Healthcare Sector Coordinating Council Cybersecurity Working Group

The Healthcare and Public Health Sector Coordinating Council’s (HSCC) Cybersecurity Working Group (CWG) is a standing working group established by the HSCC with the recognition that cyber threats to the healthcare sector are becoming more numerous, more frequent, and more severe, and thus require concerted and coordinated mitigation efforts across the sector.

The mission of the HSCC CWG is to collaborate with the Department of Health and Human Services and other federal agencies to develop and encourage adoption of recommendations and guidance for policy, regulatory and market-driven strategies to facilitate collective mitigation of cybersecurity threats to the sector that affect patient safety, security, and privacy, and consequently, national confidence in the healthcare system.

HSCC CWG membership is open to all for-profit and not-for-profit healthcare associations, providers and related companies representing critical healthcare industry subsectors.

As defined in its Sector-Specific Plan, the Healthcare and Public Health (HPH) sector consists of organizations representing multiple sub-sectors:
• Direct Patient Care
• Health Plans and Payers
• Pharmaceuticals, Laboratories, and Blood
• Medical Devices and Materials
• Mass Fatality Management Services
• Health IT
• Public Health

The HSCC is a private-sector organized and managed policy council within the framework promulgated by Executive Order 13636 (2013) and its companion Presidential Policy Directive (PPD) 21. This framework establishes a consultative process to coordinate improvements to the cybersecurity of critical infrastructure, and requires the Secretary of Homeland Security to engage Sector Coordinating Councils through the National Infrastructure Protection Plan (NIPP). The NIPP establishes a public-private partnership for critical infrastructure protection between sector coordinating councils and their assigned sector-specific government agencies (SSA’s).

The SSA for the healthcare sector is the Department of Health and Human Services. Engagement between these parties is designated as a Critical Infrastructure Protection Advisory Committee (CIPAC), which protects information exchanged between SSC’s and SSA’s from Freedom of Information Act requests and regulatory jeopardy when voluntary coordination and decision making with the government concerns sensitive and protected critical infrastructure information.

One primary guidance document for managing risk to the sector is the “Sector Specific Plan (SSP),” which is developed jointly by government and healthcare sector stakeholders, and updated every 3-4 years, as a statement of commitment and collaboration toward sector security and resiliency. The Healthcare and Public Health (HPH) SSP rolls up into the NIPP, which encompasses all 16 critical industry SSP’s. Ad hoc and standing working groups under the HSCC are expected to execute the broad objectives articulated in the SSP.

The SSP identifies cybersecurity as a sector-wide threat and lays out broad objectives for mitigating the threat. Accordingly, the HSCC delegates responsibility for coordinating sector-wide cyber threat mitigation to the CWG.

The HSCC CWG mission imperative was augmented by the enactment of the Cybersecurity Act of 2015, which outlines new requirements for the Department of Homeland Security (DHS), Sector-Specific Agencies (including the Department of Health and Human Services (HHS)), and private industry. The Act established in §405(c) the Health Care Industry Cybersecurity Task Force, which published in June 2017 a series of recommendations for improving the sector’s cybersecurity risk management, and in §405(d) a consultative process for the development of “voluntary, consensus-based and industry-led guidelines, best practices, methodologies, procedures and processes” for cybersecurity risk management in the healthcare sector.