Consider a job candidate’s human elements as much as their technical smarts, says University of Chicago Medicine’s Erik Decker.

Jan 06 2020

Q&A: UChicago Medicine’s Erik Decker on How to Attract Healthcare IT Talent

Hiring a new IT staffer? Personality and growth potential are just as important as a strong technical skill set.

As threats to healthcare systems grow in number and severity, talented IT staff are vital for preventing cyberattacks and keeping a complex network of devices running smoothly.

“The reliance on technology in healthcare is so profound,” says Erik Decker, chief information security and privacy officer at University of Chicago Medicine. “It’s not possible for us to operate for any sustained period of time on paper.”

Attracting talent, however, is a challenge: Unemployment in the field reached a 20-year low in May, federal data shows, and workers with advanced skills are in high demand.

A former board chair of the Association for Executives in Healthcare Information Security, Decker spoke with HealthTech Managing Editor Kevin Joy about his key hiring strategies and advice for others.

HEALTHTECH: What does the healthcare IT hiring landscape look like right now?

DECKER: It’s very challenging. There’s a huge need for talent and not enough talent out there. The traditional means — open up a job requisition, cull through candidates and find a couple who are really good — isn’t the only way it works anymore.

Most people in senior positions can pretty much write their own ticket. It takes a lot of outreach and enticements, and you have to look beyond normal boundaries.

HEALTHTECH: How have security challenges facing your staff evolved?

DECKER: Certainly, the level of sophistication of threat actors has increased. The barrier to entry to do harm is much lower than it has ever been. The ability to scale up ransomware can bring an organization to its knees. It’s very scary.

Let’s take the case of WannaCry. If you shut down a compromised system, suddenly you have no ability to provide treatment, and your organization is scrambling to send hundreds of patients somewhere else. 

The other significant change that everybody is talking about — and there’s a lot of dissenting opinion — is the vulnerability of medical devices: Can you hack them and cause harm? It’s so important for us to consider what’s going on in the IoT space.

HEALTHTECH: Where do you scout for talent?

DECKER: We certainly rely on internal recruiters who have their own tactics. Social media and leveraging my own network also are avenues that we use.

We’ve had internship programs that offer a great pipeline; sometimes we will lower the classification of a job and hire a more junior individual and work on training them into the skill set. That has been very successful for retention.

HEALTHTECH: What characteristics do you look for in a new hire?

DECKER: It depends on the job. If you’re hiring for a highly technical engineer, then you’re looking for skill sets to complement a deficiency on the team. You want diversity. That gives everyone their own little niche, which I think is helpful for ownership of the work that we do.

Generally speaking, I look for three qualities in every candidate: nice, bright and hardworking.

It sounds a little cliche and high level, but the ability to form a highly functioning team relies on it. Candidates who are technically proficient but lack interpersonal skills don’t make it to the top of the list. If you can’t work with your peers and inside the business, it’s a hindrance to the security program.

HEALTHTECH: How do those strengths help doctors and other personnel?

DECKER: The reality is, people don’t just follow a set of cybersecurity principles and guidelines because they’re there and written. They’ll do it if they are educated and given an opportunity to ask questions and buy in.

Policy is important, absolutely, but you also need to demonstrate that your program is there to assist and enable the organization. Your IT teams must be embedded in key business processes.

Maybe you’ve got certain leaders looking to contract with new vendors and bring in new technology, or to use data in a novel way. It’s one thing for me to talk with executives about our big strategic plans, but my own people have to walk the walk — knowing our rules and principles, being a service provider, and feeling the pulse of the organization to provide feedback and direction in the right way.

HEALTHTECH: How are you using automated services and solutions to fill an expertise gap?

DECKER: There will never be enough hands to keep up with today’s modern threats, so automation must be part of the general strategy. It’s not a replacement for your people but rather a tool to enable your experts to work at their highest level of capability.

To achieve automation, you must first have strong and repeatable processes. It’s impossible to automate a process that changes every time you execute it. I recommend executing and testing your processes regularly and ensuring they get to high fidelity.

There are plenty of interesting tools out there to consider, from SOAR [security orchestration, automation and response] to GRC [governance, risk management and compliance], but all of them require your foundational process to be robust.

HEALTHTECH: What advice would you give other CISOs, especially in small or rural markets, to attract the right people?

DECKER: First, I would say check out the guide that was just put out by the Healthcare and Public Health Sector Coordinating Council. A bunch of smart, fantastic individuals have compiled a roadmap for building a qualified cybersecurity workforce.

For hospitals in rural areas or ones that might not have many resources, you’ve got to get a little more creative. There are virtual CISO types of service arrangements you can get into with third parties where you’re bringing top talent in but slicing their time. Organizations in incredibly remote areas might want to consider managed services as an option.

Photography by Matthew Gilson