HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cybersecurity Services Being Outsourced Due to Lack of Skilled Staff

A lack of suitable personnel with appropriate skills to improve cybersecurity defenses is leading many CISOs and CIOs to look outside their organizations for assistance. Businesses and healthcare providers are now increasingly hiring third-party experts to provide cybersecurity services, according to a new report by Cybersecurity Ventures.

Wave of Attacks Increases Demand for Trained Cybersecurity Staff


Cybersecurity incidents have risen by 48% over the course of the previous 12 months and industry experts predict that the volume of security incidents will rise further still throughout 2015 and 2016. This is not a problem that will just go away. Improving cybersecurity defenses to resist highly sophisticated attacks requires skilled staff, and with the complexity of attacks increasing, there is no time to lose.

The quarterly Cybersecurity Market Report indicates that the increased risk of attack has led many businesses to create new positions for cybersecurity officers; however, the dearth of talent has seen 209,000 of those cybersecurity jobs remain unfilled. Over the next three years, demand for skilled personnel is likely to increase further, exacerbating the current problem.

Unfortunately, the elevated threat level means that positions cannot remain unfilled for long. The only option available for many companies is to outsource the positions and recruit outside experts to provide the security services required.

Time is critical when it comes to dealing with a data breach. Action needs to be taken fast, especially in heavily regulated industries such as financial services and healthcare, if fines are to be avoided. It is therefore no surprise that healthcare providers in particular are bringing in the experts when they discover hackers or malicious insiders have accessed and copied Protected Health Information (PHI).

In recent years there has been an explosion in the number of cybersecurity firms. These companies can offer businesses – and healthcare providers – the services needed to protect confidential data from external attacks, including developing customized solutions to minimize cybersecurity risk. Many of these firms are now specializing, dealing with the healthcare industry only or offering services exclusively to federal and government agencies.

Huge Demand Has Led Many CISOs and CIOs to Set up Cybersecurity Firms


One problem that is occurring across a number of industries is the loss of trained staff. CISOs and CIOs are leaving their employers to set up their own private cybersecurity firms. With demand at an all-time high and a severe lack of staff with the appropriate skills and qualifications, there is considerable money to be made by going private. Over the coming two years, if the lack of personnel is not addressed, a great deal more security staff may break free and set up their own ventures, compounding the current problem.

There are of course a number of advantages to outsourcing cybersecurity. By recruiting expert help, HIPAA covered entities can ensure that risk assessments are conducted thoroughly, all security vulnerabilities are addressed and a tailored action plan is implemented to address all security risks and minimize the probability of suffering a data breach.

Healthcare providers looking to introduce new technology must conduct a full and thorough risk assessment before the technology can be used to make sure that Protected Health Information (PHI) is properly safeguarded (in accordance with the standards demanded by the Health Insurance Portability and Accountability Act).

Every time new technology is introduced, staff need to be trained to run the new tech, or new staff must be recruited. With the current pace of advances in technology, systems often become obsolete very quickly and the whole process must start again. Outsourcing may cost more in the short term, but in the medium term savings can certainly be made.

However, unless the lack of staff is addressed – on a national level – HIPAA-covered entities may be left with no choice but to outsource to private cybersecurity companies, regardless of the cost. When the cost of a data breach is taken into consideration, outsourcing cybersecurity requirements to third-party experts seems very cheap by comparison.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.