search.noResults

search.searching

saml.title
dataCollection.invalidEmail
note.createNoteMessage

search.noResults

search.searching

orderForm.title

orderForm.productCode
orderForm.description
orderForm.quantity
orderForm.itemPrice
orderForm.price
orderForm.totalPrice
orderForm.deliveryDetails.billingAddress
orderForm.deliveryDetails.deliveryAddress
orderForm.noItems
CYBER CORNER


Cyber Expert Staynings: New Regulation May Help Boards of


Directors Prioritize Cybersecurity Healthcare Innovation sat down with cyber expert Richard Staynings to discuss the current cybersecurity talent drought and the importance of educating CEOs and boards of directors about cyber risks By Janette Wider


A


ccording to Cyber Seek—a tech job-tracking database from the U.S. Commerce Department and the


trade group CompTIA—there are about 464,420 total cybersecurity job openings in the U.S. As healthcare organizations are continuously seeing increases in ran- somware attacks, this shortage of cyber talent can put healthcare organizations at risk—but why is there such a shortage and what can healthcare organizations do to promote a better understanding of why cybersecurity professionals are vital to leadership? Richard Staynings, healthcare technol- ogy and cybersecurity strategist, thought leader, expert witness, and chief security strategist York


for New City-based


Richard Staynings


Cylera, sat down with Healthcare Innovation Managing Editor Janette Wider to dis- cuss the cybersecurity talent drought specifi - cally in healthcare.


Why do you think that there is such a lack of cyber security talent in healthcare organizations, specifi cally? I think there are a number of factors that have contributed to the current situation. Firstly, market demand has taken a very steep rise over recent years. So, there’s been a latent recognition of the fact that we need more security professionals, particularly in our hospitals, than was the previous situation. That’s been brought around by changes in risk posture, changes in the negative impact of cyberattacks like res- titution fi nes and damages, which makes


28


failure to implement cybersecurity much more costly, and therefore, much more relevant to boards of directors than it was previously. The second factor is that healthcare has historically had a cybersecurity defi cit compared to fi nancial services and other industries that 20 years ago recognized the signifi cance of cybersecurity in order to protect their business, their business reputation, their business value, and their bottom lines. It’s immediately apparent if I transfer a million dollars out of someone’s account in a bank, that money is gone. It’s less apparent if I transfer a million patient records out of a hospital that they have been stolen. And in many cases, things like identity theft take many years before the FBI and others are able to triangulate multiple people that have had their iden- tity stolen back to the original source. If that source is a hospital, then the CEO is probably retired by that point, and some- one else is sitting in the big chair. So, we have this latency in healthcare, which is making it diffi cult to understand the true signifi cance and impact of breaches when they occur, particularly if they don’t have the cybersecurity capabilities in the fi rst place to recognize that they’ve actually had an attack. And for the last 20 years, many hospitals have lost massive amounts of PHI, and were totally ignorant of the fact that anyone had stolen it, but this is getting better.


How can healthcare organizations promote a better understanding of the need for cybersecurity professionals to leadership? We need to do a better job of educating CEOs and boards of directors on the need for cybersecurity. It’s an education process.


hcinnovationgroup.com | NOVEMBER/DECEMBER 2021 Janette Wider


Many board members of health systems can’t even spell cybersecurity, let alone understand it. So, there’s a generational gap there. We’re beginning to get some diversity of talent into healthcare, now we’re seeing more women on boards of directors, we’re seeing more minorities, and we’re seeing more technology and cross industry specialists, not just the retired general and the chairman of the local business board or whatever it is. We’re beginning to get people that are com- ing in from other industries and the people that can spell cybersecurity onto boards. But it’s still not a priority because there are so many other priorities in healthcare, particularly with COVID.


What will drive hospital CEOs and boards of directions to prioritize cybersecurity? New regulation. We saw some minor updates


to The Health Insurance


Portability and Accountability Act of 1996 (HIPAA) through The Health Information Technology for Economic and Clinical Health Act (HITECH Act) and the Omnibus Rule. Perhaps it is going to take changes to the Joint Commission, which deals with patient safety, to say cybersecurity is now one of your major concerns around patient safety. It’s no longer about people slipping on a wet fl oor or other clinical errors as a result of failures in healthcare. Maybe we need a new regulation that manages pri- vacy and security and healthcare systems. Regulation was what drove cybersecurity back in the early 2000s and late 90s. I’m not a big fan of regulation, but perhaps that’s what it’s going to take. There seems to be, even though we’ve got ever rising litiga- tions against healthcare entities, the mes- sage doesn’t seem to be getting through.


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32