HEALTHCARE AND PUBLIC HEALTH SECTOR COORDINATING COUNCIL – CYBERSECURITY WORKING GROUP
The Healthcare and Public Health Sector Coordinating Council (HSCC) is a coalition of critical healthcare industry stakeholders working with government to address the most pressing security and resiliency challenges to the healthcare sector, a federally designated Critical Infrastructure Sector. Healthcare stakeholders operate interdependently in an ecosystem that is facing increasingly sophisticated operational and cybersecurity threats and vulnerabilities that can cascade systemically across the healthcare sector, ultimately affecting patient safety, security and privacy. It is our collective responsibility to partner with government to jointly identify and mitigate these systemic risks through operational and policy improvements.
The responsibility of this public-private partnership is captured in several iterations of presidential executive orders dating back to 1998, the most recent update being Presidential Policy Directive 21 in 2013, and the 2021 Defense Authorization Act (§9002), which call on federal government agencies with specific sectoral responsibility to partner with their critical industry sector in the protection of essential assets and services from systemic threats, both physical/operational and cyber.
These protection activities are performed through two essential functions: the day-to-day threat sharing, analysis and incident response of the Health Information Sharing and Analysis Center (H-ISAC) and related information sharing and analysis organizations, and the longer-term strategic and policy-oriented mission of the HSCC. Under the executive orders, the Department of Health and Human Services is designated as the lead government partner to the health sector, whose critical infrastructure strategic planning is coordinated by the HSCC. Other key government partners include the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA), the National Institute of Standards and Technology, and law enforcement and intelligence agencies.
Many organizations are stepping up to this responsibility by joining the HSCC and its Cybersecurity Working Group (CWG). When combined with government partners, we become the Joint Cybersecurity Working Group, engaging in privileged communications protected under a special federal advisory committee exemption called Critical Infrastructure Partnership Advisory Council, or CIPAC. This ensures a trusted forum in which critical infrastructure stakeholders can discuss with government sensitive threat and vulnerability information that should not be made public.
ELIGIBILITY REQUIREMENTS FOR THE HSCC CYBERSECURITY WORKING GROUP
To be eligible as a voting member of the HSCC CWG, an organization must be a “Covered Entity” or “Business Associate” under HIPAA; one that develops technology or services regulated by the FDA; a public health entity; or an industry group or professional society representing any of the above. Organizations not meeting those definitions may be eligible to participate in the CWG and its task groups as non-voting “Advisors” at the invitation of the CWG or task group leadership.
How is the HSCC different from an industry association?
- The HSCC is in effect a body of associations plus our member providers and companies working collectively to solve policy and strategic challenges shared across all 7 of our critical healthcare subsectors: Direct Patient Care; Health Information Technology; Health Plans & Payers; Labs, Blood & Pharmaceuticals; Mass Fatality Management Services; Medical Materials; and Public Health.
- During designated joint working sessions between government and industry, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from regulatory action and public disclosure under special advisory committee status not provided to individual associations.
- Further, there are no membership dues to participate in the HSCC – only the contribution of your organization’s available expertise toward the development and implementation of policy and operational improvements to the security and resiliency of the sector.
CALL TO ACTION
The HSCC Cybersecurity Working Group has organized much of its work plan toward addressing recommendations made by the Healthcare Industry Cybersecurity Task Force report for improving healthcare cybersecurity, released in June of 2017. The initiative is what drives the formation of outcome-oriented task groups made up of member organizations collaborating to produce specific deliverables that meet the outcome objectives, such as white papers, best practices, and guidance documents. Groups meet on their own determined schedule with agreed deliverables and timelines. Further, all task groups and members-at-large meet in person twice a year at “all-hands” gatherings in April and October in different locations to assess progress and refine work plans.
The following list of task groups constitutes the Healthcare Sector’s work plan for 2022.
2022 HSCC CYBERSECURITY WORKING GROUP INITIATIVES
(new list TBD)
We encourage your organization to join the CWG. Every organizational member should assign a primary point of contact and work internally to coordinate participation in one or more of the task groups according to organizational priorities. Each task group decides on its specific objectives, scope, output and timeline. Skill sets in the HSCC CWG are multi-disciplinary, including those responsible for:
• Cyber risk management
• Information and data management
• Information technology (IT) and operational technology (OT)
• Patient safety
• Product security
• Privacy and security compliance
• Policy, regulatory and legal affairs
Meaningful and forward-thinking work products are continually being published as open-source resources by the HSCC CWG for adoption and implementation by sector stakeholders. The success of our ongoing projects is defined by the time and human capital your organization is willing to commit.
We hope you will join us for this important responsibility. For more information about task group objectives and membership expectations, please contact Cyber Working Group executive director Greg Garcia at Greg.Garcia@HealthSectorCouncil.org.