Healthcare Cybersecurity. PHOTO: Cybercrime Magazine.

Healthcare Organizations Staff Up To The Cybersecurity Challenge

Worker shortage persists, pipeline improves

David Braue

Melbourne, Australia – Dec. 1, 2022

Healthcare providers must all secure and protect their patients’ data, but the broad spectrum of security capabilities among healthcare companies means many smaller businesses will struggle to keep up despite progress in reversing the expansion of the cyber skills gap.

That progress has been delivering real improvements in the cyber security skills pipeline, Paul Connelly, CISO with Fortune 100 healthcare provider HCA Healthcare, recently told Cybercrime Magazine.

“We’re starting to see the beginning of the effects of some of these programs to try to get people interested in this field earlier,” Connelly explained.

While historically many people would go into IT and move laterally into cybersecurity, he said, “now it seems like people are getting into the security side earlier.”

“Whereas we used to always be looking for people that already had a certain number of years’ experience, now we are doing much more with internships and people coming right out of college, and trying to develop our own skills mix within the team.”

That doesn’t mean it’s easy to fill job openings — but healthcare does, he added, have a “secret weapon” in that potential employees like the idea of being affiliated with an organization that is doing noble work for others.



“We have a lot of people who are just very passionate about the fact that not only are they in cybersecurity and fighting bad guys, but they’re doing it for an organization that’s taking care of people,” Connelly said. “I do think that attracts people into healthcare as well.”

Yet other considerations are preventing the playing field from being as level as it might be, pointed out Gordon Lawson, CEO of cybersecurity firm Conceal, who noted that many smaller healthcare operators are struggling with outdated, vulnerable systems and a lack of resources to fix them.

“Not all hospital systems are built the same,” Lawson explained, noting that while the large size of HCA Healthcare has helped it build “an incredibly robust SOC [with] some of the most talented cyber defenders I’ve ever seen,” many smaller healthcare systems “don’t have the resources to staff up like that.”

Such providers tend to lean heavily on outside service providers — yet that, Lawson said, “leaves them very reliant on a service provider or other resources to make sure that they’re at the right levels to provide that defense within the organization.”

Even larger providers depend heavily on outside firms, Connelly pointed out. “Most healthcare organizations are very networked,” he explained, “and we really have to depend on the third parties that we work with to do their part in protecting our systems and our data, as well as the security of medical devices.”

Yet that can be difficult given the complexity of the healthcare ecosystem. “Even just the basic hygiene can be difficult,” Connelly explained. “The smaller the system, the more difficult it is even just to take care of basic patching and operating system upgrades and things like that.”

“At the end of the day, it’s not only patient safety, but patient trust that’s at stake.”

Healthcare is a target, no matter how large

Although complex software supply chains offer attackers a broad range of potential means of ingress into a target network, a highly top-heavy healthcare software industry means attackers can target just one or two major systems and potentially breach a large number of healthcare providers.

Exacerbating these challenges is the sheer breadth of use cases — with a broad range of staff accessing data in the field, through various devices, with an urgency that is prone to shortcut-taking or human error.

“The plethora of data that healthcare organizations have is a very strong target,” Lawson said. “Whether you’re a doctor or a nurse or an administrator, you are online and interacting with the data every day — so I think that vector allows for some vulnerabilities as well.”

“But there’s an expectation that hospitals are going to be up and running, and providing great service, and protecting people’s information and their personal data,” he added. “And that’s a high bar for any organization.”

True to conventional wisdom, Connelly said a key element of meeting that challenge lies in the ability to engage the board and spur real action around cybersecurity. Within HCA Healthcare, he said, increasing board awareness over the past six to seven years has “really ratcheted up the awareness and understanding of cybersecurity among our board members through training.”

That training — including a tabletop exercise around a hypothetical ransomware attack — has helped the team increase the frequency of cybersecurity updates and increased the board’s awareness of the imminent risks that every healthcare provider faces.

“We have really tried to make them aware, and they recognize it as a key risk in the healthcare industry,” Connelly explained. “So, they give it a lot of attention.”

Moving forward, however, increasing executive awareness only validates cybersecurity’s importance: actually resolving the challenge will, Lawson noted, require ongoing efforts to recruit future cybersecurity specialists.

Red/blue team events, hackathons and other high-school programs provide “vital” hands-on practical experience, Lawson said, adding that he is “encouraged seeing what is out there and how kids can get into this — and not just kids, but mid-career professionals who realize that if you can get into cyber, you really can have a very nice career for a long time.”

Importantly, however, healthcare organizations also need to work together to increase the industry’s overall security capabilities — including both technological controls and access to security staff.

“We need to be able to make sure that smaller organizations are also able to recruit, and that there’s enough folks out there to go to those as well,” Lawson said.

“We’re all in this together,” Connelly agreed. “Not everybody has the resources of larger organizations, but I’m a strong believer in the Health-ISAC and the other ways that we share information and support one another.”

“There really aren’t competitors when it comes to cybersecurity,” he continued. “We all want to benefit, and anything we can do to help anyone else, we want to do that.”

David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.


About Conceal

Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.

With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.

Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.