One of the most challenging health system roles to fill doesn’t provide direct care to patients but, rather, makes sure people can see their providers without a hitch.
Healthcare cybersecurity staffers are in demand as the industry becomes a growing target for hackers. Health system leaders told Becker’s that they focus on cultivating talented employees who might not have a cybersecurity background and training them in-house, as well as hiring people aligned with the mission of healthcare.
“When you’re looking for a security engineer, a threat hunter, an incident response person, it’s really hard to find that person with experience in healthcare,” said Frank Sinatra, vice president of IT and chief information security officer of Newark, N.J.-based University Hospital. “These guys are generally working for third-party service providers and others, so we really have to develop our own talent.”
Working for a state-owned urban hospital, Mr. Sinatra also has to keep salary considerations in mind when seeking an employee with a broad array of cybersecurity skills. “You’re not finding someone who can do all that for under $100,000,” he said. “You’re looking at more like $150,000, and that’s not the salary we’re paying.”
To fill a manager role for his three-person team, Mr. Sinatra found an individual with programming and coding experience, then taught him the cybersecurity part. Mr. Sinatra also wanted a candidate with the drive and tenacity to “not lose” and to “take it personally” when the organization is threatened.
“So far it’s worked, because that person, he’s my main manager of security operations and response, and he has developed some great automation to vet the thousands of alerts we get,” Mr. Sinatra said. “He’s delved into different areas and found security flaws in the configuration of different things. And above all, he has the personality of someone who takes it seriously to safeguard the organization.”
Mr. Sinatra recommends other health system leaders “look outside of traditional security people and roles and experiences” and ease job requirements such as years of experience and certifications. Recruits also need to be self-starters, continuous learners and intellectually curious, he said.
“You can’t have a security engineer waiting to be told what to do,” he said. “They need to go out there and learn the environment, understand what’s not normal, and know how to investigate it, to determine if it’s a threat or if it’s not, and do that efficiently, because if you don’t you can go down a rabbit hole. You can look at one thing for hours and never be satisfied. You have to know when there’s a good probability that this is not a threat anymore and move on to the next thing.”
Melissa Rappl, chief information security officer of Omaha-based Children’s Nebraska, said she has focused on building a team that is not only technically proficient but also focused on the health system’s mission.
“Looking back, I’ve realized that our most effective strategy combines strategic hiring, solid operations, and a culture of ongoing learning,” she said. “What truly distinguishes our team is our commitment to learning and engaging with others. By participating in industry events and leading exercises with partners like CrowdStrike, we’ve prioritized being prepared and collaborating across functions. These experiences sharpen our skills and strengthen our relationships throughout the organization.”
When giving feedback to vendors or addressing her fellow executives, Ms. Rappl also aims to model the “clarity and integrity” she expects from her team. “Together, these strategies have helped us build a cybersecurity team that is resilient, respected and ready for what’s next,” she said.
Cybersecurity staffers at West Reading, Pa.-based Tower Health worked their way up through the organization, coming from IT support, infrastructure and clinical engineering.
“It was a matter of working on getting appropriate training and coaching seminars, just basically teaching them what they needed to know from the security side,” said Terry Grogan, vice president of IT assurance and chief information security officer of Tower Health, which has a cybersecurity staff of five and an identity team of six. “But they had the foundational information for the most part, from other jobs they did in IT.”
She has used Certified Information Systems Security Professional certification training and brought in third-party consultants like Gartner.
One challenge has been finding recruits willing to work on-site, even on a hybrid basis. Ms. Grogan said she believes face time with clinicians is important for cybersecurity staffers. Still, she doesn’t plan to hire consultants, who tend to be either too rigid or too risk-averse.
She also has to be clear about the specifics of working in healthcare cybersecurity. For one, it operates 24/7. It can also lag behind some other industries on the technical end of things.
“That seems to be some of the shock I see, especially if I bring in a security person outside of healthcare who’s never been in healthcare. They come in and they’re like, ‘What do you mean we’re running servers that are 15 years old or network switches that are 20 years old? What do you mean we’re still running Windows 2003?’ You find folks shocked by the technical debt in healthcare.”
Ms. Grogan also had success at a previous health system bringing in temporary employees on a “try-before-you-buy” basis, via headhunting agencies, before hiring them full time.
“I don’t build cybersecurity teams by buying talent,” said Jason Elrod, vice president and chief information security officer of Tacoma, Wash.-based MultiCare Health System. “I build them by finding people with courage and curiosity, then giving them the clarity and ownership to grow. Skills can be taught. What matters is mindset and mission alignment, especially when that mission is protecting patients and the health system.”