As healthcare technology leaders, one of the critical items on our radar is information security. We know we need a security program. We need people to develop, implement, and maintain our information security plan. Let’s be honest. This is not sexy work. No doctor is going to pat us on the back and say how wonderful two-factor authentication has been. We are not only tasked with the protection of the organization’s information; we must do so with minimal resources. People are the key. Understanding your team’s talent, their professional goals, and aligning those goals with the work to be done creates the momentum for success.
The challenge with most guides for healthcare IT is that they assume we have large IT departments with good-sized, dedicated security teams. This is a bad assumption. There are over 6,100 hospitals in the United States. 24% are rural, critical access hospitals with fewer than 25 beds. There are many ways to “size” hospitals. In general, the buckets are:
• Small hospitals contain fewer than 100 beds
• Medium hospitals contain between 100 and 499 beds
• Large hospitals contain 500 or more beds
More than 80% of the 6,100 hospitals are small or medium in size. It stretches the imagination, and the budget, to think that hospitals with lower bed counts have large, dedicated information security teams. If even 50% of us are securing our data with cross-functional resources rather than a dedicated team, we need to get creative. We need creative people.
Small hospital information security strategy
Since so many of us are in the same situation, there must be common threads to our success. In visiting with my colleagues and from my own experience, three keys to success are:
1. Standards-based framework - According to a CHIME survey, 78% of us are using the NIST Cybersecurity Framework. This makes a great deal of sense, especially for smaller hospitals. Selecting a well-known framework on which to base your information security program gives you access to many ready-made tools and resources.
2. Hospital leadership sponsor - An executive who cares deeply about risk is an indispensable ally. Information security programs bring unpopular changes. Aligning the program’s efforts with Joint Commission readiness work, financial audits, and other reviews already happening in a smaller organization uses organization-wide resources wisely and allows executives to support both efforts at the same time.
3. Entire IT team involvement - Smaller hospitals are lucky to have one dedicated information security person. This means that the whole information technology team needs to get involved in the program, receive basic training, and understand which parts of their work include information security. Total team involvement is the only way to get so much work done, at a measured pace, over the long term.
Information security career path
None of this can happen without people. Even smaller IT organizations can develop an information security career path. The average information technology person stays in their position for three years. If you can get a person to stay with your organization for five to seven years, you have gotten a real return on your investment. There are four things to keep in mind when building these career paths:
1. Build the entire career path now - Many times, I see managers write only the single position description for which they have been approved. This is a mistake. Take the time to develop the entire career path, including where you will use outside resources. Even if you do not fill these positions now, you will understand each role and how it snaps into the plan.
2. Start with desktop support - Often, there are front line team members eager to move into information security. They have wonderful knowledge of our organization and great customer relationships. Internal promotions contribute to high team engagement.
3. Not everyone wants to be a manager - Many people are very uncomfortable holding someone else accountable for completing their day-to-day work and confronting them about behavior changes. Ensure the career path you lay out gives people the financial option of staying an individual contributor.
4. Certifications matter - All the research and hiring data of the last several years prove that certifications matter, nowhere more than in information security. Make certifications preferred or required as appropriate for each position. List the obvious ones from ISC2, SANS, and CompTIA. There are other organizations as well, and some will align better with your organization. Get the point across that certifications matter and that you expect people on your team to stay sharp.
Designing, implementing, and managing an information security program in a smaller hospital is possible. It takes focused effort on the part of the leader of the IT team, career pathing, and drawing on the strengths of the entire group. This is not an “IT” problem and will not be “solved” by IT, but we will lead the way. It does not necessarily take ten people, but it does take creativity and the entire team’s engagement.