Abstract
The COVID-19 pandemic has challenged the healthcare sector. In the face of waning caseloads, staff shortages, and supply chain issues, the topic of cybersecurity has often struggled for its time in the limelight. Behind the scenes, however, cybersecurity leaders and staff are burning out at an alarming rate. A dire shortage of skilled professionals continues to compound, as global affairs and an increase in the availability of information leave healthcare cybersecurity teams barely able to keep afloat. This article describes the nature and scale of the health and human resource challenges faced by healthcare organizations and offers several practical options for health leaders to plot a course to attract and retain staff during this period of upheaval.
Introduction
Somewhere, as you read this, deep in the depths of one of Canada’s hallowed health institutions (or perhaps slightly more relevant, working from home), a cybersecurity professional is struggling and considering new career opportunities.
It should come as no surprise that while the healthcare sector worked tirelessly to respond to a global pandemic, amidst the fear and worry about our health or the health of those close to us, there would be attempts to exploit the situation. Significant and newsworthy events and our thirst for information drove us to any source of information, in some cases even neglecting to consider whether these sources were reliable, a scenario which perfectly describes a cybersecurity professional’s worst nightmare. Add a workforce under strain, potentially working short-staffed or amidst a sea of unfamiliar faces. The reality of a momentary lapse in judgement, particularly one associated with something as seemingly innocuous as another e-mail from the Information Technology (IT) department, becomes a near-certainty.
This is what cybersecurity teams worry about: the weight and impact of that momentary lapse at the end of a shift. The seemingly harmless click amidst a sea of call-bells, bloodwork, and e-mails. The almost-perfect login screen that looks “close-enough.” This is the burden they carry with them—and this is a small sampling of what is creating a different staffing crisis in healthcare.
This is the burden that is contributing to an unprecedented rate of burnout amongst healthcare cybersecurity professionals.
A worsening staffing crisis flying under the radar
The pandemic and its corresponding aftermath continue to highlight staffing crises among health professions, prompting some regions to cut back services or limit hours of operation. The talent gap also continues to worsen. While one 2021 study cites a global talent shortage now approaching three million qualified professionals, in Canada, “one in six cybersecurity jobs goes unfilled.” 1 As we continue towards “digital transformation” and fulfill the demand for increased automation and access to information, many healthcare organizations continue to lack formal hands-on and/or leadership functions related to cybersecurity. Many still feel their staffing complement falls short of what they require to adequately deliver this mission-critical function. To further reinforce the dire nature of the Canadian experience, the outcome of a recent survey of global health service providers cites inadequate staffing as the most significant barrier to delivering a more robust cybersecurity practice, 2 and bodies such as the International Information System Security Certification Consortium, (ISC)², not only confirm a global gap of roughly 3.4 million skilled professionals in 2022, but predict that shortage to worsen well into 2025. 3
“Burnout,” having been defined within the 11th revision of the “International Classification of Diseases” (ICD-11) as “a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed,” 4 has emerged as one of the most significant factors affecting healthcare staffing. While the impacts to staffing impede our ability to deliver high-quality care and a reasonable workload, the notion of burnout extends well beyond the frontline caregivers. Emerging evidence suggests that cybersecurity professionals are experiencing burnout at rates equal to or exceeding that of frontline healthcare workers, primarily attributed to a lessened sense of “personal efficacy” or how well workers think they are performing in their roles. 5 Cybersecurity professionals are also concerned that a successful attack on their organization could end their career. As our digital footprints grow, an infinite string of reports of vulnerabilities and emerging threats lands in our inboxes. Is it any wonder that many cybersecurity professionals are seeking work elsewhere? Even more interesting, are we perhaps trying to solve an “unsolvable problem” 6 ? Even with the best tools and lightning-quick response, our ability to avoid a breach often boils down to the frontline teams’ ability to pay adequate attention in that singular moment when something malicious lands in their inbox.
The burden of being informed
We live in the information age, and through our tremendous access to both formal and informal news sources, we are increasingly exposed to global factors outside our control that can amplify anxiety. How many of us have wondered about the impact a prolonged conflict in Ukraine might have on our ability to deliver healthcare services? With sanctions being lobbed back and forth, we have seen everything from Distributed Denial of Service (DDoS) attacks knocking entire health systems off-line, to the more nefarious “wiper” malware intended to render entire fleets of devices unrecoverable by erasing their hard drives, regardless of any potential ransom payment.
The past few years have taught us more about the way threat actors operate. We have appreciated for some time the scale of this industry (with combined revenues measured across known bitcoin accounts approaching two billion dollars since the onset of the pandemic 7 ) but a leak of chat logs of the “Conti” ransomware group provided a unique glance for security researchers at the internal operations of one such group. While some recent attacks impacting healthcare organizations have resulted in threat actors apologizing and providing free access to decryption tools, 8 the “Conti” leaks made one thing clear: healthcare is under attack, and we cannot rely on all threat actors being so forgiving to healthcare.
One of the greatest tools in the cybersecurity professional’s arsenal is a series of information sources, whether they be conventional media, curated threat intelligence feeds, or even the occasional “dark web” source. Managing these sources, particularly focusing on those proven to be reliable, can be a tremendous asset in preparing for and responding to emerging cyberthreats. Attacks on Canadian institutions such as Suncor Energy, The Hospital for Sick Children (SickKids) and the Newfoundland Health Authority have been particularly newsworthy. While they provide an excellent opportunity for cybersecurity professionals to learn from the experiences of others, at the time of an incident, many cybersecurity professionals are left to rely on their ability to access the right contacts to prevent them from falling prey to the same exploits.
Much like news sources during the pandemic, we must consider the legitimate risk of information overload. Many chose to take breaks from social media or popular news during the pandemic as a mechanism to avoid the never-ending coverage and conflicting views related to topics such as masking and vaccination. However, there is also the anxiety associated with “missing” something—in a profession where timely response can be crucial to mitigating a potential breach, how do we balance the need to constantly be aware and informed of emerging threats, and the need to achieve some downtime and balance?
The risk of fatigue and complacency
With an increasing workload, competition for skilled resources, and an overwhelming amount of information to filter, cybersecurity professionals have continued to do what they do: identify and mitigate the risks associated with the use of technology, often compromising the balance between their personal and professional lives. Increasing focus on the topic (whether initiated internally, or externally via media reports or enquiries), amplification of breach notifications and alerts, and a dramatic increase in attacks have made the threat of alert fatigue very real.
While no doubt under-reported, the threat of “missing” an alert due to volume or failing to act on the right alert in a timely fashion has already resulted in very real consequences: In 2013, a breach of U.S.-based retailer Target’s information systems, ultimately leading to the exfiltration of more than one hundred million customers’ records, was later attributed to an alert Target’s security team chose to ignore. 9 Acting on the right alert at the right time is pivotal to a timely response, and the security team’s ability to achieve this is further hampered by alert overload. A survey of security leaders at organizations with more than one thousand employees in 2020 revealed those organizations often received more than one thousand alerts per day, many of which could not be triaged or managed within 24 hours of receipt. 10
The cumulative effect of these risks (the staffing crises, information overload, fatigue and complacency) may result in our information security teams being unable to respond at an appropriate pace, leading to delays in applying mitigation earlier in the kill chain, 11 where it could have limited exposure and damage. Worse still, our teams may be able to respond in timely fashion but may have become “immune” to the alerts, not differentiating the subtleties between a new and emerging threat and yesterday’s brute-force attack.
All is not lost
While these factors paint a bleak picture for the future of the profession, and while the data continue to reflect year-over-year increases in cyberattacks, there are practical approaches to take to help support us and our teams without further perpetuating the stress, anxiety, and burnout. Positive indicators in the aftermath of the COVID-19 pandemic include increased attention to the mental health and well-being of cybersecurity professionals. Innovations in hiring/staffing and technology are being effectively applied as mitigating factors. Organizations have come forward to sponsor conferences and summits solely focused on trying to “solve” the problem of stress and anxiety among cybersecurity professionals (the inaugural “Mental Health in Cybersecurity Leadership Summit” was held in April of 2023, coinciding with the popular RSA security conference). While the literature does not offer much in terms of solutions specific to cybersecurity professionals, there are tactics for managing stress and anxiety that we should avoid overlooking.
Be prepared—have a plan
“Prior Preparation Prevents Poor Performance” is a phrase often attributed to former White House Chief of Staff James Baker. 12 If you have not yet taken steps to align your security program to one of the common cybersecurity frameworks or drafted and drilled on your incident response plans, now is the time. Continuing to plan, simulate and practice by performing tabletop exercises is an essential mechanism to ensure you have developed, tested, and improved your response in advance of an incident, and will support our teams to feel well-prepared and avoid the impending sense of dread and panic regarding the unknown. We need to think differently about how we approach this, as preparing our information technology and security teams will not be adequate. How do we know how we will operate our ambulatory clinics or diagnostic imaging departments in the face of a cyberincident until we experience it through hands-on simulation? How do we involve our boards (and ensure continued appropriate oversight from a governance perspective, without straying into operations)? For those looking where to start, organizations such as the SANS Institute offer a tremendous array of services relating to immersive crisis response simulation and training. For those looking for “extra credit” and ideas beyond ransomware to simulate, the “BadThingsDaily” Twitter account (@BadThingsDaily) offers news-inspired headlines to help fuel simulations and playbooks. In the age of “it’s not if, but when,” this should be considered table stakes.
To further reinforce a sense of readiness, having a well-documented roadmap as it relates to cybersecurity supports the notion that there is a plan to work against. Maturity models such as the U.S. Department of Energy’s “Cybersecurity Capability Maturity Model” 13 (C2M2) are excellent tools to help mature both burgeoning and mature cybersecurity programs, and even map against the controls and concepts in the “National Institute of Standards and Technology” (NIST) cybersecurity framework. They often provide simple and straightforward tools to assess your present posture and measure against industry standards, which in turn help support activities such as risk assessment and remediation. For those looking for something less complex, the “CIS Critical Controls” 14 and a risk-based approach have been long-time favourite approaches to assessing and guiding cybersecurity work in a forward direction.
Choose your tools wisely
Cybersecurity revenues (dollars spent on technologies or services intended to protect or mitigate technology risk) in Canada in 2022 exceeded $3.5 billion (USD). 15 Without a well-defined plan as articulated above, cybersecurity teams are often prone to “firefighting”: technology solutions are purchased and implemented to address emerging issues, and not necessarily in coordination with an overall plan. While occasionally necessary, the proliferation of tools that are not seamlessly integrated into a single screen or view can further compound fatigue and increase the risk of security professionals missing important alerts due to the number of places to look for them.
Consider looking at security platforms that support multiple critical capabilities or bring the information into that “single pane-of-glass” to reduce the burden on teams and ensure they can focus attention where it is most critical. Further embracing automation (to both automate the timely application of protections to your infrastructure, while simultaneously reducing the burden on your cybersecurity teams) is a continued step in the right direction. Five years ago, when we received indicators of compromise (IOCs; the hallmark characteristics or proof associated with a known breach), they were painstakingly added to anti-virus products and firewalls. Now, IOCs are added from trusted sources automatically, eliminating much of the manual step-by-step effort.
Grow-your-own
It may be well-understood, but the culture of our organizations will have much to do with our ability to effectively educate, manage, and advance cybersecurity posture. An organization seeking to attach consequences to failing an annual phishing test, for example, may be contributing to a culture that fails to report inappropriate clicks and misadventures, further delaying response.
In the face of talent shortage, growing expertise in-house, while seemingly onerous, can be rewarding for both the employee and employer. In 2022, MITRE 16 (an organization founded in 1958, sponsored by the United States Air Force, whose mission is to “serve as objective advisers in systems engineering to government agencies, both military and civilian”) published eleven strategies to develop and operate a world-class cybersecurity operations centre. 17 A significant tactic pertains to hiring, growing, and retaining quality staff, and building them into an effective team. Giving cybersecurity teams access to the materials and opportunities to gain hands-on experience and pursue their own interests can support their pursuit of their passions, but also open doors to capabilities we may not yet possess. When hiring, we tend to look for the ideal candidate; with universities and colleges increasing their offerings related to cybersecurity, a crop of new graduates in need of mentoring and growth would seem to be an excellent opportunity to build a practice around candidates who possess the fundamental skills and correct mindset but need the practical hands-on experience. In the face of the growing crisis, there has been significant scholastic effort to educate and prepare students to join the cybersecurity workforce. Despite a noteworthy increase in post-secondary cybersecurity programs, many of these students continue to face the traditional challenges of new graduates: they often lack years of hands-on experience, have not yet obtained academic or professional certifications, or worse, do not fit the perceived “typical” mould of what our industry believes a cybersecurity professional should be.
While programs such as the “Emerging Leaders Cyber Initiative” at Toronto Metropolitan University actively seek to address the need to diversify the cybersecurity field, a study soliciting the perceptions of students in cybersecurity programs published in 2020 noted the ongoing nature of cybersecurity as a “male-dominated” profession and further noted a distinct lack of mentorship opportunity for students and new graduates aside from those afforded to them by their fellow students/graduates. 18 This is an urgent call to action: we must do more to provide emerging professionals with access to mentorship and immediately diversify this workforce if we ever hope to meet the demand.
This is also an opportunity to evaluate and acknowledge our capacity to deliver critical security capabilities. If we are not able to staff a security operations centre, twenty-four hours a day, seven days a week, aligning to a trusted “Managed Security Service Provider” (MSSP) to monitor the organization after-hours is an increasingly popular strategy, and these partnerships can further support other gaps within the information security program as we staff-and-skill-up.
Remember, in growing and supporting the cybersecurity team we must still be responsible stewards of what we are afforded; use the airtime to communicate with frontline teams responsibly. Too often, cybersecurity education content is poorly targeted—the result is a compromise in the frequency or content of the message. This is one of the major factors that lead many organizations to deliver their cybereducation once annually as part of a mandatory curriculum. Many organizations plan a phishing simulation annually. Why not a series of tests over the course of a month (or spread over the course of the year) comprising a “phishing derby”? Micro-learning and gamification are effective strategies to help deliver targeted content in a timely and efficient fashion, often enhancing engagement of frontline teams.
The challenges facing healthcare are many—and like many of those challenges, burnout and attrition will not be solved without a comprehensive and targeted effort to ensure people feel appreciated and valued, feel a sense of autonomy, have opportunities to develop professionally, and can show tangible proof their role is having a positive impact on experience and outcomes. These strategies (among others) are being applied successfully to frontline healthcare teams 19 —we need more concerted effort to ensure those working in fields like cybersecurity are afforded the same attention and care.
After all, these strategies are just natural extensions of why many chose healthcare as a profession: to care for the well-being of others.
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
Ethical approval
Institutional Review Board approval was not required.
