For over 600 years, physicians have recognized that the practice of medicine requires different specialties. In the 1500s, the Royal College of Physicians was chartered separately from the Royal College of Surgeons, whose lineage dated from the mid-1300s. Six centuries later, the practice of medicine has further specialized. Today, the American Board of Medical Specialties has 24 different medical boards to license 36 specialties and hundreds of sub-specialties. Unmistakably, there is acceptance that not one medical specialty is the sole source of truth, but more importantly, that advancements in medicine have exceeded the ability of one person to be an expert in all areas. For this reason, physicians are comfortable referring patients to other specialties when the medical condition requires different expertise.
Managing a medical practice also requires clinical and non-clinical staff and technology to support routine clinical and business operations. These individuals, just like physicians, have specialties. These individuals, with few exceptions, are not interchangeable, as skills required to manage the different processes are unique.
The New World
There has been an increase in independent and group practices outsourcing the management of electronic health records and patient financial processes to third parties. It was not long after patients’ medical and financial records were moved to electronic systems that criminals and other hackers recognized the value of this data and started hacking into physician computer systems. Identifying cybersecurity risks and then implementing a risk treatment plan is challenging because the threats are constantly evolving. The solution is to leverage individuals with special cybersecurity skills and experience. We should leverage the lessons learned from the American Board of Medical Specialties and seek out specialists to address these unique challenges.
The HIPAA Security Rule has grouped security compliance into administrative,physical, and technical safeguards. Of these requirements, only 22 percent have an information technology focus while the remaining security controls require skills not typically found in the traditional IT staff. The remaining 78 percent of security requirements—those outside of a traditional IT focus—have been identified as a root cause for the majority of reported breaches.
Seeking the Cybersecurity Equivalent to Medical Specialties
Addressing cybersecurity risks requires unique skills and a repeatable process to quantify and prioritize risk as well as the implementation of new processes and technology to reduce risks to an acceptable level. The National Institute of Standards and Technology (NIST) published the Cyber Security Framework (CSF) in 2013 that offers more clarity than the HIPAA Security Rule, but closely mirrors the required actions. The NIST CSF provides clarity and also takes a chronological approach to the security requirements. Simply stated, the NIST CSF has five objectives, each with many controls:
- Identify your assets, systems, and infrastructures
- Protect the things that are valuable
- Detect any attacks
- Respond to attacks
- Recover systems
Technology plays an important part in some of these objectives, but the vast majority (78 percent) are management processes, not technology. To support these requirements, NIST also developed the National Initiative For Cybersecurity Education (NICE), a framework of six cybersecurity categories defining a total of 24 specialties. Similar to the human lifecycle, these specialties address the life cycle of cybersecurity management. For example, the first step in developing a security program is to conduct a comprehensive risk analysis to identify all the ways threats can either disrupt or steal data. This includes assessing potential weaknesses both inside and outside the organization. This is analogous to a pediatrician’s role as they assess the health of the newborn infant, in that they should also identify risks in the family environment that will support that infant.
Pediatricians often vaccinate their patients, comparable to the NIST CSF requirement to “protect” the infrastructure. We understand that vaccinations are not a one-time event, but ongoing throughout the patient’s life, just as protecting a practice requires updating and changing controls in response to new threats. Physicians often rely on patients to detect illness, but several medical specialties have developed, including genetics and genomics, to help identify issues before symptoms appear.
The last two NIST CSF objectives, respond and recover, are used after cyber incidents have occurred. This requires individuals with specialized forensics skills to identify the threat and understand the damage. Other individuals are needed to manage the recovery process. Physicians have similar specialties, including emergency medicine to respond to immediate threats, then other specialties like pathology and radiology to identify diseases, and finally oncology and surgery to repair damage.
By now, it should be obvious that cybersecurity is a separate specialty than information technology. While the primer is the same, the career paths are different. Practioners in the cybersecurity field take different education paths and obtain different certifications, just as physicians rely on 26 different medical boards to manage all of the specialties.
As physician practices look to identify and reduce their cybersecurity risks, consider the probability of success and the risk of failure if you pick the wrong specialty to treat your own patient – your practice.