Do we have enough healthcare security professionals? Has the skill become so important that it is ahead of the industry? IT professionals can hardly keep up with the latest technology. Throw an intense layer of security on it, and it becomes difficult to keep up with.

The need for healthcare security professionals has changed drastically in the last 3 years. There is now a cost associated with it, and sometimes the price tag is too high. Calling it a consistently “strategic pitfall in the cybersecurity environment,” the Atlantic Council’s Director of the Cyber Statecraft Initiative Josh Corman said that healthcare is simply used to doing more with budgets that are smaller than what they need.

Corman is part of the HHS’ Health Care Industry Cybersecurity Task Force. Created by the Cybersecurity Information Sharing Act of 2015, the team is tasked with analyzing the state of healthcare security, including healthcare security professionals.

While the report won’t be released until later this month, Corman shared a few startling details with Healthcare IT News.

Across the board, all sectors are facing a shortage of healthcare IT professionals, a recent Information Systems Audit and Control Association report found. More than a quarter of all businesses take six months to fill the security role. The reason? The majority of those applying aren’t qualified.

This statistic becomes even more untenable for hospitals and medical practices in smaller, less desired areas that are forced to get creative when it comes to finding and retaining healthcare security professionals.

Corman explained that these hospitals and practices are already facing financial hardships, but also struggle to keep healthcare security professionals on staff due to their location.

“The entire industry lacks a talent pool: there just aren’t enough chief information security officers on the planet to fill all of the needed positions,” Corman said. “And it’s just not affordable.”

“Many of these hospitals are running at break-even budgets before adding any additional costs,” he said. “One healthcare security person just isn’t enough to defend against these highly-connected networks.”

In fact, small, medium and rural hospitals and practices are often so strapped for funding that some organizations are lacking even a single IT person. And in some instances, nurse practitioners were designated as IT security officers.

“Some of these fill-in IT people were looking for a crash-course,” Corman explained. “Others had employees teaching themselves how to be in the position.”

Clever and collaborative hospital leaders, meanwhile, are even pooling resources with neighboring institutions to hire healthcare security professionals to share within the region or tapping into a virtual CISO who serves multiple health entities.

“There’s a pretty big delta between what we’d expect organizations to have in place and what we’re finding,” Corman added. “Large hospitals tend to have the staff, but we’re trying to determine a healthy ratio of security staff to the size of the organization.”