Healthcare Sector Coordinating Council Cybersecurity Working Group

The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of industry associations and their members. It has been a platform for collaboration among healthcare industry leaders and the government for more than a decade to address the most pressing security and resiliency challenges to the healthcare sector. Specifically, your organization is part of an interdependent ecosystem that is facing increasingly sophisticated operational and cybersecurity threats, and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety, security and privacy. It is our collective responsibility to deliver industry-wide policy and operational solutions to this shared challenge. Many organizations are stepping up to this responsibility by joining the HSCC and its Cybersecurity Working Group (CWG). When combined with government partners, we are the Joint Cybersecurity Working Group. All healthcare sector stakeholders who have expertise and resources to contribute are encouraged to do the same.

About the HSCC

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is a government-recognized critical infrastructure industry council of more than 400 healthcare providers, pharmaceutical and medtech companies, payers and health IT entities partnering with government to identify and mitigate cyber threats to health data and research, systems, manufacturing and patient care. The CWG membership collaboratively develops and publishes freely-available healthcare cybersecurity best practices and policy recommendations, and produces outreach and communications programs emphasizing the imperative that cyber safety is patient safety.

Eligibility Requirements for the HSCC Cybersecurity Working Group

Membership in the HSCC CWG is open to any organization that is:

  1. a covered entity or business associate under HIPAA;
  2. a health plan or payer;
  3. regulated by FDA as a medical device or pharmaceutical company;
  4. regulated by the HHS Office of the National Coordinator as a health IT company;
  5. a public health organization; and/or
  6. a healthcare industry association or professional society.

Entities not meeting the above criteria, such as consulting, law or security firms, may participate as non-voting “Advisors” at the invitation of the chair.  Advisor-members contribute pro bono and are capped at 15% of total CWG Voting membership.

How is the HSCC different from an industry association?

The HSCC is in effect a body of associations plus our member providers and companies working collectively to solve policy and strategic challenges shared across all 6 of our critical healthcare subsectors: Direct Patient Care; Health Information Technology; Health Plans & Payers; Labs, Blood & Pharmaceuticals; Mass Fatality Management Services; and Medical Materials.
During designated joint working sessions between government and industry, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from regulatory action and public disclosure under special advisory committee status not provided to individual associations.
Further, there are no membership dues to participate in the HSCC, only the contribution of your organization’s available expertise toward the development and implementation of policy and operational improvements to the security and resiliency of the sector.

Call to Action

The guiding principle of the HSCC Cybersecurity Working Group and our Health Industry Cybersecurity Strategic Plan (HICSP) is that cybersecurity responsibility in the health sector is a shared responsibility. If we are to upgrade the diagnosis of healthcare cybersecurity from “critical” to “stable condition”, it will take the collective and collaborative efforts of all private sector and government stakeholders. This means investing in, demanding, implementing, and incentivizing the many cybersecurity practices in this wellness plan. It also means actively promoting and advocating the enablers of “Cyber Safety is Patient Safety” across the ecosystem in a sustained and proactive national campaign. Start now: sign the HICSP Statement of Support.

The following Task Groups constitute the HSCC Cybersecurity Working Group’s 2024 work plan.

405(D) – Health Industry Cybersecurity Practices

Update and amplify the HICP (Health Industry Cybersecurity Practices 2023) with supporting collateral material and timely cyber events, marketing and partnerships.  Version 2 to be published Spring 2023.  See: https://405d.hhs.gov/.

Incident Response And Business Continuity

Develop a healthcare cyber incident response and business continuity plan aligned with existing physical incident response protocols.

Under-Resourced Provider Cybersecurity Advisory Group

A series of documented listening sessions with management of under-resourced providers to hear perspectives about cybersecurity, financial and operational challenges, and the providers’ needs for incentives and other assistance to meet cybersecurity obligations.

Medical Technology Vulnerability Communications

Provide guidance to differing stakeholders (MDMs, HDOs, clinicians, patients) on preparing, receiving and acting on medical device vulnerabilities. First publication April 2022 on patient awareness. Second version on HDO preparedness in process.

Operational Manufacturing Technology Cybersecurity

Develop leading practices for cybersecurity management of operational/manufacturing technology.  Initially focused on medical technology and pharmaceutical subsectors.

Public Health Cybersecurity

Identify strategies for strengthening the cybersecurity and resilience of SLTT public health agencies with the support of private sector and academic organizations.

Outreach And Awareness

Developing CWG brand and document formatting templates, and marketing strategy for publications and messaging.

Risk Assessment

Finalized NIST Cyber Framework Implementation guide; under review by HHS for co-branding.  New initiatives may include developing guidance for aligning enterprise controls with NIST CSF implementation tiers and possibly using the CSF to identify, measure and manage cyber risk to patient safety and privacy.