FAQs



HEALTHCARE SECTOR COORDINATING COUNCIL

What Is It?

  • The cross-sector coordinating body representing one of 16 critical infrastructure sectors identified in Presidential Executive Order (PPD-21)
  • A trust-community partnership convening companies, non-profits and industry associations across six subsectors with HHS, DHS, law enforcement, and intelligence community
  • Mission: to identify cyber and physical risks to the security and resiliency of the sector, and develop planning guidance in a 3-year Sector Specific Plan and implementing task groups for mitigating those risks
  • In meetings with government, it is the “Healthcare & Public Health SCC” (HPH SCC)
  • Focused on longer-term critical infrastructure policy and strategy, complementing the operational National Health Information Sharing and Analysis Center, which serves as the sector’s tactical watch, warning, incident response, forensics, and best practices hub for intra-sector and government information sharing

Who Is In It?

  • The HSCC is composed of major stakeholders from the six HHS-identified subsectors – industry associations and their member organizations & individuals:
    • Direct Patient Care
    • Health Information and Medical Technology
    • Health Plans and Payers
    • Laboratories, Blood and Pharmaceuticals
    • Mass Fatality Management Services
    • Medical Materials
  • The Department of Homeland Security defines critical infrastructure owners and operators, and thus membership in the SCC, as: “…those entities that own and invest in infrastructure assets, in the systems and processes to secure them, and that are held responsible by the public for their operations and response and recovery when their infrastructures or key resources are disrupted.”

How Does It Operate?

  • Serves as a coordinating body – “the big table” – for industry associations and their members to unify effort toward policy and strategic solutions to shared security and resiliency challenges
  • Does not supplant association work but coordinates their visibility, prioritization, and deconfliction
  • Organized along functional and policy working groups with specific deliverables
  • Regular meetings and conference calls and ongoing interaction with HHS as the principal sector specific agency (SSA)
  • Forges joint work products – separately and with the government – that can be implemented across the sector to improve security and resiliency
  • Strives to address cross-cutting issues affecting two or more subsectors, requiring industry associations and members to use their governing structures to enable accurate representation of their positions and agree to joint initiatives and outcomes

Healthcare Sector Coordinating Council Cybersecurity Working Group Proposed Structure

How is the HSCC Different from a Trade Association?

  • The HSCC is an association of associations and their members, with one unified focus: coordinated critical infrastructure protection (CIP) – both cyber and physical, working toward the common good
  • As a recognized partner with the government under presidential executive orders (PPD 21 as amended), the HSCC-HHS ongoing partnership is given special protection from Freedom of Information Act exposure, per below
  • To encourage and protect exchange of sensitive CIP information and planning, all SCCs – not individual trade associations – when collaborating with government are designated as “CIPACs” – Critical Infrastructure Protection Advisory Committees
  • In order to maintain its CIPAC status, an SCC cannot directly lobby the way an association or company can
  • The SCC does not / cannot charge dues in order to retain its FOIA-exempt status when collaborating with government (dues are considered exclusionary)

Why Participate in the HSCC?

  • Collectively develop and implement policy and operational improvements to the security & resiliency of individual enterprises and the sector
  • Build relationships and engage regularly with senior government officials in a trusted environment outside of – and protected from – any regulatory, public disclosure or competitive risks
  • Gain visibility into other associations’ initiatives and positions to deconflict and coordinate for efficient resource management and effectiveness
  • Contribute to unity of effort as a counter-balance against regulatory or legislative intervention
  • Demonstrate thought leadership toward the common good
  • Step up to your organization’s responsibility for the nation’s public health and safety



CYBERSECURITY WORKING GROUP

What is the HSCC Cybersecurity Working Group?

  • One of the standing Working Groups under the HSCC umbrella
  • Tasked with identifying major cybersecurity threats and vulnerabilities to the security and resiliency of the healthcare sector, and developing cross-sector policy and strategic approaches to mitigating those risks

What Executive Roles are Required for Participation?

The Cybersecurity Working Group is composed of senior executives with decision-making authority from industry associations, healthcare enterprises and providers who have technical or managerial responsibility for:

  • Cyber risk management
  • Information and data management
  • Information technology (IT) and operational technology (OT)
  • Patient safety
  • Product security
  • Privacy and security compliance
  • Policy, regulatory and legal affairs

Results of Reorganization and Membership Campaign

Since the February 6, 2018 Organizing Meeting:

  • Private sector organization members increased by 126, from 60 (including 12 vendors and consultants) to 186, including providers, companies, associations and other collaborative alliances across 5 subsectors
  • National and state industry association members increased from 5 to 30
  • Private health sector personnel members increased by 241, from 58 up to 299
  • Providers make up the majority of subsector representation, with Pharma, HIT, Medical Device/Materials, and Plans/Payers open for additional representation
  • Total government personnel are relatively unchanged at 53, representing 7 federal agencies and 48 personnel, and one member each from 3 state agencies; 1 county and 1 city organization.

What is Ahead for the HSCC Cybersecurity Working Group?

13 Task Groups appointed to work with HHS, FDA and other government partners to implement the Healthcare Industry Cyber Security Task Force recommendations:

  1. Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity
  2. Increase the security and resilience of medical devices and health IT
  3. Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities
  4. Increase healthcare industry readiness through improved cybersecurity awareness and education
  5. Identify mechanisms to protect R&D efforts and intellectual property from attacks and exposure
  6. Improve information sharing of industry threats, risks, and mitigations

2018 New Initiatives

HEALTHCARE CYBER RISK MANAGEMENT & GOVERNANCE       REGULATION & POLICY
HEALTHCARE CYBERSECURITY RISK ASSESSMENT            WORKFORCE DEVELOPMENT
MEDICAL DEVICE SECURITY AND MANAGEMENT              CROSS-SECTOR ENGAGEMENT
INTELLECTUAL PROPERTY DATA PROTECTION               INFORMATION SHARING
SUPPLY CHAIN / THIRD PARTY CYBER RISK MANAGEMENT    MARKETING AND OUTREACH
TELEMEDICINE                                        FUTURE GAZING
“TOP TEN” BEST PRACTICES                            EXERCISES



Greg Garcia, Executive Director
greg.garcia@HealthSectorCouncil.org