health care cybersecurity profession, they also lay the groundwork for a more diverse and representative workforce.
Despite these clear benefits, implementation of health care-specific cybersecurity apprenticeships is distant. In fact, even the most generalized cybersecurity apprenticeships that don’t account for health care-specific idiosyncrasies are still in an early stage of development.26 There is a tendency for the development of apprenticeship programs to be led by industry players, and for government officials to take a back seat. However, in order to achieve scale, government officials must enact purposeful policy-grounded solutions that encourage a systems-level, public-private approach. To this end, policymakers should develop policies that meet this goal.
First, there needs to be a clear framework that details the requirements of a health care cybersecurity apprenticeship, with guidance on the roles and responsibilities of each relevant actor in the apprenticeship process: intermediaries,27 health care organizations/employers, apprentices, and educational institutions. A critical piece of this process should be creating a set of competencies required for someone to be considered a “health care cybersecurity expert.” NIST’s NCCoE may be best equipped to shape such a standard given its ability to convene a range of stakeholders whose input is critical for success. NCCoE must rely on guidance from a wide range of groups when establishing a standard for health care cybersecurity expertise, including from health care providers, educational institutions, intermediaries, and relevant public-sector entities.
Importantly, there is not a single set of requirements that would be applicable for every apprenticeship across every jurisdiction, and thus these frameworks should largely be viewed as valuable guidance. Policymakers at all levels—federal, state, and local—have an important role to play in shaping the apprenticeship standards that work best for their constituencies, especially considering that around half of these standards are set at the state level. For policymakers looking for a place to start, the DOL’s registered apprenticeships program can serve as a strong example.28
A second step for creating sustainable health care cybersecurity apprenticeships is providing incentives that would scale successful apprenticeship models. Since health care cybersecurity apprenticeships will be foreign to all but the most progressive health systems, incentives help to ease the transition for employers and intermediaries looking to introduce apprenticeships into their hiring practices and business models. These incentives can be constructed in a number of ways, either by providing subsidies directly to employers to help hire additional talent through an apprenticeship program, through tax breaks for providers or intermediaries who adopt new models, or through some newly constructed public service agreement similar to the CyberCorps Scholarship. A wealth of research has been produced on other effective strategies for scaling apprenticeship capacity, including in the Youth Apprenticeship in America and Connecting Apprenticeship and Higher Education reports.29
Retention-Specific Policies
1. Provide payroll tax incentives to health care providers to address the “brain drain” in health care cybersecurity.
Much of the focus around cybersecurity workforce development is rightly centered on recruitment. This makes sense considering 39 percent of health care hiring managers hope to grow their information security staff by 15 percent or more over the next year, more than any other industry.30 Filling seats is crucial, but it is not the only aspect of creating a robust health care cybersecurity workforce. Another important consideration is how to retain newly hired talent to ensure there isn’t a leaky pipeline, creating a perpetual shortage that leads to increased hiring costs. The so-called health care cybersecurity “brain drain” happens when a health system manager spends a great deal of time and money to train a new cybersecurity professional, only to have them leave quickly for another job, often in a higher-paying industry. This is a very real concern for many health system managers because they often see staff leave shortly after getting brought up to speed.31
Why are health care cybersecurity professionals leaving? Social science research finds that there are a number of factors that can affect an employee’s decision to leave, regardless of industry. These factors include pay, work conditions, development opportunities, and the expected level of time and effort required for a job. Additional research on tech-specific retention trends finds that a lack of professional development opportunities, burnout, and a non-inclusive cybersecurity culture can lead to especially high turnover in the tech industry—for instance, average tenure is about three years, with over half of women leaving tech altogether.32
When these lessons are applied to the health care context, it becomes clear why there is a brain drain of cybersecurity talent. Not only are professional development opportunities few and far between, but information security specialists in health care also often lack a clear promotional path. Moreover, workflows in health care can be particularly tedious, time consuming, and boring. For instance, information security professionals are often required to manually audit EHR access logs, a process taking countless hours and requiring little higher-level thinking. Because information security teams in health care are generally small and compete for funding with other core non-clinical departments, employees face a lot of pressure that can lead quickly to burnout. Additionally, the overarching cybersecurity sector has a documented culture of harassment that can disproportionately affect women, leading many qualified women to exit the field.33 On top of all this, higher-paying tech companies and flashier intelligence agencies often actively recruit cybersecurity talent away from health care, presenting an easy exit for those trained specialists who want out.
Given these retention challenges affecting the health care cybersecurity workforce, policymakers should embrace methods to mitigate the factors leading to high turnover. Specifically, policymakers at the federal and state levels should create and fund workforce development programs that provide payroll tax incentives to health care providers who effectively retain cybersecurity talent. Many examples exist that provide models for how to effectively develop these programs, from the 2010 Hiring Incentives to Restore Act to the Tax Cuts and Jobs Act approved by Congress in December 2017. In order to reward health providers who retain cybersecurity talent, payroll tax programs should provide tiered incentives that increase over time. For instance, the longer an individual remains employed in a specific health system, the more money a health system receives as part of the payroll tax program. By creating a tiered model, health providers are incentivized to establish retention programs for their cybersecurity workforce, like professional development or mentorship opportunities. For forward-thinking providers, payroll tax incentives can even be reinvested directly toward the salary of a cybersecurity employee. Reinvesting in this way helps to offset the external pressure from other higher paying industries.
Research-Specific Policies
1. Leverage existing government innovation funding programs to develop next-generation cybersecurity tools specific to the health care sector.
When applications of emerging technologies, like artificial intelligence, quantum computing, blockchain, and natural language processing, are considered in the health care sector, they are most often discussed in terms of how they can help deliver better patient outcomes. It is true that these technologies present incredible opportunities to more accurately diagnose illnesses, empower patients with their own health data, and spot disease outbreaks before they spread. However, the focus on delivering better patient health outcomes misses another equally valuable opportunity for these technologies: better protecting patient data, privacy, and health system cybersecurity. Already, research has demonstrated both theoretical and practical applications of emerging technologies for cybersecurity enhancement. One specific area in the health care sector relates to the tedious and time-consuming task of manually auditing HIPAA access logs, a process that can be largely automated through big data analytics and artificial intelligence. Yet innovations in this space are encumbered by a lack of general awareness and by limited research funding for scaling promising technological applications across the entire health care ecosystem.
This recommendation assumes health care’s continued enhancement of human-computer interactions to augment employee workflows that are tedious, involve large data sets, and/or necessitate speedy responses. For health care cybersecurity professionals, workflows tend to be all three, creating high-pressure situations that fall onto small teams. Stressful environments like this lead quickly to burnout.
To help address burnout while also increasing employee productivity, health systems should look to adopt emerging technologies that can support employee workflows by automating repetitive tasks and quickly sifting through massive patient data sets. In this way, health care cybersecurity professionals are able to pursue more rewarding security projects, like investigating high-level security incidents, researching best practices from other organizations, and producing strategic organizational security plans on HIPAA compliance and digital hygiene. As a result of this shift away from mundane assignments toward projects that require more high-level thinking, health systems are better able to retain their cybersecurity employees. Health systems must continue to embrace emerging cybersecurity innovations, but government must also encourage continued research into technological innovation and scaling of promising solutions. Government innovation initiatives are common, especially in high-tech industries, and models are easily adapted to spur health care cybersecurity-specific innovation.
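The access-log audit that the two preceding passages describe as a candidate for automation can be illustrated concretely. The following is an added example, not code from the original report or from New America: a small rule-based auditor that reads EHR access records and flags the patterns a HIPAA audit reviewer would otherwise hunt for by hand (access without a documented treatment relationship, non-clinical staff reading charts after hours, and one user opening many distinct charts in a short window). The log format, the field names, the `CARE_TEAM` treatment-relationship table and the sample records are all assumptions constructed for the example; a real deployment would pull the same signals from the EHR's audit trail and its scheduling or admission data.

```python
"""Rule-based EHR access-log audit (added example; log format and data are assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, CSV fields: timestamp,user_id,role,patient_id,action,dept.
# Every line is fabricated for this example; no real patients or staff.
SAMPLE_LOG = """\
2018-05-21T08:02:11,u1001,nurse,p500,view,ED
2018-05-21T08:05:40,u1001,nurse,p501,view,ED
2018-05-21T09:15:02,u2002,physician,p777,view,CARD
2018-05-21T22:40:19,u3003,billing,p500,view,FIN
2018-05-21T11:03:00,u2002,physician,p500,view,CARD
"""
# Append a constructed burst: u4004 opens six different ICU charts in six minutes.
SAMPLE_LOG += "".join(
    f"2018-05-21T10:{m:02d}:00,u4004,nurse,p6{m:02d},view,ICU\n" for m in range(6)
)

# Assumed treatment-relationship table: patient -> users with a documented care role.
CARE_TEAM = {
    "p500": {"u1001", "u2002"},
    "p501": {"u1001"},
    "p777": {"u2002"},
    **{f"p6{m:02d}": {"u4004"} for m in range(6)},
}
CLINICAL_ROLES = {"nurse", "physician"}


def parse_log(text):
    """Parse CSV access lines into dicts; timestamps become datetime objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, dept = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                        "patient": patient, "action": action, "dept": dept})
    return records


def audit(records, care_team, bulk_threshold=5, window=timedelta(minutes=10),
          after_hours=(20, 6)):
    """Return a list of findings; each finding names the rule and the user involved."""
    findings = []
    by_user = defaultdict(list)
    start, end = after_hours
    for r in records:
        by_user[r["user"]].append(r)
        # Rule 1: access to a chart with no documented treatment relationship.
        if r["user"] not in care_team.get(r["patient"], set()):
            findings.append({"rule": "no_treatment_relationship", "user": r["user"],
                             "patient": r["patient"], "ts": r["ts"].isoformat()})
        # Rule 2: a non-clinical role reading charts outside business hours.
        hour = r["ts"].hour
        if r["role"] not in CLINICAL_ROLES and (hour >= start or hour < end):
            findings.append({"rule": "after_hours_nonclinical", "user": r["user"],
                             "patient": r["patient"], "ts": r["ts"].isoformat()})
    # Rule 3: bulk access, i.e. many distinct patients within a sliding time window.
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            patients = {first["patient"]}
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                patients.add(later["patient"])
            if len(patients) >= bulk_threshold:
                findings.append({"rule": "bulk_access", "user": user,
                                 "count": len(patients), "ts": first["ts"].isoformat()})
                break  # report each user once
    return findings


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), CARE_TEAM):
        print(f)
```

On the constructed sample the auditor reports three findings: the billing user u3003 reading a chart with no care relationship and doing so at 22:40, and nurse u4004 opening six charts inside the ten-minute window. Rule 1 is the one that does the most work in practice and is also the one most prone to false positives (covering physicians, consults, transfers), so the treatment-relationship table must be fed from admission, scheduling and order data rather than maintained by hand; the point of the example is that once that data is joined in, the review itself is a batch job, not a person scrolling through logs.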
Government funding initiatives like Small Business Innovation Research (SBIR) programs have proven to be effective at catalyzing innovation and job creation through relatively small government investments, cementing permanent technological advances in critical industries.34 Broadly speaking, SBIR grants are awarded by federal agencies to small businesses conducting promising early-stage research and development in fields that are viewed as too risky for private investors. While a number of government agencies administer SBIR programs, the largest source of funding currently comes from the U.S. Department of Defense.
Box 5
Table 4. Examples of government-industry innovation partnerships
- SEMATECH (Semiconductor Manufacturing Technology) Consortium, designed to address unprecedented challenges in the semiconductor industry
- NIST's Advanced Technology Program, which awards funding for high-risk, high-reward research in critical technical areas of national importance
- Partnership for a New Generation of Vehicles (known as the "Supercar" initiative), which partnered the government with three automobile manufacturers to create a clean, efficient, safe, and affordable vehicle of the future
There are several positive effects of SBIR funding on innovation and workforce development. Evidence shows that government-sponsored SBIR projects are particularly effective at spurring innovations that would not have otherwise happened in the absence of funding.35 Moreover, receiving even a nominal SBIR award often leads to additional positive outcomes for award recipients; for instance, SBIRs play a certifying role, signaling to private investors that a project is thoroughly vetted by a trusted government actor. Since private sector investors trust the rigorous SBIR assessment process, many choose to invest even more in an SBIR-funded project. In the absence of a certified SBIR grant, private investors are less inclined to provide additional support.
While SBIR-funded projects do not always succeed in the long-run, even those projects that fail or exit the market create positive economic outcomes. For instance, SBIR-funding is often used to support employees in small businesses, and the training and expertise they gain from an SBIR project will follow them throughout their career. This is especially exciting for health care cybersecurity since the human capital expertise developed through an SBIR project can be leveraged to help address chronic workforce shortages.
Another documented benefit of SBIR-funded projects is a spillover effect that benefits all of society, not just one specific industry. According to research from the National Research Council, SBIR-funded projects create an 84 percent social rate of return.36 This is much higher than the expected 25 percent social rate of return for projects that fail to receive SBIR funding. In other words, SBIR-funded projects are very likely to provide widespread net benefits to society, well beyond the specific aims of a project.
Despite the fact that SBIRs constitute one of the largest and most effective government-industry partnerships in terms of annual budget, there is not enough focus on critical need areas like health care cybersecurity. The Department of Health and Human Services (HHS) is currently one of 11 federal agencies required to set aside at least 3.2 percent of its extramural research and development budget for SBIR projects; more of these funds should be directed specifically toward research on health care cybersecurity innovations.37 To achieve this goal, there needs to be a supportive policy framework that encourages the creation of welfare-enhancing cybersecurity technologies in health care. HHS has wide discretion to set funding priorities, and, as such, SBIR funding should be directed toward the expansion of health care cybersecurity projects. Projects should be selected based on, among other criteria, their potential for commercialization. By increasing SBIR funding for health care cybersecurity in this way, additional tools will be developed that can augment existing technological interventions, and effective cybersecurity platforms and tools will proliferate throughout the health care sector at a faster rate.
Conclusion
This research report explored various dimensions of the health care cybersecurity workforce gap and presented policy solutions aimed at closing it. It began with a brief introduction describing why the cybersecurity workforce issue is a critical part of protecting patient privacy, dignity, and safety while continuing to deliver the best patient health outcomes. The paper then defined the problems surrounding the health care cybersecurity workforce in more detail. Following this problem definition, the paper explored existing high-level cybersecurity workforce initiatives to help frame health care-specific policy recommendations. Next, the substantive policy section of this paper presented recommendations to improve the health care cybersecurity workforce according to a three-pillared framework: recruitment, retention, and research. These recommendations drew heavily from the New America Cybersecurity Initiative's Do No Harm 2.0 report, which presents a series of recommendations that also encompass technology and cultural issues in the health care cybersecurity space. For forward-thinking policymakers, this report can serve as a useful study on how to bridge the health care cybersecurity workforce gap, an urgent issue facing one of our nation's most vulnerable critical national infrastructures.
Dillon Roseen is a 2017-18 Millennial Fellow with the Cybersecurity Initiative at New America. He extends heartfelt thanks to the small-but-mighty Cybersecurity Team: Ian Wallace, Laura Bate, and Robert Morgus. Their support and guidance have been invaluable. He thanks Reid and Melody for building the "MPPF ship" and helping the cohort set sail on this incredible journey.
Citations
- Privacy Rights Clearinghouse, Chronology of Data Breaches Database, May 24, 2018 source.
- 2017 Cost of Data Breach Study: Global Overview (Traverse City, Michigan: Ponemon Institute, 2017).
- Melissa Locker, “These Industries Are the Most Vulnerable to Data Breaches in the United States,” Fast Company, February 7, 2018, source.
- U.S. Food and Drug Administration, “Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication,” August 29, 2017.
- Sir Amyas Morse, KCB Comptroller and Auditor General National Audit Office of the United Kingdom, “Investigation: WannaCry cyber attack and the NHS,” (London: Department of Health, 2018).
- Dillon Roseen and Robert Lord, Do No Harm 2.0 (Washington, DC: New America, forthcoming 2018).
- The terms cybersecurity specialist, cybersecurity professionals, and information security analyst are used interchangeably throughout this report.
- Frost & Sullivan, Executive Briefing: 2017 Global Information Security Workforce Study Benchmarking Workforce Capacity and Response to Cyber Risk, source.
- Burning Glass and General Assembly, Blurring Lines: How Business and Technology Skills Are Merging to Create High Opportunity Hybrid Jobs, May 24, 2018 source.
- We define minority candidates to include women and people of color, and pay particular attention to individuals whose identities intersect both of these aspects of diversity (e.g. women of color).
- Jason Reed and Jonathan Acosta-Rubio, Innovation Through Inclusion: The Multicultural Cybersecurity Workforce (Santa Clara, CA: Frost & Sullivan and (ISC)2, 2018).
- Katherine W. Phillips, “How Diversity Makes Us Smarter,” Scientific American, October 1, 2014, source.
- Moody’s Investor Services, “Announcement: Preliminary FY 2016 US NFP hospital medians edge lower on revenue, expense pressure,” 16 May 2017, source and Aswath Damodaran, “Margins by Sector (US) database,” NYU Stern School of Business, January 2018 source.
- Roseen and Lord, Do No Harm 2.0.
- For further detail on these programs and policies, see Appendix.
- Sharp-eyed readers will note the NICE framework is not strictly a “program” but it is included since it informs many cybersecurity workforce conversations across the public, private, and academic sectors.
- News Release, “NSF awards nearly $5.7M to defend America’s cyberspace,” National Science Foundation, December 20, 2017, source.
- NICE Working Group (NICEWG) Update Call, “Metric Moment – What Gets Measured Gets Done: Scholarship for Service Metrics,” (working group update, NICEWG call, May 23, 2018).
- Cyber Seek, “About Page,” May 25, 2018 source.
- American Hospital Association, “Fast Facts On U.S. Hospitals, 2018,” Health Forum LLC, February 2018, source.
- Critical national infrastructures are defined here according to the Critical Infrastructures Protection Act of 2001: “The term ‘critical infrastructure’ means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
- American Hospital Association, “Fast Facts.”
- Association of American Medical Colleges, “Loan Repayment/Forgiveness and Scholarship Programs,” May 25, 2018 source.
- U.S. Department of Labor, “Frequently Asked Questions about the Apprenticeship Program” May 25, 2018 source.
- Using Registered Apprenticeship to Build and Fill Healthcare Career Paths (Washington, DC: U.S. Department of Labor) 2-3, source.
- Virginia, a state heralded as a leader in cybersecurity education and apprenticeship, did not begin accepting students into its first cybersecurity apprenticeship program until 2017.
- The Youth Apprenticeship in America Today report from New America details the important role that intermediaries play in the apprenticeship ecosystem, namely that intermediaries hold the partnership between apprentice and employer together. Intermediaries can be individuals, non-profits, or for-profit organizations that coordinate the activity of both employers and apprentices, helping to ensure a program’s success.
- Registered apprenticeships are those apprenticeships that meet certain national standards for registration with the DOL or a federally recognized State Apprenticeship Agency. Registered apprenticeships differ from other models because, according to the DOL: 1) participants who are newly hired (or already employed) earn wages from employers during training; 2) programs must meet national standards for registration with the U.S. Department of Labor (or federally-recognized State Apprenticeship Agencies); 3) programs provide on-the-job learning and job-related technical instruction; 4) on-the-job learning is conducted in the work setting under the direction of one or more of the employer’s personnel; and 5) training results in an industry-recognized credential.
- Mary Alice McCarthy, Iris Palmer, and Michael Prebil, Connecting Apprenticeship and Higher Education: Eight Recommendations (Washington, DC: New America, 2017); Brent Parton, Youth Apprenticeship in America Today: Connecting High School Students to Apprenticeship (Washington, DC: New America, 2017).
- Frost & Sullivan, Global Information Security Workforce Study.
- Joseph Conn, “Healthcare struggles to recruit top cybersecurity pros,” Modern Healthcare, October 24, 2015, source.
- Andrea Little Limbago, Increasing Retention Capacity: Research from the Field (Arlington, VA: Endgame, 2017).
- Ibid.
- Charles W. Wessner, “Preface,” in The Small Business Innovation Research Program (SBIR): An Assessment of the Department of Defense Fast Track Initiative (Washington, DC: National Academy Press, 2000), 5.
- Ibid., “Introduction,” 32.
- Ibid., 35.
- Small Business Innovation Research, “About Page” May 25, 2018 at source.