Health-ISAC Hacking Healthcare 9-1-2023

September 6, 2023 | Hacking Healthcare

This week, Hacking Healthcare™ examines the cybersecurity workforce issue. With the recent release of the United States’ National Cyber Workforce and Education Strategy, we wanted to examine how the United States and the European Union (EU) are attempting to address the growing shortage of skilled cybersecurity personnel. In our analysis section, we then explore what healthcare organizations may be able to do to maximize the talent available in the meantime.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

PDF Version:

Text Version:

Welcome back to Hacking Healthcare™

Solving the Cyber Workforce Problem

The growing use of technology products to carry out critical functions within all industries, and a general increase in connectivity globally, continues to highlight the need for countries to prioritize building and maintaining a vast, skilled cyber workforce. Unfortunately, thus far the need for this workforce has rapidly outpaced efforts to build it up. With the Biden administration’s recent publication of its National Cyber Workforce and Education Strategy, we thought it would be a good time to assess how the United States and the European Union are attempting to address this issue and to evaluate what kind of relief the healthcare sector might expect.[i]

United States

The National Cyber Workforce and Education Strategy is an expansive 60-page document that clearly indicates that the Biden administration takes the issue seriously.[ii] Much like the National Cybersecurity Strategy that came out earlier in the year, the workforce strategy is divided into thematic pillars with associated lines of effort.[iii]

While we won’t go into great detail here, the lines of effort encompass much of what you would expect in a whole-of-society approach. Improving cyber education and awareness (especially in K-12 education), reaching out to underserved communities to improve the diversity of the cyber workforce, looking for places to grow public-private partnerships, finding new funding opportunities and expanding existing ones, encouraging skills-based hiring practices, and encouraging “flexible employment models” are some of the approaches raised within the strategy.

While the scope of the strategy is encouraging, there is a distinct lack of specifics when it comes to describing the actual implementation of the various lines of effort. Expected completion dates and resource allocation are largely absent, and in many cases, the wording around these initiatives does not suggest concrete plans or near-term activities.

Furthermore, the National Security Council and the Office of the National Cyber Director are the entities tasked with implementing the strategy, and with a new National Cyber Director yet to be appointed and the potential for an administration change in 2024, it is an open question as to how much of a implementation priority this becomes.

It isn’t clear that things are any better in the European Union . The EU’s Cybersecurity Strategy for the Digital Decade, published in 2020 highlighted an estimated 291,000 unfilled cybersecurity posts and lamented that “hiring and training cybersecurity experts is a slow process leading to greater cybersecurity risks for organisations.”[iv] To address this deficiency, the EU highlighted multiple approaches to building out education and awareness while also pursuing upskilling and reskilling EU citizens in digital skill sets like cybersecurity.

More recently, the EU launched its 2023 Year of Skills initiative, which is designed to “address skills gaps in the European Union” and aid in “reskilling people with the focus on digital and green technology skills.”[v] As part of that initiative, the EU launched the Cybersecurity Skills Academy, a “European policy initiative aiming to bring together existing initiatives on cyber skills and improve their coordination, in view of closing the cybersecurity talent gap.”[vi]

The Academy hopes to address aspects such as:

Developing frameworks for defining, providing, and assessing cyber skills
Mapping and citing training opportunities, initiatives, and organizations relating to cyber skills
Coordinating pledges from stakeholders from the private sector
Highlighting funding opportunities and projects that support cyber skill development

These types of programs are in addition to the national-level initiatives at the member state level. The maturity of member state efforts varies significantly, from those who only reference it in general digitalization strategies to countries like Latvia, whose Cyber Security Strategy of Latvia for 2019-2022 “has specific goals to educate public and local administration staff on ICT safety, as well as provide cybersecurity skills for SMEs and citizens.”[vii]^, [viii]

Action & Analysis
**Included with Health-ISAC Membership**

Conclusion

We know that many of these considerations are more easily said than done, but as the current environment doesn’t look to change overnight, we do think they are worth investigating. We certainly hope that cyber strategies like those in the United States and the EU make progress sooner rather than later, and we will be sure to update you on the progress of major initiatives related to them.