What does your role as senior cybersecurity architect entail?
It’s a very broad role. I’m trying to keep pace with cybersecurity threats all across the globe, not just in healthcare. Really, anything that’s happening on the planet could potentially happen to us.
My role is not only to digest that every day, but also to understand how we mitigate those things in the context of an academic medical center or a large health system. That includes keeping pace with a breadth of cybersecurity tools and solutions that are out there to help. It’s also about understanding the people and processes involved in augmenting those.
It’s tough to take a day off in cybersecurity, because that could be a big day. You’re kind of permanently plugged in, but you do it because it’s fascinating work.
Is it common for health systems to have a dedicated cybersecurity program? Is Dartmouth Health doing something different that other systems could benefit from?
I would venture to say that all hospitals have a program at this point. The real question is whether they have dedicated cybersecurity resources.
I’ve heard the number fluctuate [when it comes to how many U.S. hospitals lack a dedicated cybersecurity employee]—maybe it’s 75% or maybe it’s in the high 90s. But I’ve had conversations with many hospitals, and I’m fairly comfortable [saying] it’s certainly in that upper three-quarter range. That’s a frightening prospect, considering how deep a cybersecurity program in a hospital really needs to be. That’s getting done by committee in organizations that lack full-time resources, and it just further strains folks who are there to do other work.
We’re very fortunate to have dedicated cybersecurity resources at Dartmouth Health.
Filling cybersecurity positions has been a challenge across industries, including healthcare. How has Dartmouth Health dealt with the national cybersecurity workforce shortage, and what strategies have you found to be effective?
The work of cybersecurity [requires] institutional knowledge that takes years to cultivate, and it’s hard to outsource that. It’s tough to pull in somebody fresh from the outside who’s really only here on short-term engagement. It goes back to retaining our skilled employees.
I don’t think there’s a hospital in America that has not taken a look at salary. Trying to be as competitive as possible on salary is important. It’s also about what we can extend in terms of flexible work options. I think initially there was some trepidation because you’re talking about patient data flowing out of a hospital and maybe into somebody’s house where they’re working remotely. That was really hard to come to terms with, but I think we’ve done it for the last few years. I think all hospitals have done it, and it’s something that we could extend.
Another strategy is thinking about career advancement. [It’s important for systems to consider] how we can train you, how we can educate you, and how we can make you a highly skilled person who will be a fantastic cybersecurity resource. Then, importantly, how we can recognize that work you do.
The work of cybersecurity in a hospital is often in the shadows, but we must recognize the work of anyone willing to wake up every day and come to work in a hospital.
What are the incentives for health systems to adequately prioritize cybersecurity?
I think the biggest lever we’ve seen in the last few years is cybersecurity insurance. That has been a mainstay of any hospital’s cybersecurity program. Cybersecurity insurance has evolved over the last few years in terms of its expectations of what a hospital security program looks like. So that’s been an important driver for change in every hospital and has directly influenced hospitals’ awareness of cybersecurity programs and staffing.