This week on the HIPAA Vault Show we talk about the challenges and opportunities of working in the healthcare IT and cybersecurity field.


Professional Certifications
LPI – https://www.lpi.org/our-certifications/summary-of-certifications
GCP Professional Certifications – https://cloud.google.com/learn/certification


Transcript:


Adam
Hello and welcome to The HIPAA Vault Show, where we discuss all things HIPAA compliance and cloud technology. My name is Adam Zenadine, and I’m joined, as always, by CTO and founder of HIPAA Vault, Gil Vidals. Hi, Gil. 


Gil
Hey, Adam. I’m ready to roll today. 


Adam
Yeah, I’m ready to roll too. So, as a brief intro, last week we talked about the right storage to choose for your medical data. This week, we’re going to talk about what it takes to work and thrive in healthcare IT and cybersecurity. As the healthcare industry becomes increasingly reliant on advanced technologies, professionals in healthcare IT and cybersecurity encounter unique challenges and opportunities. Today we’re going to unravel some of the key skills, knowledge and qualities required to operate within the healthcare IT security industry. So, couple of our touch points today, but to start off, I think it would be good, Gil, if we could talk a little bit about the challenges facing the healthcare IT security industry and maybe some of the opportunities that arise from those challenges.


Gil
Yeah. Thanks, Ed. Mike, this is a great topic because we do have a lot of experience in this area that is hiring qualified cybersecurity admins compliance managers. And our customers sometimes ask us if we know somebody qualified. That means they’re having a hard time finding somebody that can help in those kinds of roles. So I would think there are several challenges, unfortunately, in this. And one of the biggest ones is that at least in the United States, there are not enough young students going into the universities to study mathematics and the hard sciences, computer science. And that’s kind of sad because we need a lot of people like that are well versed in programming and cybersecurity and technology. So that’s one of the biggest problems we have. And there’s short supply. Then, of course, overseas is where a lot of companies end up having to resort to they go overseas. 


Gil
But now you’ve got a huge time zone issue and a language barrier sometimes, so that solution isn’t always the best one. You can also train someone that you find is good in technology. You can train them to be skilled, even in cybersecurity. 


Adam
Right? Yeah, I could dwell on the challenges all day because there are a lot of them, including it’s an ever-growing and expanding arms race that’s 24/7 between the good guys and the bad guys. It’s companies, healthcare companies, MSPs just trying to constantly upgrade their arms. And yeah, it is quite difficult there. But let’s move on a little bit to the opportunities that this offers to anyone interested in joining the healthcare IT cybersecurity industry.


Gil
Sure, I want to go into the opportunity because there’s a lot of that. But I also wanted to mention that the other big challenge is that it’s a moving target. So even if you find somebody well skilled and well versed in IT, they’re going to have to deal in a world where the bad actors, that’s what we call the bad guys, the ones that are trying to hack in, they’re always inventing new ways to hack in. And so that’s a moving target and it takes a lot of effort to try to keep up with all of that. I think the opportunity for that is once you do find somebody or train someone to do that, then that’s a big asset to your company. That you can have somebody like that as part of your staff. Someone that’s skilled, they’re able to keep up with things, they’re able to be effective.


And then you’ve got something golden in your company that your competitors may not have. So I think that’s a great opportunity. And then you’re also solving something that other companies are struggling to solve. So anytime you can do that’s a differentiator for your company. 


Adam
Yeah, definitely. And it’s constant innovation. So that’s really exciting for a professional. Right. That arms race means that you’re constantly learning new topics and new tricks. And then I’d also, as an additional comment there, say that ultimately, big picture, it’s about improving healthcare outcomes and protecting sensitive information, which is very important within other industries. Maybe the information isn’t quite as vital, but here we’re talking about patient information, so big opportunities there to help. So Gil, could you describe maybe a couple of the job roles that you’ve encountered within the industry and maybe some skill sets for them thinking you’ve got your assistance, administrators, compliance professionals, things like that? 


Gil
Yeah, so I think if you look at it like a pyramid and you look at the very top of the pyramid, you could name the compliance manager that’s the one that’s responsible ultimately for maintaining your organization’s systems to be compliant. So in our case, it’s HIPAA compliance. So the compliance manager has reports and dashboards where they’re looking to see really what the results of their scans. They could use a commercially vetted product like Rapid7 or Nessus, and they are scanning all these systems and they have reports that they look at every week or every day, and they’re looking at these reports going, okay, what’s happening today? What vulnerabilities have popped up today that weren’t there yesterday, which vulnerabilities haven’t been resolved yet? And then they work with the systems administrators to say, hey, we need to patch all these systems, we need to fix these vulnerabilities, we need to remediate them.


And so they help coordinate all that effort. And of course then you have the cybersecurity experts that work alongside the systems administrators and the cybersecurity team is more skilled or has more experience in using the different tools to block these attacks from happening. And then you have after that, you probably could have your help desk technicians, you know, maybe lower in the pyramid, but in a sense you need the whole company’s mindset to be on security because it’s kind of everyone’s responsibility. If a sysadmin logs into a system and notices something a little different, like something’s not right here. They may not fully grasp what the issue is, but they should escalate. Instead of just ignoring it, sweeping it under the carpet, they should say, hey, let me talk to the cybersecurity guy, or let me talk to the compliance manager. Let me point this out because it concerns me.


So if everybody on the team has a concern for security and the posture of the company is we don’t leave things undone or incomplete or a mystery. We need to solve these things and figure out what they are, then things go better. So I think that’s something that is part of the culture that we need to have. 


Adam
And when it comes to all these roles that you described and the skills there, is there a common skill that you see across the board? If there was one common skill that you could describe, what would it be? Across all the roles? 


Gil
Yeah, I think across all the roles, what stands out to me is the skill of troubleshooting. In other words, not everyone’s wired to be a good detective. If you have the scene of a crime and there’s somebody bloody on the ground that’s dead, and one person walks in and notices all these little minor details around the scene of the crime, and they go, I think I have a hint as to what happened here. I think that they were killed with a knife. All of a sudden they have this theory, but someone else might walk in, they don’t notice anything, like, oh, it’s just a dead guy there. That’s the end of that. So they don’t have the mind, they don’t have the situational awareness to be able to start figuring out there’s a lot of clues here. And so that is a real great thing, a foundational characteristic across all of these that you want someone that has that curious mindset, that Sherlock Holmes mindset, where they’re really curious and they want to find, what is this here?


Why does this look different? And they’re asking a lot of questions. They’re very “Curious George”. And then because of that, they go down the rabbit hole, they start looking at this or that, trying to figure out what’s happening in the systems that they’re looking at to protect. So I would say that’s a very important attribute. 


Adam
Yeah, absolutely. So the curiosity and troubleshooting. Well, I think the last thing I wanted to cover is when it comes to employers or someone that’s interested in getting into the cybersecurity industry or the employers that are looking to hire or they maybe have existing employees that they want to upskill, what is the best way to improve skills of cybersecurity professionals or potential professionals? 


Gil
I’ve seen real improvement when, again, they have that underlying curiosity. And what I’ve seen a sysadmin do or compliance managers build their own systems on their own time, like they’re that curious. It just kind of consumes them and so they start building their own systems in their own environment, like a test environment, and they’re in there playing around, testing things on their own because they really want to know how it works. How did this bad actor, how did this guy break into this tool here? How does that work? Whereas another person may just read about it in a blog, like, oh, I read this guy hacked in this, how he did it. The other guy is like, wait a minute, I want to do that myself, I want to try it myself, I want to see how this works. So I think that having a development environment for your team where they could go and test things themselves and play with new tools and give them kind of a playground area could be a very good thing. 


As opposed to just take this module, go study this module, pass a little test. That has value, of course, but there’s also value in testing things and using getting your hands dirty and trying it yourself. 


Adam
Absolutely. So that’s where the real skills are gained by actually getting in there and testing it yourself. You did touch slightly there on certifications and while they’re not necessarily what really makes the professional, they are an important way to be able to prove or demonstrate capabilities. So are there any certifications that you might recommend? 


Gil
Well, yes, there are a lot of certifications and one of them that I think is baseline would be the LPI certification. That’s a Linux professional international. So a lot of the systems are built on Linux. Of course you have Windows systems as well. And also I think the professional certifications from Google are actually quite good. They’re very difficult to pass. So what makes the Google ones, like the Google Architect, the Google Developer Data Engineer, I think they have seven professional certifications. What makes those hard to pass is it’s not like some of the other certs I’ve seen where you just study really hard and then memorize and then just kind of regurgitate on the test what you memorize and then you pass it. The Google one, if you don’t have the experience, like if you’ve actually not had two or three years of hands-on experience, very unlikely you’ll pass it.


So it’s a well-done test that really gets into the nitty-gritty and you could memorize all you want, but you won’t pass it if all you have is a memory. You have to have the experience as well.


Adam
Yeah, and what we’ll do as well is we’ll link in the description a place that you can go and find all the different Google Cloud Professional certifications and take a look through and see which one you’d be interested in or you’d be interested in having specific employees look into. And I’d also at this stage like to invite you to leave any comments. Let us know if you’re watching or listening. Are you a current cybersecurity professional? Are you looking to get into the cybersecurity and healthcare industry? We’d be very interested to know about that. So that is all for this episode. Thank you for joining us on our journey through the discussion around empowering budding and existing healthcare IT professionals to better navigate the world of healthcare cybersecurity successfully. If you have any questions, you can email us at podcast@hipaavault.com or tweet us at HIPAA hosting.