Dwight Hobbs, a member of the Fuel Board of Directors, is a security services engineer at Lancaster General Health. Previously, Dwight worked to design and build educational capture-the-flag competitions where he has used Palo Alto Networks technologies for the past 6 years.
Fuel HQ talked to Dwight about his experience making the jump between industries and the unique challenge of cybersecurity in healthcare.
Fuel HQ: How has your experience working in a healthcare environment affected the way you approach cybersecurity?
Dwight Hobbs (DH): Working in healthcare has been a huge shift for me, previously coming from the security research community. One big change in moving to healthcare is the way that legacy devices (or devices running legacy operating systems) have to be treated. Any healthcare IT worker can tell you that hospitals are notorious for maintaining legacy equipment, and the reason is the cost of replacing this equipment. When system replacement runs into 6 figures, the idea of replacing just because the operating system is outdated becomes untenable.
It’s our responsibility as security professionals to secure these devices as best we can, even though they’re no longer running the most current software. A lot of this relies on education: keeping up to date with current trends and best practices, whether that’s next-gen endpoint protection or new strategies for micro-segmentation.
The other big change is the ultimate focus on the users. All IT departments work for the users of their organization, but, in healthcare, our users are providing medical care and small problems can end up impacting patient care. The last thing you want to hear when you’re in a hospital is that there are technical issues causing a delay or problem. Most healthcare professionals, my team included, take this very seriously. Whether it’s change control or using test environments, we always need to strive to understand the ultimate impact of our decisions and changes.
Fuel HQ: Jumping industries, what sort of challenges did you encounter? Anything that surprised you? Did you need to get additional training?
DH: Making a big change in industry always comes with a lot of different challenges. Luckily for me, I didn’t need any specific additional training to move to my current job, but that certainly doesn’t mean there isn’t a lot to learn.
Moving from an education/research-focused position at a company with a startup attitude to an engineer position at a 100-year-old hospital was certainly a big shift. While there are a lot of differences, I think the biggest surprise for me was how much there was in common between healthcare and the other industries I’ve interacted with. While the specifics of working with, and defending, any system will change, the best practices you use and the way you approach the problem stay the same. While working in healthcare has expanded the breadth of different systems I interact with, I still rely on the skills I've learned about security tools and tactics every day.
Get Involved!
As Dwight touched upon, while many healthcare organizations rely on legacy systems, outdated technology creates an unsecure environment. Healthcare organizations are beginning to modernize their operations and invest in new technologies to meet regulatory compliance demands, increase efficiency and promote innovation.
Interested in the intricacies of cybersecurity in healthcare IT? According to the U.S. Department of Labor's Bureau of Labor Statistics, IT roles within the healthcare industry are expected to be one of the fastest-growing occupational groups from 2014 to 2024. Request to join the Healthcare Special Interest Group and join the conversation on this hot topic in the Fuel Discussion Forums.