Health Sector Coordinating Council Cybersecurity Working Group
Foundational Authority
Healthcare is designated under U.S. national policy as “critical infrastructure” along with 16 other industry sectors, such as financial services, energy, telecommunications, water, transportation and more, represented by industry-organized “sector coordinating councils (SCCs).” These SCC’s and their government counterparts form a national public-private partnership coordinated by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Composition and Mission
The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) is a government-recognized critical infrastructure industry council of more than 470 healthcare providers, pharmaceutical and medical technology companies, payers, health IT, public health and government agencies partnering to identify and mitigate cyber threats to health data and research, systems, manufacturing and patient care. The CWG membership collaboratively develops and publishes free healthcare cybersecurity leading practices, engages with government partners to consider policy and programmatic options for sector-wide cybersecurity preparedness and response, and produces outreach and communications emphasizing the imperative that cyber safety is patient safety.
The CWG is:
- A government-recognized industry partner advising the U.S. Department of Health and Human Services as its Sector Risk Management Agency on critical healthcare cybersecurity policy and operations;
- A charter-based member council with policy, procedures and elected leadership;
- Organized into outcome-oriented task groups that meet regularly to develop freely available sound cyber practices for a range of healthcare cybersecurity disciplines such as health provider cybersecurity controls, medical device security, supply chain cybersecurity, incident response and business continuity, and more.
- Pursuing achievement of its five-year Health Industry Cybersecurity Strategic Plan to upgrade the diagnosis of healthcare cybersecurity from “critical condition” to “stable condition” by 2029.
2025 Priorities
The HSCC Joint Cybersecurity Working Group published on February 27, 2024 the “Health Industry Cybersecurity Strategic Plan 2024-29”, intended to coalesce the entire health sector around long term cybersecurity goals and objectives to measurably raise the level of cybersecurity preparedness and resiliency by 2029. The priority for 2025 and beyond is to mobilize its implementation and develop an agreed set of measurable outcomes and metrics for success. See Health Industry Cybersecurity Strategic Plan 2024-2029.
The CWG also will continue to focus on its strategic, policy and operational recommendations, including those contained in the Strategic Plan, through function-specific task groups involving industry and government leaders.
Task Groups 2025
The HSCC Cybersecurity Working Group is organized into outcome-oriented task groups that meet regularly to develop freely available sound cyber practices for a range of healthcare cybersecurity disciplines such as health provider cybersecurity controls, medical device security, supply chain cybersecurity, incident response and business continuity, and more. See the active 2025 Task Groups.