HPH SCC Blog – During NCSAM, HSCC CWG Advocates for Patient Safety at HHS

As National Cyber Security Awareness Month (NCSAM) passes its halfway point this October, it is important to note that the healthcare sector – both industry and government – is stepping up to address accelerating cybersecurity threats affecting healthcare operations, data, and patient safety. In the late summer of 2018, the HHS Office of the National Coordinator (ONC), which works to ensure the healthcare industry’s compliance with the security and privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA), asked the industry a number of questions – through a request for information (RFI) – directed at how to better ensure that electronic health records (EHR) technology is secure in both design and management.

On October 17, the Health Sector Coordinating Council sent a response to ONC with recommendations that address those RFI questions:

  1. What reporting criteria could provide information on meaningful differences between products in the ease and effectiveness that they enable end users to meet their security and privacy needs?
  2. Describe other useful security and privacy features or functions that a certified health IT product may offer beyond those required by HIPAA and the ONC Health IT Certification Program, such as functions related to requirements under 42 CFR Part 2.
  3. Discuss the merits and risks of seeking a common set of measures for the purpose of real world testing that health IT developers could use to compare the usability of systems.
  4. What information about a certified health IT product’s security and privacy capabilities and performance have acquisition decision makers used to inform decisions about acquisitions, upgrades, or use to best support end users’ needs?
  5. What, if any, types of information reported by providers as part of their participation in HHS programs would be useful for the EHR Reporting Program (e.g., to inform health IT acquisition, upgrade, or customization decisions)?

The HSCC CWG answers include:

  1. In order for purchasers to be better informed of a vendor’s security posture, they need to consider technical and policy aspects of the devices and systems, ranging from readily available penetration-testing results, encrypted database features and software security analysis to Payment Card Industry (PCI) Data Security Standard compliance, patient consent opt-in agreements, privacy policies and terms and conditions for portals.
  2. Automated features associated with patient privacy would be very helpful and desirable for providers, including vendor ability to track amendments to patient EHRs, automating patient record sharing and disclosure preferences, and enabling patients to file complaints via portals.
  3. Adopting the NIST Cybersecurity Framework and encouraging the use of the OSI Reference Model (the “Open Systems Interconnection Reference Model”) can help accomplish better security.
  4. More information about third parties used by EHR vendors would be helpful such as the location of contracted third parties (domestic or abroad) and supporting documentation to enable purchasers to conduct better risk assessments.
  5. Vendors sell upgrades in a variety of ways and there is no standard way of reporting security issues. Consideration should be given to having a more uniform way to do this.

The bottom line is that the healthcare sector is working to get ahead of the threats facing the sector and its patient population. We’re doing this as a partnership – with government and across critical healthcare subsectors like direct patient care, health IT, medical devices, pharmaceuticals, and health plans and insurance. This isn’t just an IT security problem or a regulatory compliance problem, but one that needs the attention of health providers, chief medical officers, CIOs, general counsels, and the C-suite in general. In this way, we can collaboratively diagnose our cyber health, prescribe a regimen of treatment and move us closer to inoculation against an epidemic of cyber vulnerability.


Health Sector Mobilizes Against Cyber Threats

June 29 Health Sector Council Meeting in Washington gathers 120 industry and government leaders to meet the threat

Washington, DC – July 17 – More than 100 healthcare providers, associations, pharmaceutical, medical device and health IT companies met with government officials in Washington DC June 29 to report and build on their collective progress toward implementing stronger cyber security protections across the healthcare sector. Executives met under the umbrella of the Healthcare and Public Health Sector Coordinating Council (HSCC), established under presidential executive order to identify and mitigate sector-wide threats and vulnerabilities against the delivery of healthcare services and assets.

The HSCC Joint Cybersecurity Working Group (JCWG) – composed of industry and government organizations – reorganized at the beginning of the year to respond to wide-ranging recommendations made by the 2017 Health Care Industry Cybersecurity Task Force (HCIC), an industry-government collaboration appointed by the Department of Health and Human Services in accordance with the Cyber Security Act of 2015. The HCIC presented 6 major imperatives and 105 action items that the sector should address to improve the security and resiliency of healthcare services and patient safety.

In February, the JCWG established 13 task groups organized around implementing many of those action items in partnership with HHS and other government agencies. Task Group leaders on June 29 presented the JCWG with an assessment of progress and a call to accelerate momentum toward meeting our collective cyber security challenges.

In remarks for the June 29 meeting, HHS Deputy Secretary Eric D. Hargan, who leads the agency’s internal and external cybersecurity coordination, said that the joint gathering was “a testament to the hard work done by the Healthcare Sector Coordinating Council to expand its membership and organize task groups to turn the report’s recommendations into action.” He added, “I commend the hard work all of you have done on this top priority for HHS, and I look forward to more progress being made today, and in the days ahead.”

Greg Garcia, Executive Director of the JCWG, observed during the meeting that, “as cyber threats against the healthcare sector proliferate and become more sophisticated, we have realized that we can best mobilize against them as a collaboration, with strength in numbers and expertise. And if we’re successful,” he said, “we’re never done, only better.”

About the HSCC JCWG. The Healthcare and Public Health Sector Coordinating Council (HSCC) is one of 16 critical industry sectors identified under presidential executive order (PDD-63, HSPD 7 and PPD 21) and the National Infrastructure Protection Plan. The HSCC Joint Cybersecurity Working Group (HSCC JCWG) is co-chaired by Terry Rice, Chief Information Security Officer of Merck, and Bryan Cline, Vice President of Standards and Analysis for HITRUST. It is focused on addressing the recommendations of the Health Care Industry Cybersecurity (HCIC) Task Force report released in June 2017 under the sponsorship of HHS, the sector specific agency for the healthcare sector. To do this, the council significantly increased the membership’s numbers and representation, and hired a full time executive director to manage the process – former DHS Assistant Secretary for Cyber Security Greg Garcia.

Surging Engagement Across the Sector

Health care organizations are stepping up to the challenge as the threats accelerate:

  • Since January 2018, private sector organization members increased by 130, from 60 to 190, including providers, companies, associations and other collaborative alliances across 5 subsectors
  • National and state industry association members increased from 5 to 30
  • Private health sector personnel members increased by 249, from 58 up to 307
  • Subsector representation expanded from primarily healthcare providers, to many more in pharmaceuticals, health information technology and medical devices, and plans and payers.
  • Total government personnel are at 50, representing 7 federal agencies and 44 personnel, and one member each from 3 state agencies, 1 county and 1 city organization.

About the Work Plan

The thirteen JCWG task groups – such as medical technology security, supply chain security, workforce development, and information sharing – are co-led by healthcare sub-sector executives and cyber experts, and range in membership from one dozen to three dozen members. They are focused on specific deliverables and outcomes intended to measurably improve the security and resiliency of the sector.

For example:

    • A medical technology and health IT cybersecurity task group, co-chaired by a provider organization and medical technology company, is working closely with FDA to develop guidance from HCIC “Imperative 2”, which calls for improved cybersecurity practices in the production, use and management of medical technology. They are developing a joint plan for cyber risk management commitments between device makers, health IT and provider/customers. This new workstream will engage broad stakeholder discussion and input around software bills of materials – scope, principles and deployment – so that users have better asset management and visibility into the products and systems they install;
    • A task group focused on HCIC “Imperative 5” is working to improve critical intellectual property data security such as pharmaceutical research and life-saving device patents;
    • A workforce development task group responds to “Imperative 3” by compiling best practices for employee/clinician cyber training and cybersecurity curricula in medical and nursing schools; considering how to attract more cyber security talent to the healthcare sector; and matching skills to job descriptions;
    • A pre-existing collaboration between the industry and HHS, now under the sector coordinating council umbrella, is responding to Section 405(d) of the 2015 Cyber Security Act to develop voluntary, consensus-based cybersecurity best practices for healthcare organizations. The guidance is currently being pre-tested with several healthcare organizations across the country;
    • Other task groups, with varying deliverables and timelines for completion, include:
      • Supply Chain Cyber Risk Management
      • Telemedicine Cyber Risk Management
      • Cross-Sector Engagement
      • Exercises
      • Cyber Risk Assessment
      • Information Sharing
      • Future Technologies
      • Marketing and Outreach
      • Policy and Regulation

The next progress report will occur in conjunction with the October meeting of the JCWG in Nashville.

For more information: www.HealthSectorCouncil.org
HSCC JCWG Executive Director: Greg.Garcia@HealthSectorCouncil.org


The Healthcare Sector Coordinating Council and the NH-ISAC: Two Sides of the Same Critical Infrastructure Coin

Every stakeholder of the healthcare system and the subsector they represent, including direct patient care, pharmaceuticals, device manufacturers, health IT and supplies, plans and payers, and mass fatality management, is part of an interdependent ecosystem that is facing sophisticated and targeted cybersecurity threats and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety and security. These stakeholders increasingly recognize a collective responsibility to pool our resources and develop industry-wide policy and operational solutions to our shared challenges.

This responsibility is in fact captured in three iterations of a Presidential Executive Order dating to 1998, the most recent being Presidential Policy Directive 21 in 2013. These executive orders express national policy that identifies 16 critical industry sectors that are essential to homeland and national security, economic security, and public health and safety – industry sectors such as healthcare, electricity, telecommunications, financial services, transportation and more. These industry sectors are stepping up to those tactical and strategic responsibilities with their government partners.

The policy further acknowledges that 80-90% of these sectors are owned and operated by the private sector, which must be responsible for self-organizing around the protection and resilience of those assets and services we depend on. That critical infrastructure protection function takes the form of both tactical/operational, and strategic policy collaboration among major stakeholders within a sector.

These functions are specifically called out in the policy: Information Sharing and Analysis Centers (ISACs) and Sector Coordinating Councils (SCCs). ISACs, including our NH-ISAC, handle day-to-day watch, warning, incident response and best practices cooperation across the sector and with government. SCCs acknowledge daily incidents and cyber-attacks as a given, leaving response to the ISACs, and instead look over the horizon at improving ways – both policy and business strategy – to get ahead of the threat and strengthen national confidence in the security and resiliency of essential services. Whereas ISAC membership consists of many technical and operational leaders within their organizations, the Sector Coordinating Councils convene cross-disciplinary leadership, including general counsels, CTOs and CISOs, government and regulatory affairs, risk and compliance management, and business operations.

The ISACs and SCCs are in effect two sides of the same critical infrastructure coin. Together, ISACs and SCCs work with the government in a public-private partnership called the National Infrastructure Protection Plan (NIPP) to develop strategies for how the sector will mitigate threats and vulnerabilities and how it will partner with the government toward that end. The U.S. Department of Homeland Security works with every sector on these plans, known as Sector Specific Plans, that are updated every 3-4 years, and with each sector specific agency (SSA) that is assigned to the sector corresponding with agency authorities. The Department of Health and Human Services is the designated healthcare SSA.

A closer look at the Healthcare Sector Coordinating Council (HSCC). The HSCC is in effect an association of associations, which includes their enterprise and executive members, convening at the “big table” to identify and attack those cross cutting threats and vulnerabilities that challenge our ability to deliver safe and secure healthcare to the nation. We do this both independent of, and in partnership with, the Department of Health and Human Services – our sector specific agency. In all working sessions between government and industry under this structure, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from public disclosure under special advisory committee status.

While every association member that participates in the HSCC maintains its identity and business-as-usual programs, the HSCC affords its members a 360-degree visibility into other subsector perspectives and work initiatives, and a coordination mechanism to minimize conflict or duplication. Organizations join the HSCC at no cost, but commit “sweat equity” – your expertise, experience and thought leadership – to the development and implementation of policy and operational improvements to the security and resiliency of the sector.

Over the past year, one component of the HSCC – the HSCC Cybersecurity Working Group – has undertaken a number of important cybersecurity initiatives, and additional workstreams are expected to get underway for medical device and health IT security strategy and, more broadly, implementation of the Healthcare Industry Cybersecurity Task Force Report recommendations released in June 2017.

So this is a call to action to you and your organizations. It is recognized that the sector’s cybersecurity mission should be robustly represented – both numerically and substantively – across the six major subsectors: Direct Patient Care; Health Information Technology; Health Plans & Payers; Mass Fatality Management Services; Medical Materials; and Labs, Blood & Pharmaceuticals. It is important – indeed, your responsibility – to ensure that your organizations, representing the most critical service and technology providers with the most extensive economic concentration and population reach, are at the table providing expertise and experience to deal collaboratively with complex problems.

The HSCC Cyber Working Group – currently co-chaired by Terry Rice of Merck and Bryan Cline of HITRUST – is embarking on a membership acceleration initiative to ensure we have robust participation and cross-sector representation. An organizing meeting of the member industry associations will take place at the beginning of February to reaffirm our collective commitment and prioritize our work plan. We will consider what we must tackle first and over the longer term – problems such as the balance between medical device security and user cyber hygiene; best practices for small rural hospitals and family practices; alignment of data security and data privacy; identification of relevant cyber intelligence and information sharing needs from the government; cyber incident exercises; and regulatory harmonization to ensure focused and effective cybersecurity risk management, among many others.

But we need to do this work together: None of us individually is as smart as all of us collectively.

For more information, contact HSCC Cybersecurity Executive Director Greg Garcia: greg.garcia@HealthSectorCouncil.org.
