Introduction

Health Sector Council Cyber Working Group Introduction

The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of industry associations and their members. It has been a platform for collaboration among healthcare industry leaders and the government for more than a decade to address the most pressing security and resiliency challenges to the healthcare sector as a whole. Specifically, each of your organizations is part of an interdependent ecosystem that is facing increasingly sophisticated operational and cybersecurity threats and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety, security and privacy. It is our collective responsibility to deliver industry-wide policy and operational solutions to this shared challenge. Many organizations are stepping up to this responsibility by joining the HSCC and its Cybersecurity Working Group. All healthcare sector stakeholders who have expertise and resources to contribute are encouraged to do the same.

About the HSCC. The responsibility of all critical sector coordinating councils is captured in three iterations of a Presidential Executive Order dating to 1998, the most recent being Presidential Policy Directive 21 in 2013, which calls on 16 critical industry sectors to self-organize – in public-private partnership with the government – around the mission to protect essential assets and services from existential threats, both physical/operational and cyber. Every critical industry sector, including healthcare, financial services, electricity, emergency services, communications, water, transportation, and others, has been stepping up to this mission. We do this with two essential functions: the day-to-day operational protection, threat analysis and incident response of the National Health Information Sharing and Analysis Center (NH-ISAC) and related information sharing and analysis organizations, and the longer-term strategic and policy-oriented mission of the Healthcare Sector Coordinating Council (HSCC). Under the executive order, the HSCC is recognized as the private industry partner to the Department of Health and Human Services, which looks to us – in a non-regulatory, partnership posture – to help develop policy and operational improvements that enable our sector to better protect against and respond to threats, vulnerabilities and incidents.

The HSCC handles both physical/operational delivery issues, such as natural disaster response, supply chain disruption, active shooter, etc., and cybersecurity.


How is the HSCC different from an industry association?

  • The HSCC is in effect an association of associations plus our member providers and companies working collectively to solve policy and strategic challenges shared across all 6 of our critical healthcare subsectors – Direct Patient Care; Health Information Technology; Health Plans & Payers; Labs, Blood & Pharmaceuticals; Mass Fatality Management Services; and Medical Materials.
  • During designated joint working sessions between government and industry as the Healthcare and Public Health Sector Coordinating Council, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from regulatory action and public disclosure under special advisory committee status not provided to individual associations.
  • Further, there are no membership dues to participate in the HSCC – only the contribution of your organization’s available expertise toward the development and implementation of policy and operational improvements to the security and resiliency of the sector.

Call to Action. On February 6 of this year, the leadership of the HSCC Cybersecurity Working Group – co-chairs Terry Rice, CISO of Merck, and Bryan Cline, VP of Standards for HITRUST – convened almost three dozen national-level healthcare associations and councils at a meeting in Washington, DC as part of a member recruitment and program enhancement campaign to counter the accelerating cyber threats to our sector.

At this meeting, healthcare sector executives were briefed on the HSCC Cybersecurity Working Group and our responsibility to participate, and we discussed the priority cybersecurity challenges we should collectively tackle, drawing primarily on recommendations made by the Healthcare Industry Cybersecurity Task Force Report released last June. The following list of initiatives resulted in the formation of outcome-oriented task groups that constitute the Healthcare Sector’s work plan for the year ahead. Your organization’s participation and leadership in at least one of these groups is essential to their success.

  • Healthcare Cyber Risk Management
  • Healthcare Cyber Risk Assessment
  • Medical Technology Cyber Risk Management
  • Intellectual Property Data Protection
  • Supply Chain / 3rd Party Cyber Risk Management
  • Telemedicine
  • “Top Ten” Best Practices
  • Regulation & Policy
  • Workforce Development
  • Cross-Sector Engagement
  • Information Sharing
  • Marketing and Outreach
  • Future Gazing
  • Exercises


We encourage your organization to join the Cyber Working Group. Every organizational member should assign a primary point of contact and work internally to appropriately resource participation in one or more of the task groups according to organizational priorities. Each task group decides on its specific objectives, scope, output and timeline. Skill sets in the HSCC CWG are multi-disciplinary, including those responsible for:

  • Cyber risk management
  • Information and data management
  • Information technology (IT) and operational technology (OT)
  • Patient safety
  • Product security
  • Privacy and security compliance
  • Policy, regulatory and legal affairs

As of mid-April, the task group leaders are initiating kickoff calls for the new task groups to scope the work product, expected outcomes and success measures, and timelines.

We hope you will join us for this important responsibility. For more information about task group objectives and membership expectations, please contact Cyber Working Group executive director Greg Garcia at greg.garcia@HealthSectorCouncil.org.

The following pages provide more information on what is expected of HSCC members and how task groups work. In the next few weeks we will also be updating the CWG Charter to guide members on the governance process for leadership selection, workstream management and work product approvals, and developing a CWG website, which over time we envision will offer members-only pages for draft document retrieval and editing, member search and chat functions.


What are the Terms of Membership?

Eligibility

  • Membership is open to any healthcare sector company, provider, nonprofit and association whose principal function falls under any of the six identified subsectors of Direct Patient Care; Plans & Payers; Health Information and Medical Technology; Pharma, Labs & Blood; Medical Materials; and Mass Fatality Management Services.
  • The integrity of the HSCC CWG deliberative and decision-making process about sensitive vulnerability, threat and mitigation matters requires a trusted environment without the presence of security vendors, consultants, or other non-healthcare-specific businesses that would participate primarily for business development purposes, rather than for contributing to collective critical infrastructure protection programs.

What Does It Cost?

  • Nothing. No Sector Coordinating Council can charge dues if it is to maintain its exemption from FOIA when interacting with the government.
  • The practical cost of membership is sweat equity – contribution of work, expertise, and resources in-kind, such as your organization’s staff time, travel, facilities, or communications channels to a broader audience as needed.
  • From time to time, certain projects may require substantial “heavy lift”, which may be outsourced and financed by volunteering organizations who offer one-time contributions for a specific purpose, such as a consulting firm to perform a national survey, or to develop a white paper. One or more members may decide to contribute funds for such a purpose. Other examples include simple contributions like sponsoring group meals or networking events associated with a meeting. “Special assessments” are imposed only on those who agree to contribute. But this does not happen often.

How do Members Participate?

  • In general, Sector Coordinating Councils are cross-disciplinary in composition. Because the Council deals with strategic and policy solutions to shared problems, member organizations and associations can assign individuals from various management and subject matter functions, such as CISOs and their teams, risk and compliance, government relations, legal, marketing and others, according to the needs of a given topical work stream.
  • Every organizational member of the HSCC CWG will maximize the efficiency of its participation – and its utility to the HSCC – if there is a single point of contact for their organization’s membership. The Member POC should know everyone within the organization who is involved in the HSCC CWG so that (s)he can coordinate internal resources, and work with the HSCC CWG executive director to support its membership and maintain an accurate membership roster. We expect in time that membership registration, management and other services will be offered through a dedicated software tool via a members-only online portal.
  • Organizational members are encouraged to assign HSCC CWG participation to as many staff as are deemed necessary and available to represent the organization’s interest in the HSCC CWG work plan. Organizational members can choose to be represented on as many task groups as they deem necessary. If votes ever are needed in a given task group or the HSCC CWG as a whole and more than one representative from an organization serves in the TG or full CWG, the organization gets just one vote.
  • A key member contribution to the HSCC, particularly from associations, is to help market or implement final HSCC work products to their broader membership, other stakeholders, and the public at large. Associations are the force multipliers, and whenever possible they should offer their support by distributing final sector products through their normal communications channels, and generally promote positions, statements, campaigns, and best practices that are consistent with their own policies. When broadly adopted, the network effect is what distinguishes the HSCC as a truly cross-sector collaboration.

Guidance for Managing and Participating in Task Groups

Purpose and Principles

  1. Task Groups are created to complete specifically defined objectives with identified deliverables and outcomes by a specified date or timeframe. Once an objective is completed the task group should expect to disband. If there is related follow-on work or new developments that require establishing a new objective, the task group may elect to continue in operation and reach out for new volunteer members to scope the new work.
  2. The first order of business for any TG initiative is to canvass the member associations for preexisting work on the relevant subject matter to compile, compare and reconcile before starting something new; the purpose of the HSCC and its task groups is to coordinate.

Procedures

  1. The purpose of the initial meetings should be to agree on the scope of the Task Group: issue identification; problem to be solved; specific outcome the TG will work toward; key deliverables that will contribute to achievement of the outcome; and timeline for completion.
  2. Consider starting with weekly meetings to build initial momentum, and then adjust work flow and level of effort with TG members after objectives have been defined and progress commences.
  3. Set and circulate agendas in advance of meetings/concalls with specific outcomes recommended for each meeting/concall. If work is underway and only brief status updates are necessary then TG Leads may consider bringing in guest speakers relevant to the task at hand.
  4. Take roll using the TG Roster to track member participation, or, if available, the HSCC CWG Executive Director will be on hand to take roll and track attendance over time.
  5. Record action items emerging from each meeting/call and report-out to the group within 2 business days to keep non-attending members informed.
  6. Executive Director will attempt to participate in/support as many TG calls as possible but 100% cannot be guaranteed.
  7. Share TG Rosters with your members and feel free to recruit more members as necessary.
  8. TG progress reporting routines will be determined by the leadership, through either regular CWG meetings/calls or electronically as available.
  9. All HSCC member representatives are welcome on any Task Group. If you recruit new members to your TG or members ask to join, please let the Exec. Dir. know the individuals’ names and contact details so that they can be added to the member list. We will consider efficient ways to manage these lists and email listservs.

Antitrust

As members of this organization and participants in these meetings, we need to be mindful of the constraints of the antitrust laws.