Need to know the dosage for a patient’s medication? Tough, pay me. Need to know the lab results for that biopsy? Tough, pay me. Need to access your notes to reconsider a patient’s prognosis? Tough, pay me. Well, this is a new problem, isn’t it? Paper records on a shelf? Pretty hard to walk off […]
Welcome to Code Red, HIMSS’s new health IT cyber security podcast. Code Red focuses on cyber security challenges facing health care today & tomorrow, featuring the voices of the people on the front lines. The goal of the podcast is to explore the interplay between the people, processes & technologies that make up an organization’s […]
On March 12, 2008, the New York Times reported about a team of computer security researchers from Beth Israel Deaconess Medical Center and the Universities of Washington and Massachusetts that able to gain wireless access and reprogram a combination heart defibrillator and pacemaker to deliver potentially fatal jolts of electricity to a person with the […]
In celebration of Data Privacy Day, taking place each year on January 28th, members of the HIMSS Privacy and Security Committee talk about ways to help protect patient privacy. In part 1 of the series, Meredith Phillips, Chief Information Privacy and Security Officer for Henry Ford Health System discusses several common scenarios involving breaches […]
With all the data breaches and threats popping up all over by healthcare, expect the market for cybersecurity products and services in U.S. hospitals to grow by 13.6 percent annually between now and 2021.
That estimate comes from a new, lengthy and pricey report by research firm Frost & Sullivan on the U.S. market for hospital cybersecurity. Frost isn’t releasing dollar figures of its forecast to the media, but the Mountain View, California-based company isn’t holding back in identifying culprits in this expected market growth.
“There’s been a cultural naïveté about IT security in healthcare,” said lead author Nancy Fabozzi, Frost & Sullivan’s principal analyst for connected health.
Fabozzi said that many healthcare organizations have wrongly assumed that meeting HIPAA security requirements is enough. But the fact that, according to Frost’s research, there have been 1,437 large breaches of health data, affecting more than 154 million patient records, since 2009 illustrates that their efforts have been sorely inadequate.
More than 113 million of those records were breached in 2015 alone, so the threat appears to be growing. Of particular note, 98.1 percent of records breached last year were because of hacks or other malicious activity, according to Frost.
“Hospitals are finally now realizing that health data is so valuable,” Fabozzi said. Unfortunately, she added, until very recently, technology vendors have not had to prove that their offerings are sophisticated enough to meet the threats posed by hackers.
“In spite of a growing awareness of the problem of increased cyber threats, many healthcare organizations face considerable challenges as they gear up to do battle with cyber attackers. Hospitals’ lack of leadership, appropriately trained staff and adequate financial resources are critical concerns,” Frost explained in a PowerPoint presentation shared with MedCity News.
But they are starting to get the message. “Hospitals are transitioning from a reactive, piecemeal, fragmented approach to protecting privacy and security that is highly dependent on HIPAA compliance to an approach that is proactive, holistic and coordinated, anchored by integrated solutions designed to protect multiple endpoints (computers and connected medical devices),” the presentation said.
“The real opportunity here is for consultants — managed services and professional services,” Fabozzi explained.
In 2015, about 80 percent of healthcare security spending was on software and other products, with just 20 percent dedicated to services, Frost reported. Expect that mix to shift to about 70/30 by 2021.
With the HIPAA security rule now 13 years old — and based largely on a draft completed in 2000 — Fabozzi said that it’s likely there will be new legislation and regulation on healthcare cybersecurity in the near future, regardless of how the November presidential election plays out.
“There’s a risk in healthcare that goes far beyond anything in other industries, and that’s hacking into a medical device and harming patients,” Fabozzi noted.
Timing of this report couldn’t have been any better for Frost & Sullivan. The report — or at least the news release about it — hit the same week Phoenix-based Banner Health disclosed a major breach of payment terminals and other computer system and that Advocate Health Care Network in Illinois reached a record $5.55 million HIPAA settlement over allegedly lax security practices.
Here’s an infographic from Frost highlighting themes in the report:
Images: Frost & Sullivan, Flickr user El Hombre Negro
There’s no doubt that tech pros with security expertise are highly sought after. Yet in the face of that demand, it seems that schools are having a hard time producing enough graduates to fill open security jobs.
A new study of 121 university programs, conducted by an independent consultant contracted by cloud-based security provider CloudPassage, found that not one of the top ten U.S. computer-science programs (as ranked by U.S. News & World Report in 2015) requires a single cybersecurity course for graduation. In fact, only one of the top 36 U.S. computer-science programs demands such a course (for those keeping score at home, that’s the computer-science program at the University of Michigan).
CloudPassage CEO Robert Thomas suggested that, when you consider how cyber-attacks are driven more by organized crime and hostile governments armed with sophisticated tools and lots of funding, the average IT organization is operating at a distinct disadvantage. “All you hear over and over again is how many open security position there are… Frankly, it’s only going to get worse.”
The U.S government alone is looking to hire 1,000 IT security workers by the end of June. Not only are such professionals hard to find—the government isn’t generally competitive when it comes to salaries. As a result, some pundits doubt that federal agencies will achieve that hiring goal.
Christopher Key, CEO of Verodin, a security start-up focused on automating the testing of security defenses, thinks it’s hard for IT security professionals to keep up with the latest trends, never mind universities and IT generalists. “We think organizations need to first think more about the effectiveness of the money they already spend on security,” he said. “They need to measure if they are actually getting better at providing IT security.”
The bigger issue is to what degree IT security issues have dampened the willingness of organizations to launch new digital initiatives. While becoming a “digital business” is clearly all the rage these days, there’s a lot security risk associated with such projects.
Greg Richey, director of professional services for Ingram Micro, an IT distributor that provides support for thousands of small to midsize IT services providers, hasn’t seen a slowdown in the number of projects launched to deal with potential vulnerabilities. The issue isn’t the number of security professionals, he thinks; it’s the quality.
“I can find plenty of IT security people,” he added. “Finding good IT security people is another matter.”
In the absence of well-qualified IT security professionals, there’s a lot of interest in IT security automation. That means the use of machine learning algorithms and other forms of artificial intelligence; PatternX, for example, uses A.I. to provide “virtual security analysts” that eliminate many of the lower-level tasks that human security analysts perform manually. But someone still needs to make sense of all those security reports to determine the true nature of a particular threat.
In the meantime, any tech professional who wants to expand the scope of their IT security skillset must commit to continuous education. The threats that need to be addressed evolve on a weekly basis, both in sophistication and lethality. It’s not a job segment for the faint of heart.
This is a podcast featuring Eddie Potter, Sr. of Zscaler on a discussion about how you can secure your entire healthcare system enterprise. With the unique challenges that hospital systems are facing today continues to become more complex. There were more than 113M individuals impacted by data breaches in 2015 with 109M of the 113M were […]
Fifteen years ago, the landscape of IT was so fluid you could almost pick your specialty and start working. The need for computer engineers was so great, that anyone with some ambition could go far reasonably fast.
Document services specialists—who type for a living—were moving into application deployment. A night security guard who spent his time studying Novell became a certified Novell administrator. I worked in a copy center in a small law firm and became their network administrator literally just by asking.
Today, roles are far more static. An employee in a copy center could not reasonably expect to get a job working with computers just because he or she wants one. And someone who has studied Novell (or something more contemporary like Windows deployment) is less likely to find a job, thanks to competition with too many experienced people.
But it’s also static in another way: The jobs are changing or disappearing altogether. What happens to the engineer whose primary responsibility is mounting servers when the server room moves to the cloud? Likewise, it’s nearly impossible for that highly qualified desktop applications engineer to get a job in the promising field of network security.
As career coach Donna Shannon said: “A big mistake that candidates often make is thinking that ‘I can do this job, if only they would give me a chance!’ Companies are not thinking of your career goals; they are concerned about their needs. When you merge your desires with the company’s needs, that’s when the magic happens.”
Thanks to exactly those reasons, I successfully moved from desktop applications to IT security. Here’s how.
My company’s desktop manager retired, and they chose not to replace him. Our workload became greater, which of course is a good thing. But my concern was for the bigger picture: How long will the desktop be around? As demonstrated by the engineer mounting servers who loses his job to the cloud, the rate of change within the IT industry has increased rapidly over the past 15 years; I couldn’t reasonably count on the desktop existing for another 15 years, at least as we know it.
So I wrote a letter to my new manager detailing my other experience and abilities. I had recently gone back to school to get a degree in project management. I am a blogger; I was even a comedian a long time ago. If he needed any help outside the desktop, I wrote, feel free to tap me.
And he did. He gave me odd tasks that had nothing to do with the skill set on my resume. I happily took them and completed them quickly.
As Ask The Headhunter’s Nick Corcodilos said last year, when I wrote the letter: “I think it’s key to wander around, ask for advice, offer to help ‘on the side,’ using some of your skills, and gradually work your way into a new team.” He refers to it as “JHBWA,” or “Job Hunting By Wandering Around.”
Meanwhile our CIO was looking for someone to help with his workload, specifically the Security Awareness program. (This is a job in itself!) As with many CIOs right now, his workload had increased; there was no way for him to implement the program. So six months after I wrote the letter and helped with odd projects, the manager took me into his office and proposed the shift to security.
This was exactly what I wanted. I have some security background, having locked down the desktop with group policy, PrivilegeGuard, WSUS, Shavlik, and Symantec EP. But there’s more to security than the desktop, which made the new task a leap—a big leap.
Or as Lisa Yanni, a technical recruiter at Career Management Associates in New York, put it: “I think it is common for people to transition roles in IT, but going from desktop applications to security engineer is a pretty big jump and I don’t think a jump this drastic is very common, at least not that I have witnessed.”
So how do you do it? Well, first you have to ask.
“Any time we are trying to convince a company that they need a new role, we are actually pitching the job,” Shannon said. “This is very different than just applying to open positions, as you not only have to convince the company to hire (or move) you, but also that the job is necessary in the first place.”
Yanni added: “Tailor your resume to reflect all relevant experience for the role you are applying to even if it seems beyond where you are now… Companies love ambition… Think of all the reasons why they could say ‘no’ and come up with reasons to say ‘yes.’”
As for me, I’m sort of back to where I was 15 years ago… and cracking a whole new set of books.
- IT Security Pros: Are You Worth a Million Dollars a Month?
- How to Become More Marketable in IT Security
- From Linux Sys Admin to Programmer in 3 Easy Steps
Image: Sergey Nivens/Shutterstock.com
As you may have heard by this point, Lenovo loaded an adware package called Superfish Visual Discovery onto many of its devices. Annoying? Absolutely: Nobody likes an add-on that inserts sponsored links into your search results. But Superfish became downright dangerous when security researchers realized it could easily double as a handy tool for a man-in-the-middle attack, thanks to its ability to always appear as a “Trusted Party” to websites.
The revelations have left Lenovo scrambling to repair the damage. “We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience,” Lenovo wrote in a Feb. 20 statement. “However, we did not know about this potential security vulnerability until yesterday. Now we are focused on fixing it.”
The company also insisted that Superfish was never preloaded onto its ThinkPads, tablets, and enterprise hardware; but that means any other devices released between September 2014 and February 2015, including laptops in the company’s popular Yoga line, are apparently vulnerable.
Those who want to trust Lenovo’s automated tool for deleting Superfish can find it on the company’s website. Otherwise you can take the following steps to manually uninstall it:
1. In Windows, open “Search.”
2. Search for “Remove Programs” and select “Add or Remove Programs”
3. In the subsequent list, find “Superfish Inc. Visual Discovery”
4. Click “Uninstall”
After that, users should make sure the SuperFish Certificate is removed from their PCs, as well. Lenovo offers a step-by-step walkthrough for systems running Internet Explorer, Google Chrome, Opera, Safari, Maxthon, and other browsers that rely on the Windows Certificate store.
For Lenovo users, a handy Web page from LastPass will also verify whether SuperFish impacted your system. Better safe than sorry.
- 10 Reasons Why You Need a Cybersecurity Plan
- How I Made the Leap to IT Security
- IT Security Pros: Are You Worth a Million Dollars a Month?
If you’d like to change jobs or switch from freelance to full-time status, prepare to pounce: 2015 is shaping up to be a blockbuster year for the IT labor market, according to David Foote, CEO of research firm Foote Partners LLC.
“This year started out slow, just as we predicted,” Foote said. “But U.S. employers added an average of 17,633 IT jobs during September, October and November, and we see that momentum continuing into 2015.”
Foote’s optimistic forecast is based on his discussions with CIOs and his firm’s surveys of compensation and market demand for 734 individual certified, noncertified and hybrid IT skills. (Independently, a recent Dice survey also concluded that tech hiring will rise significantly in 2015.)
Of course, some tech skills will be hotter than others. In what has become an annual tradition, Foote went out on a limb by predicting the IT roles that are most likely to gain or lose ground in the new year, and briefly revisited his projections for 2014.
These positions could lead to solid salaries and job security in 2015:
“IT has been so focused on producing a solution that works today, they haven’t considered scalability,” Foote said. “User adoption rates and activity are soaring, which is fueling the demand for architects. In fact, The Open Group Architecture Framework (TOGAF) is the highest-paid skill in our quarterly index.”
Big Data Experts: Last year, Foote predicated a big demand for database developers, analysts and technical specialists, but his forecast faltered when the pay for 31 noncertified Big Data skills unexpectedly declined 2.5 percent between August and September. So we asked Foote to explain why he continues to be bullish on Big Data roles.
“Companies took a breather from hiring during the fourth quarter because they were unable to make the leap into prescriptive and predictive analytics,” he explained. “They needed some time to reflect and regroup.”
He added: “However, the pay for certified skills, especially Cloudera, has held up, which is why I still like Big Data but as a longer-term play.”
Who stands to benefit in the short-term? Data scientists and professionals with top-notch data management and/or analytical skills will likely see their stock value rise in 2015. Foote predicts that the pay for noncertified skills will rebound as companies launch new data initiatives and resume searching for external talent.
Cybersecurity Specialists: If you’re a certified IT forensic investigator, an intrusion analyst or a certified ethical hacker, you’re in luck. After experiencing a record year for attacks in 2014, companies are taking big steps toward building more secure environments.
“2015 will be a good year for cybersecurity pros with niche skills,” Foote said. “Companies don’t have a handle on their vulnerabilities so they’ll be looking for specialized experts to conduct vulnerability and risk assessments.”
Hybrid IT Pros: CIOs need forward-thinking business analysts and software engineers, who are well versed in business strategy, user experience and customer intelligence.“They don’t need coders,” Foote said. “CIOs are looking for are software engineers who can think beyond what they’re doing today and business analysts who can predict what customers will want next year and the year after that. The demand for outside-the-box thinkers with hybrid skills is not going away.”
These jobs, on the other hand, might face some headwinds over the next year:
SAP Specialists: Pay for SAP professionals has fallen 7 percent over the past three years, based on Foote Partners’ survey of 92 certified and noncertified skills. However, there are some exceptions. For instance, the pay for professionals with governance, risk, and compliance (GRC) expertise or knowledge of SAP’s retail modules has remained steady or grown.
“The pay for professionals with SAP peaked in 2011,” Foote said. “Knowing a hot module can bolster your job hunting fortunes and give you an edge in salary negotiations.”
Web Developers: Of course, companies still need website upgrades, reboots and maintenance. But developers are losing ground because the market is flooded with talent. “Employers can hold out for a Web developer with industry experience, e-commerce or specialized domain experience,” Foote pointed out. “Unfortunately, the current market conditions give employers the upper hand in salary negotiations.”
Cloud Professionals: Foote predicted great things for cloud architects, engineers, administrators and integrators in 2014, largely because the pay for 27 noncertified cloud skills rose throughout 2013. However, demand leveled off in the spring, and the pay for noncertified skills actually declined 1 percent over the last three to six months. Why? Chalk it up to an improving balance between supply and demand.
Employers no longer need to offer signing or retention bonuses to attract and retain cloud professionals, Foote explained: “It’s just part of the evolution… When the skill gaps close in a particular field, employers pay the going market rate, especially for noncertified skills.”
- How to Explain Your Technical Skills to HR
- 5 Critical Soft Skills for Tech Pros
- The Fastest-Growing Tech Skills: Dice Report
What’s consistently one of the fastest-growing skills for job postings on Dice, boasts above average salaries, and is changing the way companies—small and large—are thinking about data storage? It’s cloud, and the future for tech professionals with this experience is anything but gloomy.
An analysis of searches by hiring managers in the Dice resume database highlighted the key skills companies are looking for from cloud professionals.
Not surprisingly, Java is all too important to firms hiring cloud candidates. The programming language and platform is the foundation for so many technologies today that it remains one of the top skills on Dice year after year, and while other languages are gaining speed, Java is still king of the hill.
Cloud-specific skills like SaaS, Virtualization, vCloud and Salesforce all rank on hiring managers’ wish lists for candidates. Salesforce hit 1,000 job postings in April this year and continues to grow in popularity, with job postings up 26 percent year over year on Dice.
Open source technologies like Linux, Python and Hadoop create value to companies looking for cloud professionals. Tech professionals with Hadoop experience doubly benefit as other movements like Big Data continue.
What’s the future of a technology without professionals to sell it? Companies are frequently looking for cloud professionals with sales experience who can drive the product forward and hit goals while doing it.
And you can’t have a conversation about cloud without the mention of security. Companies are looking for security professionals who can communicate best practices to colleagues, define vulnerabilities and act quickly in the unfortunate event of a breach.
One thing that hasn’t changed since we last reported on Cloud via Open Web, our Big Data sourcing tool, is that Amazon/AWS is still the preferred vendor, but unlike last year, there’s another kid on the block. VMware also popped up frequently in hiring managers’ searches, proving that as the cloud proliferates, so will companies looking to capitalize on and further enhance the technology.