It’s an understatement to say the healthcare industry was forced to grapple with cybersecurity last year. Cyberattacks against healthcare organizations spiked in 2020 alongside the COVID-19 pandemic, prompting the FBI, HHS and the Homeland Security Department to issue a joint warning that hackers were targeting healthcare with ransomware attacks.
So it’s no surprise that cybersecurity topped the list of services being assessed this year, with 100% of hospitals in Black Book’s survey considering outsourcing cybersecurity in 2021—a significant jump from Black Book’s earliest data in 2015, when just 16% of hospitals had done so.
Cyberattacks have only gotten more sophisticated in recent years, said Theresa Meadows, senior vice president and chief information officer at Cook Children’s Health Care System in Fort Worth, Texas.
“The challenge for us, across healthcare, is that a lot of our cybersecurity teams are really small,” Meadows said. “It really depends on the size of your organization, but most need additional help.”
Cook Children’s, like many hospitals, uses a small in-house team alongside outsourced services to tackle cybersecurity.
That has included outsourcing services such as monitoring the health system’s IT systems and conducting HIPAA risk assessments of possible business associates.
“There’s no way that we could staff enough people to run an operations center 24/7,” Meadows said. That would have required hiring an additional 10 or more cybersecurity staffers, all of whom would need salaries, benefits, training and ongoing education—not to mention the time it would take to recruit multiple workers with the right technical skills.
That’s in part because of a shortage of qualified cybersecurity workers.
Across industries in the U.S., there’s a workforce gap of roughly 360,000 cybersecurity professionals, according to a 2020 report from cybersecurity professional organization (ISC)². At health systems, specifically, it takes 70% longer to fill cybersecurity job openings compared with other IT jobs, according to a separate survey of HR executives from Black Book.
Because it’s difficult for hospitals to build cybersecurity programs capable of managing the range of threats they’re facing, it’s likely the healthcare industry will see an uptick in outsourcing as a way to fill in those gaps in 2021, according to Rebhan. Cybersecurity is “mission-critical” for patient safety, he added.
Some hospitals are even tapping companies for “virtual chief information security officers”—essentially outsourcing the role to consulting companies that assign a person or team to advise and manage information security at the organization.
It’s particularly difficult to recruit CISOs in healthcare, since hospitals are competing for executives against companies from other industries, Brown said.
A virtual CISO contracted from a company can be helpful for smaller organizations that don’t necessarily need a full-time executive in that role, Meadows said. “In the ideal world, the CISO would be somebody that you would employ and have on your staff full time,” she added, but not every organization has the budget to do so.
Cook Children’s, as a larger health system, employs its own CISO, Meadows said.