Health Sector Council Cyber Working Group Introduction

The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of industry associations and their members. It has been a platform for collaboration among healthcare industry leaders and the government for more than a decade to address the most pressing security and resiliency challenges to the healthcare sector as a whole. Specifically, your organization is part of an interdependent ecosystem that is facing increasingly sophisticated operational and cybersecurity threats and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety, security and privacy. It is our collective responsibility to deliver industry-wide policy and operational solutions to this shared challenge. Many organizations are stepping up to this responsibility by joining the HSCC and its Cybersecurity Working Group (CWG). When combined with government partners, we are the Joint Cybersecurity Working Group. All healthcare sector stakeholders who have expertise and resources to contribute are encouraged to do the same.

About the HSCC. The responsibility of all Sector Coordinating Councils (SCC) is captured in three iterations of a Presidential Executive Order dating to 1998, the most recent being Presidential Policy Directive 21 in 2013, which calls on 16 critical industry sectors to self-organize – in partnership with the government – around the mission to protect essential assets and services from existential threats, both physical/operational and cyber. Every critical industry sector, including healthcare, financial services, electricity, emergency services, communications, water, transportation, and others, has been stepping up to this mission. We do this with two essential functions: the day-to-day operational protection, threat analysis and incident response of the Health Information Sharing and Analysis Center (H-ISAC) and related information sharing and analysis organizations, and the longer-term strategic and policy-oriented mission of the HSCC. Under the executive order, the HSCC is recognized as the private industry partner to the Department of Health and Human Services, which looks to us – in a non-regulatory, partnership posture – to help develop policy and operational improvements that enable our sector to better protect against and respond to threats, vulnerabilities and incidents.

Eligibility Requirements for the HSCC Cybersecurity Working Group. To be eligible as a voting member of the HSCC CWG, an organization must be defined as a “Covered Entity” or “Business Associate” under HIPAA, or as one that develops technology or services regulated by the FDA. Organizations not meeting those definitions may be eligible to participate in the CWG and its task groups as non-voting “Advisors” only at the invitation of the CWG or task group leadership.

How is the HSCC different from an industry association?

  • The HSCC is in effect an association of associations plus our member providers and companies working collectively to solve policy and strategic challenges shared across all 6 of our critical healthcare subsectors – Direct Patient Care; Health Information Technology; Health Plans & Payers; Labs, Blood & Pharmaceuticals, Mass Fatality Management Services; and Medical Materials.
  • During designated joint working sessions between government and industry, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from regulatory action and public disclosure under special advisory committee status not provided to individual associations.
  • Further, there are no membership dues to participate in the HSCC – only the contribution of your organization’s available expertise toward the development and implementation of policy and operational improvements to the security and resiliency of the sector.

Call to Action. The HSCC Cybersecurity Working Group has organized its work plan primarily toward addressing recommendations made by the Healthcare Industry Cybersecurity Task Force Report for improving healthcare cybersecurity, released in June of 2017. The initiative is what drives the formation of outcome-oriented task groups made up of member organizations collaborating to produce specific deliverables that meet the outcome objectives, such as white papers, best practices, and guidance documents. Groups meet on their own determined schedule with agreed deliverables and timelines.

Further, all task groups and members-at-large meet in person twice a year at “all-hands” gatherings in April and October in different locations to assess progress and refine work plans.

The following list of task groups constitutes the Healthcare Sector’s work plan for 2020.


We encourage your organization to join the CWG. Every organizational member should assign a primary point of contact and work internally to appropriately resource participation in one or more of the task groups according to organizational priorities. Each task group decides on its specific objectives, scope, output and timeline. Skill sets in the HSCC CWG are multi-disciplinary, including those responsible for:

  • Cyber risk management
  • Information and data management
  • Information technology (IT) and operational technology (OT)
  • Patient safety
  • Product security
  • Privacy and security compliance
  • Policy, regulatory and legal affairs

Meaningful and forward-thinking work products are continually being pushed out of the HSCC CWG to our strategic partners and the public. The success of our on-going projects is defined by the time and human capital your organization is willing to commit.

We hope you will join us for this important responsibility. For more information about task group objectives and membership expectations, please contact Cyber Working Group executive director Greg Garcia at

The following pages provide you more information on what is expected of HSCC members, and how task groups work.

What are the Terms of Membership?


  • Membership is open to any healthcare sector company, provider, nonprofit and association whose principal function falls under any of the six identified subsectors of Direct Patient Care; Plans & Payers; Health Information and Medical Technology; Pharma, Labs & Blood; Medical Materials; and Mass Fatality Management Services.
  • To be eligible as a voting member of the HSCC CWG, an organization must be defined as a “Covered Entity” or “Business Associate” under HIPAA, or as one that develops technology or services regulated by the FDA. Industry associations or professional societies that represent the aforementioned are also eligible for membership in the HSCC.
  • Organizations not meeting those definitions may be eligible to participate in the CWG and its task groups as non-voting “Advisors” only at the invitation of the CWG or task group leadership.
  • The integrity of the HSCC CWG deliberative and decision-making process involving sensitive vulnerability, threat and mitigation matters requires a trusted environment without the presence of security vendors, consultants, or other non-healthcare-specific organizations that would participate primarily for business development purposes, rather than for contributing to collective critical infrastructure protection programs.

What Does It Cost?

  • No SCC can charge dues if its work with the government is to be exempted from public disclosure.
  • The practical cost of membership is sweat equity – contribution of work, expertise, and as available, resources in-kind, such as staff time, travel, facilities, or communications channels to a broader audience.
  • From time to time, certain projects may require substantial “heavy lift”, which may be outsourced and financed by volunteering organizations who offer one-time contributions for a specific purpose, such as a consulting firm to perform a national survey, or to develop a white paper. One or more members may decide to contribute funds for such a purpose. Other examples include simple contributions like sponsoring group meals or networking events associated with a meeting. “Special assessments” are imposed only on those who contribute; this will rarely happen.

How do Members Participate?

  • In general, SCCs are cross-disciplinary in composition. Because the Council deals with strategic and policy solutions to shared problems, member organizations and associations can assign individuals from various management and subject matter functions, such as CISO’s and their teams, risk and compliance, government relations, legal, marketing and others, according to the needs of a given topical work stream.
  • Every organizational member of the HSCC CWG will maximize the efficiency of its participation – and its utility to the HSCC – if there is a single point of contact for their organization who is responsible for ensuring a coherent enterprise point of view and contribution to the work of the SCC. The Member POC should know everyone within the organization who is involved in the HSCC CWG so that he or she can coordinate internal resources, and work with the HSCC CWG Executive Director and/or HSCC CWG staff to support the membership and maintain an accurate membership roster. We expect in time that membership registration, management and other services will be offered through a dedicated software tool via a members-only online portal.
  • Organizational members are encouraged to assign HSCC CWG participation to as many staff as are deemed necessary and available to represent the organization’s interest in the HSCC CWG work plan. Organizational members can choose to be represented on as many task groups as they deem necessary, but to be most effective, member representatives should concentrate their efforts on one task group and not spread themselves too thin. If votes ever are needed in a given task group or the HSCC CWG as a whole and more than one representative from an organization serves in the TG or full CWG, the organization gets just one vote.
  • A key member contribution to the HSCC, particularly from associations, is to help market or implement final HSCC work products to their broader membership, other stakeholders, and the public at large. Associations are the force multipliers, and we require their support by distributing final sector products through their normal communications channels, and generally promote positions, statements, campaigns, and best practices that are consistent with their own policies whenever possible. When broadly adopted, the network effect is what distinguishes the HSCC as a truly cross-sector collaboration.

Guidance for Managing and Participating in Task Groups

Purpose and Principles

  1. Task Groups are created to complete specifically defined objectives with identified deliverables and outcomes by a specified date or timeframe. Once an objective is completed the task group should expect to disband. If there is related follow-on work or new developments that require establishing a new objective, the task group may elect to continue in operation and reach out for new volunteer members to scope the new work.
  2. The first order of business for any TG initiatives is to canvas the member associations for preexisting work on the relevant subject matter to compile, compare and reconcile before starting something new; the purpose of the HSCC and its task groups is to coordinate.


  1. The purpose of the initial meetings should be to agree on the scope of the Task Group: issue identification; problem to be solved; specific outcome the TG will work toward; key deliverables that will contribute to achievement of the outcome; and timeline for completion.
  2. Consider starting with weekly meetings to build initial momentum, and then adjust work flow and level of effort with TG members after objectives have been defined and progress commences.
  3. Set and circulate agendas in advance of meetings and conference calls (concalls) with specific outcomes recommended for each meeting/concall. If work is underway and only brief status updates are necessary then TG Leads may consider bringing in guest speakers relevant to the task at hand.
  4. Take roll using the TG Roster to track member participation, or, if available, HSCC CWG staff will be on hand to take roll and track attendance over time.
  5. Record action items emerging from each meeting/call and report-out to the group within 2 business days to keep non-attending members informed.
  6. Executive Director will attempt to participate in/support as many TG calls as possible but 100% cannot be guaranteed.
  7. Share TG Rosters with your members and feel free to recruit more members as necessary.
  8. TG progress reporting routines will be determined by the leadership, through either regular CWG meetings/calls or electronically as available.
  9. All HSCC member representatives are welcome on any Task Group. If you recruit new members to your TG or members ask to join, please let Exec. Dir. know the individuals’ contact information and their names will be added to the member list. We will consider efficient ways to manage these lists and emails listserves.


As members of this organization and participants in these meetings, we need to be mindful of the constraints of the antitrust laws:

There shall be no discussions of agreements or concerted actions that may restrain competition.  This prohibition includes the exchange of information concerning individual company rates, coverages, market practices, claims settlement practices or any other competitive aspect of an individual company’s operation.  Each member or participant is obligated to speak up immediately for the purpose of preventing any discussion falling outside the bounds indicated.

PDF version: HSCC_CWG_introduction