HEALTH SECTOR COORDINATING COUNCIL
CYBERSECURITY WORKING GROUP – 2023
- Healthcare is designated under U.S. national policy as “critical infrastructure” along with 15 other industry sectors, such as financial services, energy, telecommunications, water and transportation, each represented by an industry-organized “sector coordinating council (SCC).” These SCCs and their government counterparts form a national public-private partnership coordinated overall by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Composition and Mission
- An industry-led advisory council involving almost 400 organizations in direct patient care; pharmaceuticals, labs and blood banks; medical technology; plans and payers; digital health and health IT; and public health. Includes government agencies when meeting as the Joint Cybersecurity Working Group.
- A designated industry partner under Presidential Policy Directive 21, which advises its Sector Risk Management Agency, the U.S. Department of Health and Human Services (HHS), and other government agencies on critical healthcare cybersecurity policy and operations.
- A mission to identify systemic cybersecurity threats to critical healthcare infrastructure, collaborate on guidance and policies for mitigating those threats, and promote threat preparedness and incident response activities.
- Organized into outcome-oriented task groups that meet regularly to develop best practices for various healthcare cybersecurity disciplines (see below), based heavily on the recommendations in the 2017 Health Care Industry Cybersecurity (HCIC) Task Force report.
- Producing major best-practice publications, freely available to sector stakeholders and the public.
Critical Healthcare Ecosystem Supported by HSCC
Since January 2019, the HSCC has published cybersecurity guidance documents for the many components of cybersecurity management, such as health provider cybersecurity controls, medical device security, supply chain cybersecurity, workforce development and more. In 2023, the CWG is developing a five-year strategic plan that assesses progress to date against the HCIC Task Force recommendations and considers how the evolving healthcare system will present new and continuing cybersecurity challenges that the sector must prepare for and measure progress against. The CWG also will continue to pursue its strategic, policy and operational recommendations, including those contained in the HCIC Task Force report, through function-specific task groups involving industry and government leaders. The following task groups constitute the HSCC Cybersecurity Working Group’s 2023 priorities.
- 405(d) – HEALTH INDUSTRY CYBERSECURITY PRACTICES – (Joint HHS-SCC publication)
Update and amplify the HICP (Health Industry Cybersecurity Practices) with supporting collateral material, timely cyber event briefings, marketing and partnerships. Version 2 (HICP 2023) to be published Spring 2023. See: https://405d.hhs.gov/
- 5-YEAR STRATEGIC PLAN
Develop industry-wide 5-year strategic recommendations and success measures for healthcare cybersecurity, along with tactical council programs and initiatives to facilitate achievement of industry objectives.
- INCIDENT RESPONSE AND BUSINESS CONTINUITY
Develop a healthcare cyber incident response and business continuity plan aligned with existing physical incident response protocols.
Developing a methodology and inventory for relevant cyber measures; serving as a clearinghouse for the measurement efforts of other task groups.
- MEDICAL TECHNOLOGY CYBERSECURITY (Joint Security Plan v2 – “JSP2”)
Review and update the 2019 Medical Device and Health IT Joint Security Plan to reflect developments in medical device security and to integrate subsequent work products on legacy device security, model cybersecurity contract language for medical technology, and vulnerability communications standardization.
- MEDICAL TECHNOLOGY LEGACY DEVICES
February 2023 publication of guidance on shared responsibility for managing cybersecurity of installed medical devices reaching end of support / end of life. Fielding implementation feedback.
- MODEL CONTRACTS
Published March 2022; monitoring implementation feedback for an eventual v2.
- MEDICAL TECHNOLOGY VULNERABILITY COMMUNICATIONS
Provide guidance to differing stakeholders (medical device manufacturers (MDMs), healthcare delivery organizations (HDOs), clinicians and patients) on preparing for, receiving and acting on medical device vulnerability disclosures. First publication April 2022 on patient awareness. A second publication, on HDO preparedness, is in process.
- OUTREACH and AWARENESS
CWG brand and document formatting templates, and marketing strategy for publications and messaging.
Activates as needed for policy proposals and response.
- PRIVACY-SECURITY COLLABORATION
Address the interdependence of security and privacy risk to the confidentiality, integrity and availability of entity systems and data, and its bearing on patient safety and care.
- PUBLIC HEALTH CYBERSECURITY
Identify strategies for strengthening the cybersecurity and resilience of state, local, tribal and territorial (SLTT) public health agencies with the support of private sector and academic organizations.
- RISK ASSESSMENT
March 2023 publication of joint HSCC-HHS guidance on health industry implementation of the NIST Cybersecurity Framework (CSF). New initiatives may include developing guidance for aligning enterprise controls with NIST CSF implementation tiers and possibly using the CSF to identify, measure and manage cyber risk to patient safety and privacy.
- SUPPLY CHAIN CYBERSECURITY
Results of a survey on critical supplier risk management will inform subsequent development of related best practices.
- WORKFORCE DEVELOPMENT
Produced a series of cybersecurity training videos for clinicians and healthcare students on specific aspects of cybersecurity. Release mid-2023.
- Charter-based governance with elected chair, vice chair and executive committee;
- Because the CWG operates as a federal advisory body with government participation, it may not charge dues, but it may accept donations, such as funding for an executive director and voluntary project-based contributions;
- Open to any organization that is: a) a covered entity or business associate under HIPAA; b) a health plan or payer; c) regulated by FDA as a medical device or pharmaceutical company; d) regulated by the HHS Office of the National Coordinator as a health IT company; e) a public health organization; or f) a healthcare industry association or professional society. Membership of non-healthcare “Advisor” organizations is capped at 15% of CWG industry membership; such organizations may participate in and support CWG initiatives pro bono.