What does your role as a senior cybersecurity architect entail?
It’s a very broad role. I’m trying to keep up with cybersecurity threats globally, not just in healthcare. Really, whatever is happening on this planet is likely to happen to us.
My role is not just to understand that on a daily basis, but to understand how we can reduce it in the context of an academic medical center or a large health system. That includes keeping up with the many cybersecurity tools and solutions available to help. It’s also about understanding the people and processes involved in enhancing those things.
It’s hard to take a day off in the cybersecurity field, because it could be a big day. You’re almost permanently attached, but you do it because it’s the hot job.
Do health systems have dedicated cybersecurity programs? Is Dartmouth Health doing something different that other systems can benefit from?
I’d say all hospitals have a program at this point. The real question is whether they have dedicated cybersecurity resources.
I’ve heard numbers fluctuate [when it comes to how many U.S. hospitals lack a dedicated cybersecurity employee]—probably 75% or maybe ’90s. But I’ve talked to many hospitals and I’m pretty comfortable [saying] it’s definitely in the three-quarter range up there. That’s a scary prospect, given the depth of a hospital cybersecurity program. That is done by committee in organizations that lack the full-time resources, and it only adds to the stress of the people there doing other work.
We are fortunate to have dedicated cybersecurity resources at Dartmouth Health.
Filling cybersecurity positions is a challenge across industries, including healthcare. How has Dartmouth Health addressed the national cybersecurity workforce shortage, and what strategies have you found to be effective?
Network security work [requires] Institutional knowledge takes years to cultivate and is difficult to outsource. It’s hard to attract someone new from the outside who’s really only here with a short-term commitment. It goes back to retaining our skilled employees.
I don’t think there’s a hospital in America that doesn’t consider wages. Trying to be as competitive as possible on salary is important. It’s also about what we can expand on flexible working options. I think there was some anxiety at first because you’re talking about patient data flowing out of the hospital and possibly into someone’s home where they are working remotely. It’s really hard to accept, but I think we’ve done it over the last few years. I think all the hospitals have done that, and that’s something that we can expand on.
Download Modern Healthcare’s app to stay informed when there’s breaking industry news.
Another strategy is to think about career advancement. [It’s important for systems to consider] How we can train you, how we can educate you, and how we can help you become a highly skilled person who will become a great cybersecurity resource. Then the important thing is how we can recognize the work you do.
The work of cybersecurity in hospitals is often in the dark, but we must recognize the work of anyone who is willing to get up every day and come to work in a hospital.
What are the incentives for health systems to give full priority to cybersecurity?
I think the biggest leverage we’ve seen over the last few years is cybersecurity insurance. It’s the mainstay of any hospital’s cybersecurity program. Cybersecurity insurance has evolved over the past few years in terms of its expectations of what a hospital security program should look like. So it’s a key driver of change in every hospital and has directly impacted hospitals’ perceptions of cybersecurity programs and staff.
