Healthcare Sector Coordinating Council Cybersecurity Working Group

The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of industry associations and their members. It has been a platform for collaboration among healthcare industry leaders and the government for more than a decade to address the most pressing security and resiliency challenges to the healthcare sector. Specifically, your organization is part of an interdependent ecosystem that is facing increasingly sophisticated operational and cybersecurity threats, and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety, security and privacy. It is our collective responsibility to deliver industry-wide policy and operational solutions to this shared challenge. Many organizations are stepping up to this responsibility by joining the HSCC and its Cybersecurity Working Group (CWG). When combined with government partners, we are the Joint Cybersecurity Working Group. All healthcare sector stakeholders who have expertise and resources to contribute are encouraged to do the same.

The responsibility of all Sector Coordinating Councils (SCC) is captured in three iterations of a Presidential Executive Order dating to 1998, the most recent update being Presidential Policy Directive 21 in 2013, which calls on 16 critical industry sectors to self-organize – in partnership with the government – around the mission to protect essential assets and services from systemic threats, both physical/operational and cyber. Every critical industry sector, including healthcare, financial services, electricity, emergency services, communications, water, transportation, and others, has been stepping up to this mission. We do this with two essential functions: the day-to-day operational protection, threat analysis and incident response of the Health Information Sharing and Analysis Center (H-ISAC) and related information sharing and analysis organizations, and the longer-term strategic and policy-oriented mission of the HSCC. Under the executive order, the HSCC is recognized as the private industry partner to the Department of Health and Human Services, which looks to us – in a non-regulatory, partnership posture – to help develop policy and operational improvements that enable our sector to better protect against and respond to threats, vulnerabilities and incidents.

To be eligible as a voting member of the HSCC CWG, an organization must be defined as a “Covered Entity” or “Business Associate” under HIPAA, or as one that develops technology or services regulated by the FDA. Organizations not meeting those definitions may be eligible to participate in the CWG and its task groups as non-voting “Advisors” at the invitation of the CWG or task group leadership.

How is the HSCC different from an industry association?

  • The HSCC is in effect a body of associations plus our member providers and companies working collectively to solve policy and strategic challenges shared across all 6 of our critical healthcare subsectors – Direct Patient Care; Health Information Technology; Health Plans & Payers; Labs, Blood & Pharmaceuticals; Mass Fatality Management Services; and Medical Materials.
  • During designated joint working sessions between government and industry, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from regulatory action and public disclosure under special advisory committee status not provided to individual associations.
  • Further, there are no membership dues to participate in the HSCC – only the contribution of your organization’s available expertise toward the development and implementation of policy and operational improvements to the security and resiliency of the sector.

The HSCC Cybersecurity Working Group has organized much of its work plan toward addressing recommendations made by the Healthcare Industry Cybersecurity Task Force report for improving healthcare cybersecurity, released in June of 2017. The initiative is what drives the formation of outcome-oriented task groups made up of member organizations collaborating to produce specific deliverables that meet the outcome objectives, such as white papers, best practices, and guidance documents. Groups meet on their own determined schedule with agreed deliverables and timelines. Further, all task groups and members-at-large meet in person twice a year at “all-hands” gatherings in April and October in different locations to assess progress and refine work plans.

The following list of task groups constitutes the Healthcare Sector’s work plan for 2020. New initiatives are under consideration for 2019.


We encourage your organization to join the CWG. Every organizational member should assign a primary point of contact and work internally to appropriately resource participation in one or more of the task groups according to organizational priorities. Each task group decides on its specific objectives, scope, output and timeline. Skill sets in the HSCC CWG are multi-disciplinary, including those responsible for:

• Cyber risk management
• Information and data management
• Information technology (IT) and operational technology (OT)
• Patient safety
• Product security
• Privacy and security compliance
• Policy, regulatory and legal affairs

Meaningful and forward-thinking work products are continually being pushed out of the HSCC CWG to our strategic partners and the public. The success of our on-going projects is defined by the time and human capital your organization is willing to commit.

We hope you will join us for this important responsibility. For more information about task group objectives and membership expectations, please contact Cyber Working Group executive director Greg Garcia at