ABSTRACT
In this paper, we describe the cyber security workforce in the healthcare industry. The cyber security workforce has emerged as one of the most vital services to safeguard any sector. It needs to be strengthened with proper training and awareness. There are a number of difficulties in the path of cybersecurity workforce development. This paper discusses various training sessions and awareness programs for creating best in class professionals. Different workforce development strategies are elaborated in this paper. Various issues and other blocking factors are also analyzed in the paper.
INTRODUCTION
Cybersecurity refers to the technologies used and techniques implemented to protect data and information systems against any malicious activity like theft, malware or spyware attack or any other type of compromise [6]. The cyber security workforce comprises highly skilled professionals who can deal with any adverse situation and respond with minimum delay. The pervasion of technology in every sphere of life has drastically increased the need for protection of these resources. There is an urgency to develop a skilled and capable workforce to face challenges of the future [6].
Building a cybersecurity workforce for any organization looking to safeguard its information systems needs careful planning and execution. It involves assessment of the current security situation of the organization, planning the security team on the basis of requirements and then actually building the team and network for its operations. There are various certification and professional courses started by the government to create highly able staff. Cybersecurity talent management programs not only help organizations in their hiring solutions but also give a definite path to people looking to make their career in this field [3].
There are several challenges lying in the path of development of a future ready workforce. The workforce for cyber security has seen people from varied backgrounds. Some people from non-technical backgrounds like lawyers, healthcare professionals and college dropouts are also able to generate good interest levels in this field [6]. It is difficult to set a skill set for this workforce. It is a lot more than just hiring best technical people. An effective system needs broad diversity of roles [6].
The Department of Homeland Security (DHS) provides a cybersecurity toolkit which helps to create a workforce framework. It describes cyber security work responsibilities. It provides a toolkit for organizations to build competency models and training programs [13]. The content of the product has taken inputs from industry as well as academia. Development of a capable workforce needs a good level of education as well as industry support.
Cybersecurity Workforce in Healthcare Industry
The healthcare industry has always been up to the mark in providing superior quality health services to the people. But it has suffered attacks like data breaches and system malfunction in the past. Patient history, insurance and payment details and other health related information are very crucial and confidential. Any attacker can gain access to a hospital’s system to corrupt data and retrieve highly sensitive information. It is essential to deploy a workforce dedicated to securing data even in the healthcare sector. A new branch of the health industry called Health IT promotes the use of IT services in providing world class services [10].
The significance of cybersecurity can be mapped to the health industry by the number of attack incidents that have occurred in the past. No facility is secure until it is made so. Educating people about the importance of data and its protection can greatly increase the count of people wanting to be in the cybersecurity field. Technological advancement enables superior quality healthcare efficiently, faster and cost effectively [10]. Health IT has transformed paper records into digital records and paper prescriptions into online medical advice, and a patient’s insurance procedure can now be completed online. A patient’s medical records can be shared on the network in order to seek expert opinion. But using technological tools involves technological risks. All these need to be secured from cyber-attacks. The aim is not to make healthcare staff cyber security experts but to raise awareness about the subject among the general population [10]. Cybersecurity workforce development programs encourage people to think before they take any action.
Various cyber security awareness and training programs have been devised by different education and defense organizations to educate employees against data breaches and cyber-attacks. Some of the programs are discussed below:
Stop. Think. Connect
The U.S. Department of Homeland Security (DHS) has launched a campaign ‘Stop. Think. Connect’ to make people think before they take any step [10]. This program stresses shared responsibility in the protection of digital assets. It focusses on training people on what a possible cyber-attack may look like and methods to avert such incidents. Medical records and other important information are sent in and out of the organization. Any person sending data on the network should be aware of the security checks that should be performed before hitting the send button. Any suspicious activity, for instance, unauthorized access to any area or system by someone, should be reported. Dubious mails or software updates should be carefully examined before replying or making any changes to the system. This training program functions as one line of defense in a defense in depth procedure to reduce an organization’s risk profile and fulfill compliance requirements [10]. Creating a cybersecurity workforce is not like creating a product; rather, it is like creating a service. It needs time and practice.
The NICE Cybersecurity Education Framework
The National Initiative for Cybersecurity Education, in collaboration with the National Institute of Standards and Technology, has developed a program called the NICE Cybersecurity Education Framework [12]. It is the foundation for defining and implementing healthcare sector related cyber security functions, job responsibilities and roles [12]. This program has a proper curriculum and offers specific certifications to people working in the health industry. It provides education, training, awareness and professional development on issues related to cybersecurity. The goal of NICE is to build a highly capable and skilled workforce which can promptly handle vulnerabilities and respond to a dynamically increasing array of threats [12]. The NICE framework is organized into seven categories, with each category relating to a specific cyber security expertise. These categories are [12]:
Securely provision: It includes information assurance, software engineering, technological demonstration, tests and evaluation.
Operate and Maintain: It focusses on data administration, security management, knowledge management, technical support and systems security analysis.
Protect and Defend: It comprises incident response, computer network defense and vulnerability assessment and management.
Investigate: It deals with digital forensics and investigations.
Operate and Collect: It consists of cyber operations planning and collection operations.
Analyze: It includes cyber threat analysis, exploitation analysis and all source intelligence.
Support: Strategic planning, legal advice, policy development, education and training come under support.
It seeks to develop all hazards situational awareness and information sharing protocols within all departments of the healthcare industry. It also deals with developing role based job responsibilities, functions and competencies [12]. This program aims to remove various confusions related to cyber security norms and processes. Identifying, assessing and managing vulnerabilities in the health sector remains the center of focus for any organization trying to streamline cybersecurity [2].
HITRUST Security Program
Cybersecurity can be defined as the ability of an organization to protect its information environment on the global domain [8]. Information security and information assurance are two separate components which are under threat. Securing the available information from any outsider and making the information available to authorized personnel are the major targets of implementing cybersecurity measures. For a robust security policy, three key issues must be addressed: threat modelling, threat intelligence and collaboration [8]. Threat modelling is achieved by risk analysis and defining a control threshold from an appropriate security framework [8]. The security framework ensures people follow processes and implement best regulatory and legislative practices. Modelling threats also enables identifying risks and helps in the avoidance and reduction of risks. Creating a model structure properly addresses security policy definition, measurement and reporting and other crucial parts of a security program. As technology is ever changing, the attacks are also advancing fast. Threat intelligence facilitates understanding of risks and cyber-attacks. Collaboration with other private and public sectors will help the organization to address these risks and threats more effectively and efficiently [8]. The HITRUST Risk Management Framework (RMF) provides several features. Some of them are described below [8]:
A control framework is created which consists of a consistent set of requirements which are updated at least annually to keep risks relevant and up to date.
A set of risk based requirements is created keeping in mind the specific risk factors.
An implementation level maturity model to control assessment and evaluation is created.
The Health Industry Preparedness Cyber Threat Summit organized by HITRUST in 2013 discussed numerous topics for the evaluation of how prepared the health industry is for any attack on its digital data. The summit also proposed to conduct an industry wide cyber-attack and response exercise to calculate the effective response time and analyze the reaction of staff towards such an attack. Such exercises assess not only the processes of an organization but also help in understanding the preparedness of information systems, medical devices and other technological resources [8]. It serves four main purposes:
Gives a better picture about cyber-attack response readiness.
Measures the HITRUST risk management framework and its areas of improvement.
It helps to co-ordinate an organization’s current response and understanding with the U.S Department of Health and Services.
Valuable research and results on different attack situations and appropriate response can be documented for future use.
CompTIA Cybersecurity Certification
CompTIA is a provider of vendor neutral IT certifications [4]. The certification programs aim to train the workforce to combat cyber-attacks and risks. The CompTIA certification is a comprehensive program which includes assessment of knowledge, skills and abilities pertaining to the field. It is valid for a particular time period and needs recertification after the time period expires. The recertification will have course content as per the latest technology and scenarios. Research shows that 55% of the security breaches occur due to human error, which emphasizes the role of workforce development in protecting data and information resources [4]. CompTIA works with the NICE (National Initiative for Cybersecurity Education) campaign to bring awareness to the population about the adverse effects of data loss and misuse. The main components of the campaign are national cybersecurity awareness, formal cybersecurity education, cybersecurity workforce, cybersecurity workforce training and professional development [4]. The Certified Academic Partnership Program (CAPP) offers a wide range of opportunities to college students and universities to be part of this dynamic industry of cybersecurity. The institutions for training staff in hospitals and related organizations can offer this partnership program with CompTIA to provide a gateway for recruitment in the cybersecurity workforce.
CERT Approach to Cybersecurity Workforce Development
The CERT approach talks about a circular model of workforce training and development [7]. The learning program is a continuous cycle. There are three major development areas of this program, which are followed by a final evaluation phase [7].
Knowledge building: It focusses on learning and understanding of basic and advanced level concepts of each topic. It is the foundation for the next phases of training. Knowledge is imparted in two major ways. Traditional classroom training and online training programs are available for workforce development. Online training programs are more in demand these days as they are cost effective and can be easily accommodated in the busy schedule of any person wanting to learn these skills. Also, online training can run at a pace suitable to the individual. The absorption of knowledge in online training may be slow but is more productive.
Skill building: It deals with providing practical experience of the knowledge learned in the first phase. Hands-on experience of the skills developed through knowledge is provided to the individual. The advent of automated tools has greatly reduced the need for highly skilled people, but it is still a necessity to develop the analytical ability to perform skill related activity in the most professional manner. Cybersecurity skills can be efficiently developed through exercises focused on transforming knowledge into abilities to apply it [7]. In this phase, the exercise environment is controlled and involves two systems: one to generate network patterns and the other to capture them. Packet capture, packet capture filters and identifying network protocols are key exercises taught in this phase.
Experience building: The main target of this phase is to make individuals apply their learned skills in unfamiliar and uncontrolled environments to give them a taste of the real world. It aims to maximize performance by creating an environment similar to real job responsibilities. Complex and unpredictable environments are presented to people to refine their knowledge and skills. Large quantities of traffic, multiple networks and other unpredictable scenarios are some cases which will need application of skills to control the situation.
Evaluation phase: It assesses professional development. It tests knowledge and skills proficiency. Instructional objectives are used as metrics to measure the performance. For instance, if given access to network monitoring devices which can capture normal and abnormal traffic then, the ability of the student to identify web server vulnerabilities and use of intrusion detection system serve as evaluation basis for knowledge and skills.
This training program can help any staff member in the health industry to learn how to avert a possible attack and respond if such a situation arises.
Cybersecurity Workforce Development Products and Techniques
Several security bodies across the nation have developed products which organizations can use to train their staff members. Some products are elaborated below.
NICE Component 3
According to the National Institute of Cybersecurity Education (NICE), the workload for cybersecurity professionals is increasing faster than the skills of these people. There is a dire need to address the demand issues and fill the workforce gap [9]. Component 3 of NICE has researched Workforce Planning. It emphasizes that workforce planning is the systematic way of identifying current human capabilities (supply), determining future human capital requirements (demand) and developing strategies to fill the gap between demand and supply [9]. An organization can implement this technique in four different stages [9].
Define and identify workforce positions: Identify functional roles and develop competency levels and skills suitable to the needs of the organization.
Conduct supply analysis: This phase creates analytical tools and validates outputs with organizations to capture unique characteristics. It conducts supply analysis to determine strong and weak areas and gaps to be filled.
Conduct demand and gap analysis: It conducts facilitated organization surveys and demand analysis. This phase analyzes gaps between demand and supply, and risk assessment is done to close these gaps.
Implement workforce planning: This phase mainly deals with designing of hierarchy, reporting structure and processes. An implementation plan is created. An initial training program for the workforce is also developed in this phase.
The cybersecurity workforce planning approach integrates best practices to train organization members. This technique advocates the development of a Capability Maturity Model (CMM) to allow an organization to self-identify its stage in planning workforce development and make the necessary adjustments to narrow the gaps. The Cybersecurity Workforce Planning Diagnostic should be used to determine the amount, type and kind of cybersecurity workforce needed to meet the requirements of the organization [9].
Cybersecurity Workforce Development Toolkit
The Department of Homeland Security (DHS) has developed a toolkit for workforce training against cyber-attacks [6]. Cyber security professionals are currently in short supply. This tool aims to develop skills and meet the ever increasing demand for skilled professionals in an organization. This kit helps to understand the cyber security workforce risks and take inventory of the workforce, and provides templates to create your own cybersecurity career paths and recruit and retain high performing individuals [6].
This kit provides an organization with resources and information needed to build a workforce, strengthen its skills, plan its structure and advance towards creating an efficient team. The phases this tool covers are [6]:
Prepare: This is to check the current situation. It analyses the planning readiness of the organization’s cyber security workforce against a possible cyber-attack. It is a self-assessment activity which is completed using the Capability Maturity Model (CMM), a self-assessment tool with which an organization measures the maturity of its cybersecurity workforce planning capability.
Plan: It explains how to plan your cybersecurity team. This phase makes use of certain tools provided with the kit to evaluate current and future cyber security workforce needs. It also explores cybersecurity risks and contains suggestions to close the gaps. The risks within an organization are measured with the help of two elements: risk exposure and risk tolerance [16]. Risk exposure is the likelihood that a threat will occur. Risk tolerance is the likelihood that risk will succeed in causing damage [16]. Inventory needs like number of vacancies, size of the team and skills required are studied and planned.
Build: This phase focusses on what is needed to build a highly efficient cybersecurity team to protect the information resources of the organization in the best possible way. It discusses cybersecurity talent profiles, roles, job responsibilities and useful tips to recruit and train best in class staff. The teams are built according to categories and specialty areas determined by the National Cybersecurity Workforce Framework. The tool provides a questionnaire to judge the ability and interest of a potential candidate to join the cybersecurity workforce team.
Advance: It involves development of people working in the organization. The tool provides templates for creating custom cybersecurity career paths, links to training and awareness programs, information about professional events and ideas for retaining staff. It is a people centric part of the tool which exhibits how to conduct training of people in the right direction. This is achieved by mentoring, certifications, conferences and training.
The crucial part in the training of cybersecurity personnel and development of the required infrastructure is to understand the organization’s risk equation [16]. There is an increasing demand from the healthcare industry to understand this cybersecurity workforce development framework. The health sector is now becoming acutely aware of the risks involved with the security of digital data [14]. One of the ways of promoting this framework is through publishing content on international platforms [14].
Problems with development of Cybersecurity Workforce
The world is at risk of losing or corrupting its digital data due to the malicious intent of certain individuals or parties. The development of a workforce capable of safeguarding the information of its organization is the need of the hour. Implementing workforce development tools and training programs has become a mandatory step. Every state’s critical concern is to make its systems cyber safe [17]. There are still a few issues which need to be addressed even if an organization is using a workforce development framework provided by national agencies. Some of the issues are:
The BYOD (Bring Your Own Device) culture makes it difficult to monitor the software and hardware environment [15]. It can pose a great threat to the entire technology portfolio of a company. The web server must check every device that generates an information access or update request. With new devices joining the network every day, it is difficult to maintain security. In order to solve this problem, access to data should not only be based on login but on a combination of login and context [15]. For instance, can this user, with these particular credentials, access the database at this time of the day and with this device [15]?
The gaps between education to workforce pipeline are quite wide [5]. These gaps are a major hindrance in meeting the requirements of cybersecurity professionals in an organization. Competency gap is the lack in the level of proficiency of applicants needed for the job. Professional experience gap is the gap in the level of experience held by people wanting to be part of cybersecurity workforce. The experience of the candidates needed to perform the job effectively is not at par with the expected experience. There is also education speed to market gap which mainly arises due to lack of cybersecurity knowledge in the curriculum at high school level. This affects the number of qualified individuals available for cybersecurity roles [5].
A crucial issue is the misconception that cybersecurity is only a technical problem, so only technically trained people can be part of the job [3]. The foremost need is to define the roles and tasks for a cybersecurity employee. It is essential to make people understand that every person with access to a computer system needs to protect its data from any unauthorized external agency. So every member of the organization working on a computer has a cyber security role. This is known as ‘cyber hygiene’ [3]. Only educating and creating a workforce is not enough. In order to meet the needs of the dynamic cyber world, regular certifications, internships and training in complex environments must be organized to ensure a high competency level in the team.
The threat of cyber-attacks is increasing at a faster pace than the time needed to build an efficient combat team. Organizations have a key question to answer. Is outsourcing the safety of the data to a private company a better option than investing time and money in training and recruitment? Organizations have to decide whether to train, hire or contract out cybersecurity personnel [17]. The major advantage of hiring professionals from outside is that they will have cutting-edge knowledge to detect and defend against attacks most efficiently [17].
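The login-plus-context check described in the BYOD item above, sketched as an added example that is not part of the original paper or its sources. The user names, device IDs, roles, resources and policy table are all constructed for illustration; the check denies by default and also handles a shift window that crosses midnight.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample data: every user, device ID, role and resource is hypothetical.
ROLE_OF = {"nurse_kim": "nurse", "nurse_lee": "night_nurse", "dr_patel": "physician"}

DEVICES = {
    "dev-7f3a": {"owner": "nurse_kim", "managed": True},
    "dev-19c2": {"owner": "nurse_kim", "managed": False},  # personal BYOD phone
    "dev-a210": {"owner": "nurse_lee", "managed": True},
    "dev-55e0": {"owner": "dr_patel", "managed": True},
}

# Per role: permitted resources, permitted hours, and whether unmanaged
# (personally owned, unenrolled) devices may be used at all.
POLICY = {
    "nurse": {"resources": {"patient_records"},
              "hours": (time(6, 0), time(20, 0)), "allow_unmanaged": False},
    "night_nurse": {"resources": {"patient_records"},
                    "hours": (time(19, 0), time(7, 0)), "allow_unmanaged": False},
    "physician": {"resources": {"patient_records", "prescriptions"},
                  "hours": (time.min, time.max), "allow_unmanaged": False},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool   # result of the normal login step
    device_id: str
    resource: str
    when: datetime


def in_window(t, start, end):
    """True if t lies in [start, end]; a window with start > end wraps past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def decide(req):
    """Return (allowed, reason). Login alone is never sufficient: the device,
    the resource and the time of day must all match the user's role policy."""
    if not req.authenticated:
        return False, "login failed"
    rule = POLICY.get(ROLE_OF.get(req.user))
    if rule is None:
        return False, "no policy for user"
    device = DEVICES.get(req.device_id)
    if device is None:
        return False, "unknown device"
    if device["owner"] != req.user:
        return False, "device not registered to user"
    if not device["managed"] and not rule["allow_unmanaged"]:
        return False, "unmanaged device"
    if req.resource not in rule["resources"]:
        return False, "resource not permitted for role"
    if not in_window(req.when.time(), *rule["hours"]):
        return False, "outside permitted hours"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        AccessRequest("nurse_kim", True, "dev-7f3a", "patient_records", datetime(2024, 3, 4, 10, 0)),
        AccessRequest("nurse_kim", True, "dev-19c2", "patient_records", datetime(2024, 3, 4, 10, 0)),
        AccessRequest("nurse_lee", True, "dev-a210", "patient_records", datetime(2024, 3, 5, 2, 0)),
    ]
    for s in samples:
        print(s.user, s.device_id, s.when.time(), "->", decide(s))
```

Returning the denial reason alongside the decision gives the security team an audit trail of which context check failed for each refused request.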
Future Research Issues
The National Institute of Standards and Technology’s (NIST) Information Technology Laboratory (ITL) is the organization within the Department of Commerce which holds the responsibility for establishing cybersecurity guidelines and standards [11]. The NICE (National Institute of Cybersecurity Education) is the program led by NIST which has three primary goals for the future [11]:
Raise national awareness about the threats and harmful effects of cyber-attacks
Development of a control strategy for rapidly growing cyber-attack methods is a paramount issue. The amount of data is exponentially increasing and so are the risks involved. Cybersecurity laws and policies need to be amended to suit the current situation. Not only compliance with existing rules and following training programs, but also putting in place strict control environments at the workplace can help reduce the threat. With dynamic technology and devices, controlling the processes of an organization remains a major issue. The workforce can be trained in the best possible manner by learning in a practical environment. Future research should be based on integrating problem based learning. This includes building practical labs and incorporating case studies in the curriculum for better understanding by students. The advent of electronic health records has raised the need for cybersecurity in the healthcare industry [1]. Whether the health industry can provide cybersecurity is a question which troubles many people. The people in the health sector can be trained to protect sensitive information and be alert towards any malicious activity on the network. One possible solution to safeguard confidential patient information is to assign a unique patient number to every patient [1]. This number is not the same as the social security number (SSN) provided by the government but is a separate entity needed by the systems and databases of the health industry. This would make it difficult for a hacker to get access to records as multiple keys would be needed. Cybersecurity professionals recommend this to protect the confidentiality and integrity of data. Whether it can prove to be a viable solution to secure electronic health records is still a subject of research [1].
References
[1] 2015. National Cybersecurity Institute Journal. 1, 3 (2015).
[2] 2016. Collaborative Approaches to Medical Device Cybersecurity (2016).
[3] C Dodge, R., Toregas, C. and Hoffman, L. 2011. Cybersecurity Workforce Development Directions. (2011).
[4] Credentialing Cybersecurity Workforce. CompTIA.
[5] 2014. Cybersecurity Workforce Competencies: Preparing Tomorrow’s Risk-Ready Professionals.
[6] 2016. CYBERSECURITY WORKFORCE DEVELOPMENT TOOLKIT. US Department of Homeland Security.
[7] Hammerstein, J. and May, C. 2010. The CERT® Approach to Cybersecurity Workforce Development. Software Engineering Institute. (2010).
[8] 2014. Healthcare’s Model Approach to Critical Infrastructure Cybersecurity. HITRUST. (2014).
[9] 2013. NICE Component 3 How to Plan for your Cybersecurity Workforce. National Initiative for Cybersecurity Education. (2013).
[10] J. Michalsky, R. 2013. Raising Cyber Security Awareness for Healthcare Professionals. NJVC. (2013).
[11] LeClair, J. 2013. Protecting Our Future. Hudson Whitman/Excelsior College Press.
[12] 2012. National Healthcare Cybersecurity Protection & Education. The National Health ISAC.
[13] National Cybersecurity Workforce Framework | National Initiative for Cybersecurity Careers and Studies (NICCS) - Trademarked: 2015. https://niccs.us-cert.gov/training/national-cybersecurity-workforce-framework. Accessed: 2016-03-14.
[14] Update on the Cybersecurity Framework: 2014. http://www.nist.gov/cyberframework/upload/nist-cybersecurity-framework-update-120514.pdf. Accessed: 2016-03-11.
[15] Van Ommeren, E., Borrett, M. and Kuivenhoven, M. 2014. Staying Ahead in the Cyber Security Game. Sogeti and IBM.
[16] THE CYBERSECURITY WORKFORCE PLANNING DIAGNOSTIC. US Department of Homeland Security.
[17] 2014. The Cybersecurity Workforce: States’ Needs and Opportunities. National Governors Association. (2014).
[18] National Research Council (U.S.)., 2013. Professionalizing the Nation's Cybersecurity Workforce? Criteria for Decision-Making. National Academies Press.