Meeting the Cybersecurity Challenge through Competition

Jennifer A. Kurtz, MBA


"Learning is experience; everything else is just information." (Albert Einstein)

The gap between the number of cybersecurity professionals required by all organizations, and the number with the multiple years of experience desired by the healthcare industry specifically, continues to grow. A 2010 report on meeting the cybersecurity staffing challenge within the US Government (and especially, the US Department of Defense), stresses the training benefits of student competitions designed around a mock cyber incident.i The 4th annual Rocky Mountain Regional Collegiate Cyber Defense Competition (RMCCDC), hosted by Regis University February 27 and 28, 2015,ii offered eight teams from regional universitiesiii the opportunity to test their skills and problem-solving abilities in a simulated healthcare environment.

The competition scenario was realistic: the fictitious Regis HMO was expanding to include remote clinics about which no risk assessment information was readily available. The eight competition teams were asked to check the security status of equipment and networks, port the email system over from the Unix to the Exchange environment, and maintain business services using the electronic health records (EHR) management system, OpenEMR, with no downtime.

The competition planners, including ten Regis graduate students whose participation counted as their MS capstone project (in lieu of a thesis), populated the challenge with devices commonly used in medical facilities—tablets, a camera positioned in a room as part of medical experiment, printer, Unix and Exchange email servers, Raspberry Pis (credit-card-sized computer), wireless access points (that were added to the competition's network environment on the second day). Because of the quality of the teams (eight members each, with up to four alternates), the Red Team was challenged to inject extra, ad hoc problems into the environment. The script was expanded on day two to include deploying patient monitors to the network environment (decommissioned equipment loaned temporarily by Boulder Community Hospital), a roof collapse from heavy snowfall, compromised server, and a message from Two Men and A Boy moving company, who had moved systems but were not sure that everything was in place.

National sponsors Raytheon and INSCOM joined forces with other sponsors from private industry, the State of Colorado, the Colorado National guard, and key IT professional organizations (AITP, OWASP, ISACA, ISSA) to contribute some 104,000 volunteer hours to producing this learning experience for the students. Their ROI was the opportunity to observe talented students (and prospective job candidates) in action, earn 3.5 CPE credits, and promote awareness about the specific security issues related to the healthcare and medical industry.

According to Fred Gray, Regis associate professor of Physics and Astronomy, the competition was beneficial to students who acted as planners and as competitors. "I saw them working hard and being innovative, while teaching themselves some things about technology." They were learning by doing, gaining the experience that Einstein so valued and that government agencies and private industry recruiters are looking for.

The winning team was a first-time RMCCDC competitor, Southern Utah University. Regis University's team placed second, and the US Air Force Academy team placed third.

i Stuart Starr, Daniel Kuehl, and Terry Pudas (2010), "Perspectives on building a cyber force structure," Conference on Cyber Conflict Proceedings 2010. Retrieved from https://ccdcoe.org/publications/2010proceedings/Starr%20-%20Perspectives%20on%20Building%20a%20Cyber%20Force%20Structure.pdf
iiSee <http://academic.regis.edu/cias/rmccdc/>
iiiUniversity of Colorado, Colorado State University, US Air Force Academy, University of Kansas, University of Nebraska (Omaha), Southern Utah University, LDS Business College