How Employers Try to Retain Tech Talent

As soon as Scott Algeier hires a freshly minted IT specialist out of college, a little clock starts ticking inside his head.

It’s not that he doesn’t have plenty to offer new hires in his role as director of the non-profit Information Technology-Information Sharing and Analysis Center (IT-ISAC) in Manassas, Va., nor that IT-ISAC cannot pay a fair wage. The issue is that Algeier is in an all-out war for talent – and experience counts. Contractors, government agencies – indeed virtually every other employer across the nation – value experience almost as much as education and certifications.

As employees gain that experience, they see their value grow. “If I can get them to stay for at least three years, I consider that a win,” says Algeier. “We have one job where it never lasts more than two years. The best I can do is hire quality people right out of college, train them and hope they stick around for three years.”

The Military Context
An October 2016 White Paper from the Air Force University’s Research Institute says the frequency of churn is even more dire among those in the military, particularly in the Air Force, which is undergoing a massive expansion of its cyber operations units.

The present demand for cybersecurity specialists in both the public and private sectors could undoubtedly lead the Air Force to be significantly challenged in retaining its most developed and experienced cyber Airmen in the years ahead, writes Air Force Major William Parker IV, author of the study.

“In the current environment, shortages in all flavors of cyber experts will increase, at least in the foreseeable future. Demand for all varieties of cybersecurity-skilled experts in both the private and public sectors is only rising.”

Meanwhile, it is estimated that today there are at least 30,000 unfilled cybersecurity jobs across the federal government, writes Parker. According to the International Information System Security Certification Consortium (ISC2), demand for cyber-certified professionals will continue to increase at 11 percent per year for the foreseeable future. Some estimates place the global cyber workforce shortage at close to a million.

The military – both a primary trainer and employer in cyber – offers some interesting insight. A recent survey of Air Force cyber specialists choosing between re-enlistment and pursuit of opportunities in the civilian world indicates those who chose to reenlist were primarily influenced by job security and benefits, including health, retirement, and education and training.

“For those Airmen who intended to separate, civilian job opportunities, pay and allowances, bonuses and special pays, promotion opportunities and the evaluation system contributed most heavily to their decisions [to leave the military],” Parker’s paper concluded.

Indeed, several airmen who expressed deep pride and love of serving in the Air Force stated they chose to separate because they felt their skills were not being fully utilized.

“Also, they were aware they had the ability to earn more income for their families in the private sector,” adds Parker. The re-enlistment bonuses the Air Force offered were not enough to make up the pay differences these airmen saw.

“It is also interesting that many of those who say that they will reenlist, included optimistic comments that they hope ‘someday’ they may be able to apply the cyber skills they have attained in the service of the nation.”

Tech companies present a different set of competitive stresses, competing with high pay, industrial glamor and attractive perks. Apple’s new Cupertino, Calif., headquarters epitomizes the age: an airy glass donut that looks like it just touched down from a galaxy far, far away, filled with cafés, restaurants, a wellness center, a child care facility and even an Eden-like garden inside the donut hole. Amazon’s $4 billion urban campus is anchored by the improbable “spheres,” three interlocking, multistory glass structures that house treehouse meeting rooms, offices and collaborative spaces filled with trees, rare plants, waterfalls and a river that runs through it all.

While Washington, D.C., contractors and non-profits do not have campus rivers or stock option packages, they do have other ways to compete. At the forefront are the high-end missions that both they and their customers perform. They also offer professional development, certifications, job flexibility and sometimes the ability to work from home.

“We work with the intelligence community and the DoD,” says Chris Hiltbrand, vice president of Human Resources for General Dynamics Information Technology’s Intelligence Solutions Division. “Our employees have the opportunity to apply cutting-edge technologies to interesting and important missions that truly make a difference to our nation. It’s rewarding work.”

While sometimes people leave for pay packages from Silicon Valley, he admits, pay is rarely the only issue employees consider. Work location, comfort and familiarity, quality of work, colleagues, career opportunities and the impact of working on a worthwhile mission, all play a role.

“It’s not all about maximizing earning potential,” Hiltbrand says. “In terms of money, people want to be compensated fairly – relative to the market – for the work they do. We also look at other aspects of what we can offer, and that is largely around the customer missions we support and our reputation with customers and the industry.”

Especially for veterans, mission, purpose and service to the nation are real motivators. GDIT then goes a step further, supporting staff who are members of the National Guard or military reservists with extra benefits, such as paying the difference in salary when staff go on active duty.

Mission also factors in to the equation at IT-ISAC, Algeier says. “Our employees get to work with some of the big hitters in the industry and that experience definitely keeps them here longer than they might otherwise. But over time, that also has an inevitable effect.

“I get them here by saying: ‘Hey, look who you get to work with,’” he says. “And then within a few years, it’s ‘hey, look who they’re going to go work with.’”

Perks and Benefits
Though automation may seem like a way to replace people rather than entice them to stay, it can be a valuable, if unlikely, retention tool.

Automated tools spare staff from the tedious work some find demoralizing (or boring), and save hours or even days for higher-level work, Algeier says. “That means they can now go do far more interesting work instead.” More time doing interesting work leads to happier employees, which in turn makes staff more likely to stay put.

Fitness and wellness programs are two other creative ways employers invest in keeping the talent they have. Gyms, wellness centers, in-house yoga studios, exercise classes and even CrossFit boxes are some components. Since exercise helps relieve stress, and stress can trigger employees to start looking elsewhere for work, it stands to reason that reducing stress can ease the strains of work and boost productivity. Keeping people motivated helps keep them from negative feelings that might lead them to seek satisfaction elsewhere.

Providing certified life coaches is another popular way employers can help staff, focusing on both personal and professional development. Indeed, Microsoft deployed life coaches at its Redmond headquarters more than a decade ago. They specialize in working with adults with Attention Deficit Hyperactivity Disorder (ADHD), and can help professionals overcome weaknesses and increase performance.

Such benefits used to be the domain of Silicon Valley alone, but not anymore. Fairfax, Va.-based boutique security company MKACyber was launched by Mischel Kwon after posts as director of the Department of Homeland Security’s U.S. Computer Emergency Response Team and as vice president of public sector security solutions for Bedford, Mass.-based RSA. Kwon built her company with what she calls “a West Coast environment.”

The company provides breakfast, lunch and snack foods, private “chill” rooms, and operates a family-first environment, according to a job posting. It also highlights the company’s strong commitment to diversity and helps employees remain “life-long learners.”

Kwon says diversity is about more than just hiring the right mix of people. How you treat them is the key to how long they stay.

“There are a lot of things that go on after the hire that we have to concern ourselves with,” she said at a recent RSA conference.

Retention is a challenging problem for everyone in IT, Kwon says, but managers can do more to think differently about how to hire and keep new talent, beginning by focusing not just on raw technical knowledge, but also on soft skills that make a real difference when working on projects and with teams.

“We’re very ready to have people take tests, have certifications, and look at the onesy-twosy things that they know,” says Kwon. “What we’re finding though, is just as important as the actual content that they know, is their actual work ethic, their personalities. Do they fit in with other people? Do they work well in groups? Are they life-long learners? These types of personal skills are as important as technical skills,” Kwon says. “We can teach the technical skills. It’s hard to teach the work ethic.”

Flexible Work Schedules
The modern tech age has two stereotypes. On one hand are all-night coders working in perk-laden offices, fueled by free food, lattes and energy drinks. On the other are virtual meetings populated by individuals spread out across the nation or the globe, sitting in home offices or bedrooms, working on their laptops. For many, working from home is no longer a privilege. It’s either a right or, at least, an opportunity to make work and life balance out. Have to wait for a plumber to fix the leaky sink? No problem: dial in remotely. In the District of Columbia, the government and many employers encourage regular telework as a means to reduce traffic and congestion – as well as for convenience.

For some, working from home also inevitably draws questions. IBM, for years one of the staunchest supporters of telework, now backtracks on the culture it built, telling workers they need to regularly be in the office if they want to stay employed. The policy shift follows similar moves by Yahoo!, among others.

GDIT’s Hiltbrand says because its staff works at company locations as well as on government sites, remote work is common.

“We have a large population of people who have full or part-time teleworking,” he says. “We are not backing away from that model. If anything, we’re trying to expand on that culture of being able to work from anywhere, anytime and on any device.”

Of course, that’s not possible for everyone. Staff working at military and intelligence agencies don’t typically have that flexibility. “But aside from that,” adds Hiltbrand, “we’re putting a priority on the most flexible work arrangements possible to satisfy employee needs.”

Military Aims to Maintain Its Cyber Mission Force Roster

What the U.S. military is trying to achieve in building its Cyber Mission Force is akin to building an airplane – as it flies coast to coast. Even before the armed services achieve their goal of building a fully operational elite corps, they’re already putting those teams to work battling it out in cyberspace.

It’s no secret cyber talent can practically name its price in today’s job market. Last year, for example, Google – already known for its top dollar salaries – announced 20 percent pay hikes for its cyber experts.

But money, it turns out, is only part of the equation.

“This is a huge challenge for the military,” said Lt. Col. Daniel Huynh, a researcher with the Army Cyber Institute at the U.S. Military Academy. “The Army stood up a task force specifically to address this issue of retention. For us it boiled down to this issue of talent management – there’s acquiring the right people, there’s developing them, deploying them and retaining them. The Army’s putting a lot of emphasis on how we crack this problem.”

To help find, manage and keep cyber talent, the military services are:

  • Creating specific cyber specialties. The Army and Air Force have carved out new cyber career fields for both their officer and enlisted troops. The Marine Corps is now in the process of creating a new Cyber Military Occupational Specialty as well. While the Navy still manages its enlisted cyber sailors from within the more traditional IT and cryptologic ratings, it has launched a Cyber Warfare Engineer specialty for officers.
  • Awarding big bonus incentives to encourage cyber reenlistments. The Marine Corps now offers some cyber specialists a $98,000 re-enlistment bonus. And the Air Force expanded its re-enlistment bonus program this year to include senior enlisted cyber troops who are nearing retirement eligibility.
  • Exploring direct commissioning programs to hire cyber experts directly into the military as officers. By treating civilian cyber professionals more like the way the services treat lawyers, chaplains and doctors, the military aims to bring them in as mid- or even senior-level officers at ranks commensurate with their professional experience – a significant change from current practice. Army leaders expect to begin a pilot program later this year; they are the first of the services to act on congressional direction to test direct cyber accessions by 2020.

These moves are all aimed at helping U.S. Cyber Command develop its main “action arm” – the Cyber Mission Force (CMF). Modeled after elite special operations units, the CMF will comprise about 6,200 military and civilian personnel divided into 133 specialized teams drawn from the four military services. These units will be to the cyber fight what Special Forces and SEAL teams are to physical combat.

Yet while the CMF is not expected to reach Full Operational Capability (FOC) until Oct. 1, 2018, many of its teams are already fully engaged in operations.

“We employ teams before they are FOC, which is comparable to employing fighter squadrons before they are fully manned or equipped,” acknowledged Navy Adm. Mike Rogers, current commander of U.S. Cyber Command and director of the National Security Agency, in congressional testimony in May.

“Achieving and sustaining readiness is going to require a comprehensive set of solutions, ranging from an agreed upon readiness model between U.S. CYBERCOM and the services, to ensuring the manpower depth necessary to accommodate professional development, technical proficiency and career predictability,” Rogers said.

Filling the Replacement Stream
Retired Army Lt. Gen. Bob Wood, executive vice president of the Armed Forces Communications and Electronics Association (AFCEA), said “Cybercom is doing well in manning their Cyber Mission Force elements.”

Can Contractors Help Alleviate Cyber Mission Force Skills Shortages?

Contractors can’t actually “fight” as cyber-warriors, but they can do many of the basic tasks required to keep the Cyber Mission Forces operationally ready:

  • Contractors can ensure best practices are being followed in operating and maintaining critical networks and infrastructure. Enforcing good cyber hygiene minimizes potential vulnerabilities and allows the CMF to focus on more difficult threats.
  • Contractors can help train the CMF.
  • Contractors can build and maintain the cyber operations ranges the CMF needs to perfect its skills and operations.
  • Contractors can research technologies and provide advanced capabilities the CMF can use in performing its missions.
  • Contractors can provide the expertise and capacity needed to deliver the all-source intelligence that supports all aspects of the cyber domain mission.

By complementing CMF with contractors, DoD can focus uniformed personnel on their really tough problems, helping satisfy needs for both challenging their staff and advancing their skills. Contractors can also provide an alternative for transitioning military who want to stay with the mission, but can no longer commit to a military career and lifestyle. The nation benefits when those “former” cyber warriors continue to support the mission even after they take off the uniform.

Just as the services need at least two units for every one that’s forward deployed – one that’s getting ready to go and one that’s just returned – so it is with the CMF teams, Wood said.

“I do know that the pipeline, the replacement stream for the fielded forces, remains a problem,” he added. “Sustaining the force seems to be more a problem than initial manning. This is not unexpected, given the focus on rapid buildup.”

The services are well aware of the challenges.

“The gut reaction is to say that it’s all about pay, but there’s also that intangible piece that is more about service and having a real mission,” the Army Cyber Institute’s Huynh told GovTechWorks. “Putting your skills to something that is a really hard and important problem. We’ve realized that to keep the right folks, they want to be challenged. If guys are bored, they’ll want to move on to a different job.”

Air Force Maj. William Parker IV authored a white paper on Cyber Workforce Retention for the Air Force University’s Research Institute, arguing that the services must be more creative if they hope to keep their best cyber talent.

“In the current environment, shortages in all flavors of cyber experts will increase, at least in the foreseeable future,” he wrote. “Demand for all varieties of cybersecurity-skilled experts in both the private and public sectors is only rising.”

Just as civilian airlines and logistics firms vie for military pilots, private industry is eager to hire military-trained cyber professionals, Parker told GovTechWorks. “Given the skill sets they’re receiving, they’re just too marketable on the civilian side,” he said. “We wised up a little bit with our pilots when we talk about retention in the aviation community. We still have a ways to go on the cyber side. We’ve really got to be proactive.”

When the Air Force asked cyber specialists why they chose to reenlist or to leave the service for civilian opportunities, those who chose to stay cited job security, medical benefits, retirement benefits and education and training opportunities as the deciding factors.

By contrast, those who separated cited civilian job opportunities and better pay in the private sector. Several airmen said they chose to separate despite deep pride and love of serving in the Air Force because they believed their skills were not being fully utilized. Indeed, even among those who reenlisted, many cited similar concerns.

Motivated by Mission
AFCEA President and retired Marine Lt. Gen. Robert M. Shea says mission-relevance is critical to job satisfaction.

“The thing that really motivates people is not necessarily the pay, but the mission, the training and keeping them working with up-to-date technology,” he said. Money is important – “it’s probably more important than people would like to admit,” he said. But “if we think it’s the whole solution, we’re making a mistake: You’ve got to focus on the mission,” he said. “You’ve got to make them believe what they’re doing is important.”

Equally critical is to keep raising the bar, as special operations forces do with physical and other training. What sets any elite force apart from the rest of the military is the high standards required to stay in, not just to get in. The question to ask, Shea said, is: “Are we keeping the people we must keep – or just the people we can keep? I just think we’re setting the bar too low.”

Worse could be a disconnect in planners’ understanding of what it takes to hone and develop cyber skills – how quickly the technology develops and how fast skills can atrophy. By not ensuring skills remain sharp, the CMF risks losing the technological edge its designers have worked so hard to create.

‘A Hollow Cyber Force’

Sen. John McCain (R-Ariz.), chairman of the Senate Armed Services Committee, cited statistics suggesting the country is “headed down the path to a hollow cyber force.”

Out of 127 Air Force cyber officers who completed their first tour on the CMF, McCain said, not one went back to a cyber-related job.

“That is unacceptable and suggests a troubling lack of focus,” he warned. “It should be obvious that the development of a steady pipeline of new talent and the retention of the ones we’ve trained already is essential to the success of the Cyber Mission Force.”

Maj. Gen. Christopher Weggeman, commander of the 24th Air Force and of Air Forces Cyber (AFCYBER), said that McCain’s concern “gets to a really, really important problem.”

The Air Force, he said, must improve in terms of how it manages the force and balances the requirements of the CMF against “the broader enterprise needs of our services for a cyber IT workforce.”

This cuts to the heart of the problem: The Air Force is still adjusting to seeing its IT specialists, long regarded as back-office support for front-line warriors, as something more. Indeed, the most advanced cyber specialists are more like Air Force fighter and bomber pilots than the support staff from which they emerged: They too are war fighters.

Yet the services still wrestle with how to balance their internal needs for creating basic IT service talent with combatant commanders’ needs for skilled cyber warriors. The existing training pipeline was built for the former; the latter group needs “to go to advanced cyber schools, like the Cyber Network Operations Defense program at NSA and also our Cyber Weapons Instructor Course,” Weggeman said. As with pilots and other skills in high demand or short supply, retaining and enhancing cyber talent requires a more flexible approach than the institutional one the military typically takes when it comes to managing manpower. When there’s no shortage of similarly skilled service members, the risk of losing one good staff sergeant is minimal. But that changes when skills are in short supply.

Consider the story Huynh tells about his Cyber Protection Team experience. The team was one of the CMF units charged with defending networks from attack, and one of Huynh’s best operators was a staff sergeant who loved both his job and serving in the Army.

“He was awesome, absolutely amazing,” he said. But when it came time for the soldier to reenlist, family reasons compelled him to ask that he not be assigned to a new duty station. “For some reason, the Army couldn’t make it work and we couldn’t get that in writing when it was time to reenlist,” Huynh recalled. “So because of that uncertainty, he got out.”

Not long after, the former staff sergeant was hired back into government as a GS-13, the civilian equivalent of a major, a significant promotion in terms of responsibility, if not necessarily pay.

Similar scenarios play out regularly in all the services.

“The agility that we need to retain these very, very talented people, we have to think of new ways to do that,” Marine Maj. Gen. Loretta Reynolds, commander of Marine Forces Cyber Command, told congressional leaders in May. “It’s very difficult to compete with industry on this. We give them the best training. We give them Top Secret clearances. And importantly, we give them phenomenal experience.”

Reynolds said she needs more flexibility to directly hire Marines getting out of the service rather than meeting existing requirements to allow open competition for every job. It’s not that she objects to competition, but rather that it simply takes longer. Job seekers can’t afford to wait months or even weeks in a competitive job market.

“In the Department of the Navy, I’ve got to compete – I have to open up a job before I can direct hire somebody that I know already has the clearance, already has the skill set, already has the experience.”

IT Staffs Lag in Job Satisfaction vs. Non-IT Workers

Information Technology staff are more likely than other workers to feel disconnected from the missions of their overall organizations, a principal reason for diminished job satisfaction, according to a new study of 5,000 employees in 500 different technology organizations.

TinyPulse, a Seattle, Wash., specialist in employee morale and company culture, surveyed workers about job satisfaction, happiness at work and company values. It found tech employees less satisfied than others.

“What we found to be the most surprising was technology workers’ misalignment with their organization’s purpose and values,” TinyPulse CEO David Niu told GovTechWorks. “Only 28 percent of them know their company’s mission, vision and values, versus 43 percent for non-IT employees.”

Other significant disparities included the extent to which their personal values matched those of their employers.

“For non-IT employees, 45 percent responded with a [top score of] 9 or 10,” Niu said, versus 34 percent for IT workers. “That’s surprising, given how much we see in the popular press about how technology companies like Google and Facebook preach their culture and work-life balance.”

Among areas of concern:

  • Only 19 percent of IT employees gave a strongly positive answer when asked how happy they were on the job. That compares to 22 percent among non-IT workers, “which is a statistically significant difference that makes us worry,” the report stated. Employee engagement is key. “The creativity and passion we need from workers in the tech space can’t thrive without it. So when IT employees, some of our best and brightest, tell us that they’re so much unhappier than people in other industries, we need to pay attention and find out why.”
  • IT employees are less likely to see a clear career path ahead of them. Roughly half of all non-IT employees see clear promotion and career paths ahead, versus slightly more than 1 in 3 IT employees.
  • Only a slim 17 percent of IT employees feel strongly valued at work, compared with 22 percent for non-IT employees. “We asked employees if they would reapply for their current job, then compared those answers to how valued they feel at work,” the report claimed. “The two go hand in hand: Even if they stick around, an unappreciated worker is not a motivated one. Recognition communicates to employees that their work matters, driving them to keep putting in that effort.”
  • Only 47 percent of IT employees say they have strong relationships with their coworkers, versus 56 percent for non-IT employees. “Peers are the number one reason that motivates employees to excel,” reads the report. “It’s not their salary, it’s not their boss — it’s not even their own passion for the field. Tactics like awarding raises and measuring job fit are important, but they can’t substitute for colleagues.”

IT staff working for government contractors and embedded in government offices may face particular challenges. They have to support both the government customer’s mission and their mission as a contractor. While most of the time those two challenges are aligned, sometimes they are not.

“Open and honest communication and trusted relationships are critical,” says Collen Nicoll, director of talent acquisition at systems integrator General Dynamics Information Technology (GDIT). “If the relationship is strong and built on mutual transparency from the beginning, whatever disconnects might arise can be dealt with and eliminated quickly and easily. When it’s not, that’s when problems arise. Onsite managers are there to ensure alignment, make sure they are meeting the customer’s needs and work through problems when and if they occur. For most employees, there should be no question about the alignment between the company’s values, their work and that of the government customer.”

Getting that relationship and tone right is especially important for younger, less experienced employees – the heart of the future workforce. Job satisfaction and career progression are the most critical factors in determining their propensity to stay with the same employer.

“One of the most pressing concerns for employees is to know where they’re going at a company,” the TinyPulse report states. “Our internal research found that among millennials — the largest generation in the workplace — 75 percent would consider looking for a new job if they didn’t have opportunities for professional growth.”

Daniel Todd, CEO and Founder of Affinity Influencing Systems in Kirkland, Wash., said, “Keeping people motivated is often times a mix of giving them clear, detailed direction while simultaneously talking about the big picture and how each element of what they are working on fits into the big picture.”

What can leaders do to improve IT staff morale?

  • Foster professional growth. Make sure employees fit with their jobs and know where they’re going in the organization. Managers should routinely discuss career development with employees.
  • Build the right team. Leaders should understand what kind of culture they want to create, and hire with it in mind. They should understand how a new hire will fit in before they bring them aboard.
  • Prioritize positive feedback. There’s an epidemic of feeling undervalued at work, leading to disengagement and attrition. Acknowledging employees’ accomplishments every day and talking to them when things go right, as well as wrong, builds confidence and trust.
  • Align employees with the company mission. If the mission isn’t clear to the team, the team won’t pull in the same direction. Clearly communicating core values and hiring the people who fit them helps ensure everyone is on the same page.

Unhappy employees “directly impact others with their work, so disengagement and unhappiness has ripple effects throughout [an organization],” the report concludes. Helping unhappy employees improve their situation – and solving the underlying causes – are among the most important things leaders do.

But that doesn’t mean leaders need to do it all by themselves. Admir Hadziabulic, knowledge supervisor at Heavy Construction System Specialist (HCSS), which creates system software in Sugar Land, Texas, leans on employees to spread the company culture to new hires.

“HCSS evolved over time to develop its culture,” says Hadziabulic, “and we try to ensure that everyone who works here has a hand in that culture.”

Each new employee receives a “Culture Book,” a document written by employees and designed to help new hires integrate “into our established culture,” Hadziabulic says. New employees also go through a culture overview class that “explains why we do things the way we do.”

By helping employees understand and buy into that culture, he says, they’re more likely to stick around.

“Job satisfaction starts with the hiring process and then the employees’ start in the workplace,” says Nicoll of GDIT. “Cultures are hard to change, but morale is fluid and always a function of leadership. Hiring the right people is the first, best step. Next comes aligning them with our company values; this includes giving them the tools, training and support they need to succeed. And finally, celebrating their successes – and helping them to learn from their failures – is also important. Morale is just higher when leaders follow that approach.”

Securing Health Data Means Going Well Beyond HIPAA

A two-decade-old law designed to protect patients’ privacy may be preventing health care organizations from doing more to protect vulnerable health care data from theft or abuse.

The Health Insurance Portability and Accountability Act (HIPAA) established strict rules for how health data can be stored and shared. But in making health care providers vigilant about privacy protection, HIPAA may inadvertently distract providers from focusing on something just as important: overall information security.

“Unfortunately I think HIPAA has focused healthcare organizations too much on data privacy and not enough on data integrity, data loss, disrupted operations and patient safety. You can get your identity back at some point, but not your life,” warns Denise Anderson, president of the National Health Information Sharing and Analysis Center (NH-ISAC). “Many of the attacks we are seeing, such as WannaCry, are disruptive attacks and are not data theft attacks. Organizations should be driven to focus on enterprise risk management and it should come from the Board and CEO level on down.”

“Cybersecurity in Health Care crosses a wide spectrum of issues,” adds Sallie Sweeney, principal cyber solutions architect in the Health and Civilian Solutions Division of systems integrator General Dynamics Information Technology (GDIT). “It’s not just protecting patient data. It includes protecting their financial data and making sure the medical equipment works the way it’s supposed to, when it’s supposed to, without potential for error. Think about the consequences of a Denial of Service attack aimed at the systems monitoring patient vital signs in the ICU. You have to look at the whole picture.”

Many public health agencies and smaller businesses are under-resourced or under-skilled in cyber defense, leaving them reliant on products and service solutions they may not fully understand themselves.

NH-ISAC members have access to support and services, such as Cyber-Fit, a non-profit set of services ranging from simple information services to benchmarking assessments of organizations’ cyber health and security posture; shared risk assessments; and cyber services, including penetration testing, vulnerability management and incident response.

Maggie Amato, deputy director of security, design and innovation at the Department of Health and Human Services (HHS), believes increased sharing is at least part of the answer.

“We have to build alliances of threat-sharing capabilities,” Amato says. “The speed, ferocity and depth of attack cannot be dealt with by individual agencies alone.”

Indeed, improved sharing of information about threats, weaknesses and mitigations is one of the key recommendations of the June 2017 Health Care Industry Cybersecurity Task Force.

But getting companies to share threat data is a challenge. Built-in financial incentives drive some firms to minimize publicity and the potential risk it might pose to their businesses. But Anderson says she can see progress.

“I think the public and private sector came together well during the WannaCry incident,” Amato says. Though gaps clearly still exist, the swift response was encouraging.

Anderson’s NH-ISAC could play a key role in improving that response further and narrowing the gaps. NH-ISAC is a non-profit, member-driven organization linking private and public hospitals, providers, health insurance firms, pharmaceutical and biotech manufacturers, laboratories, medical device manufacturers, medical schools and others.

The group is one of 21 non-profit information sharing centers designed to help protect specific industries against cyber threats.

“I think within the NH-ISAC the membership did a phenomenal job of sharing indicators, snort signatures, hashes, mitigation strategies, malware analysis, patching issues and other best practice information. We tried as well to get the information out broadly beyond our membership,” she says. “NH-ISAC is a stellar example of how a community can pull together during an incident to help each other out.”

What HIPAA’s Security Rule Requires

The Office of the National Coordinator for Health Information Technology, which is responsible for overseeing the standards and rules applying to electronic health records, writes in its Guide to Security of Electronic Health Information that the HIPAA Security Rule requires:

  • Administrative actions, policies and procedures to prevent, detect, contain and correct security violations and ensure development, implementation and maintenance of security measures to protect electronic personal health information (ePHI).
  • Physical measures, policies and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion to protect and control access to ePHI.
  • Reasonable and appropriate policies and procedures to comply with government requirements, including requirements for contracting with IT services providers, for maintaining data over time and for periodically reviewing policies and procedures.

She has a long way to go, however. While health care represents one of the largest sectors, the NH-ISAC has garnered only about 200 members since its founding in 2010. By contrast, the financial services ISAC has more than 6,000 members.

Anderson joined the health ISAC from the finance sector ISAC in part to help drum up participation.

“One of the greatest challenges for the NH-ISAC and all ISACs is the lack of awareness amongst the critical infrastructure owners and operators – particularly the smaller owners and operators – that the ISACs exist and are a valuable tool,” Anderson told the House Energy and Commerce subcommittee on oversight and investigations in April. “Numerous incidents have shown that effective information sharing amongst robust trusted networks of members works in combatting cyber threats.” She suggests tax breaks for new members might help encourage wider participation.

“Protecting highly sensitive information – whether it’s patient records, financial data or sensitive government information – is something that has to be baked into every information system,” said GDIT’s Sweeney. “Too often, we have a health care IT system where security is an afterthought – and trying to bolt on the kinds of protections we need becomes painful and expensive.” Sweeney, whose background includes securing large-scale health care information databases and systems for government clients, concluded: “Health care systems should be no less secure than financial systems in banks.”

Another tool for promoting intelligence and threat sharing among health providers is the new Healthcare Cybersecurity and Communications Integration Center (HCCIC), launched by HHS in May.

Modeled after the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), the new HCCIC (pronounced “Aych-Kick”) has been criticized as potentially duplicating the NCCIC and other organizations. But Anderson defends the new center as a valuable community tool for funneling information from the many fragmented parts of HHS into a central healthcare information security clearing house.

She concedes, however, that HCCIC will have to prove itself.

“One potential downside of pulling together HHS components into one floor could be a slowdown of sharing from the private sector as ‘government’ is involved,” she wrote in a written follow-up to questions posed by Rep. Tim Murphy (R-PA). “Another downside could be that even though all of the components are brought together, sharing could still take place in a fragmented, unproductive manner. There could be risk of inadvertent disclosure or risk of post-hoc regulatory penalties for a reported breach. Finally, if efforts are not effectively differentiated from the NCCIC environment, duplication of effort and additional costs for staffing and resources can result.”

HCCIC, in fact, played a key role in the government’s response to May’s WannaCry ransomware attacks. “HCCIC analysts provided early warning of the potential impact of the attack and HHS responded by putting the secretary’s operations center on alert,” testified Leo Scanlon, deputy chief information security officer at HHS, before a House Energy and Commerce subcommittee June 8. “This was the first time that a cyber-attack was the focus of such a mobilization,” he said. HCCIC was able to provide “real-time cyber situation awareness, best practices guidance and coordination” with the NCCIC.

Anderson sees further upside potential. Based on her prior experience with the financial services ISAC, “the HCCIC should be successful if carried out as envisioned and if it is voluntary and non-regulatory in nature,” she told GovTechWorks. “This will result in improved dissemination within the sector. In addition, by bringing all of the components of HHS under one roof, increased situational awareness and cyber security efficiencies will result.”
