Health Sector Coordinating Council Cybersecurity Working Group
Foundational Authority
Healthcare is designated under U.S. national policy as “critical infrastructure” along with 15 other industry sectors, such as financial services, energy, telecommunications, water, transportation and more, each represented by an industry-organized “sector coordinating council (SCC).” These SCCs and their government counterparts form a national public-private partnership coordinated overall by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).
Composition and Mission
An industry-led advisory council involving more than 420 regulated healthcare organizations, industry associations, non-voting advisor consultancies and government agencies involved in direct patient care; pharmaceuticals, labs and blood banks; medical technology; plans and payers; digital health and health IT; and public health. Includes government agencies when meeting as the Joint Cybersecurity Working Group;
A designated industry partner under National Security Memorandum 22, which advises its Sector Risk Management Agency (the U.S. Department of Health and Human Services) and other government agencies on critical healthcare cybersecurity policy and operations;
Charter-based governance with elected leadership and a mission to: identify systemic cybersecurity threats to critical healthcare infrastructure; collaborate on guidance and policies for mitigating those risks; and promote threat preparedness and incident response awareness and activities;
Organized into outcome-oriented task groups (see below) that meet regularly to develop freely available guidance on sound cyber practices for a range of healthcare cybersecurity disciplines, such as health provider cybersecurity controls, medical device security, supply chain cybersecurity, workforce development and more.
Membership
Because the CWG is a federal advisory committee with government participation, it is not permitted to charge dues, but it may accept financial and in-kind contributions, such as funding for a salaried executive director and voluntary project-based contributions.
Membership eligibility
Membership in the HSCC CWG is open to any organization that is:
- a covered entity or business associate under HIPAA;
- a health plan or payer;
- regulated by FDA as a medical device or pharmaceutical company;
- regulated by the HHS Office of the National Coordinator as a health IT company;
- a public health organization; and/or
- a healthcare industry association or professional society.
Entities not meeting the above criteria, such as consulting, law or security firms, may participate as non-voting “Advisors” at the invitation of the chair. Advisor-members contribute pro bono and are capped at 15% of total CWG Voting membership.
2024 Priority
The HSCC Joint Cybersecurity Working Group published on February 27, 2024 the “Health Industry Cybersecurity Strategic Plan 2024-29”, intended to coalesce the entire health sector around long-term cybersecurity goals and objectives to measurably raise the level of cybersecurity preparedness and resiliency by 2029. The priority for 2024 is to mobilize its implementation and develop an agreed set of measurable outcomes and metrics for success. See Health Industry Cybersecurity Strategic Plan 2024-2029.
The CWG also will continue to focus on its strategic, policy and operational recommendations, including those contained in the Strategic Plan, through function-specific task groups involving industry and government leaders.
The following task groups constitute the HSCC Cybersecurity Working Group’s 2024 Priorities.
Task Groups 2024
405(D) – Health Industry Cybersecurity Practices
Update and amplify the HICP (Health Industry Cybersecurity Practices 2023) with supporting collateral material and timely cyber events, marketing and partnerships. Version 2 published Spring 2023. See HHS’s 405d webpage.
Incident Response And Business Continuity
Publishing a series: a healthcare cyber incident response plan, an operational continuity checklist, and an executive awareness guide, aligned with existing physical incident response protocols.
Medical Technology Vulnerability Communications
Provide guidance to differing stakeholders (MDMs, HDOs, clinicians, patients) on preparing for, receiving and acting on medical device vulnerability disclosures. First publication April 2022 on patient awareness. Second version on HDO preparedness in progress.
Operational Manufacturing Technology Cybersecurity
Develop leading practices for cybersecurity management of operational/manufacturing technology. Initially focused on medical technology and pharmaceutical subsectors.
Outreach And Awareness
Developing the CWG brand and document formatting templates, and a marketing strategy for publications and messaging.
Public Health Cybersecurity
Identify strategies for strengthening the cybersecurity and resilience of SLTT (state, local, tribal and territorial) public health agencies with the support of private sector and academic organizations.
Risk Assessment
Jointly published with HHS the Health Sector NIST Cybersecurity Framework Implementation Guide. Version 2 underway.
Under-Resourced Provider Cybersecurity Advisory Group
A series of documented listening sessions with management of under-resourced providers to hear perspectives about cybersecurity, financial and operational challenges, and the providers’ needs for incentives and other assistance to meet cybersecurity obligations.