Health Sector Mobilizes Against Cyber Threats

July 2018

June 29 Health Sector Council Meeting in Washington gathers 120 industry and government leaders to meet the threat.

Washington, DC – July 17 – More than 100 healthcare providers, associations, pharmaceutical, medical device and health IT companies met with government officials in Washington, DC, on June 29 to report and build on their collective progress toward implementing stronger cyber security protections across the healthcare sector. Executives met under the umbrella of the Healthcare and Public Health Sector Coordinating Council (HSCC), established under presidential executive order to identify and mitigate sector-wide threats and vulnerabilities against the delivery of healthcare services and assets.

The HSCC Joint Cybersecurity Working Group (JCWG) – composed of industry and government organizations – reorganized at the beginning of the year to respond to wide-ranging recommendations made by the 2017 Health Care Industry Cybersecurity Task Force (HCIC), an industry-government collaboration appointed by the Department of Health and Human Services in accordance with the Cyber Security Act of 2015. The HCIC presented 6 major imperatives and 105 action items that the sector should address to improve the security and resiliency of healthcare services and patient safety.

In February, the JCWG established 13 task groups organized around implementing many of those action items in partnership with HHS and other government agencies. Task Group leaders on June 29 presented the JCWG with an assessment of progress and a call to accelerate momentum toward meeting our collective cyber security challenges.

In remarks for the June 29 meeting, HHS Deputy Secretary Eric D. Hargan, who leads the agency’s internal and external cybersecurity coordination, said that the joint gathering was “a testament to the hard work done by the Healthcare Sector Coordinating Council to expand its membership and organize task groups to turn the report’s recommendations into action.” He added, “I commend the hard work all of you have done on this top priority for HHS, and I look forward to more progress being made today, and in the days ahead.”

Greg Garcia, Executive Director of the JCWG, observed during the meeting that, “as cyber threats against the healthcare sector proliferate and become more sophisticated, we have realized that we can best mobilize against them as a collaboration, with strength in numbers and expertise. And if we’re successful,” he said, “we’re never done, only better.”

About the HSCC JCWG. The Healthcare and Public Health Sector Coordinating Council (HSCC) is one of 16 critical industry sectors identified under presidential executive order (PDD-63, HSPD 7 and PPD 21) and the National Infrastructure Protection Plan. The HSCC Joint Cybersecurity Working Group (HSCC JCWG) is co-chaired by Terry Rice, Chief Information Security Officer of Merck, and Bryan Cline, Vice President of Standards and Analysis for HITRUST. It is focused on addressing the recommendations of the Health Care Industry Cybersecurity (HCIC) Task Force report released in June 2017 under the sponsorship of HHS, the sector-specific agency for the healthcare sector. To do this, the council significantly increased the membership’s numbers and representation, and hired a full-time executive director to manage the process – former DHS Assistant Secretary for Cyber Security Greg Garcia.

Surging Engagement Across the Sector

Health care organizations are stepping up to the challenge as the threats accelerate:

  • Since January 2018, private sector organization members increased by 130, from 60 to 190, including providers, companies, associations and other collaborative alliances across 5 subsectors
  • National and state industry association members increased from 5 to 30
  • Private health sector personnel members increased by 249, from 58 up to 307
  • Subsector representation expanded from primarily healthcare providers to many more in pharmaceuticals, health information technology and medical devices, and plans and payers
  • Total government personnel are at 50, comprising 44 personnel representing 7 federal agencies and one member each from 3 state agencies, 1 county and 1 city organization

About the Work Plan

The thirteen JCWG task groups – such as medical technology security, supply chain security, workforce development, and information sharing – are co-led by healthcare sub-sector executives and cyber experts, and range in membership from one dozen to three dozen members. They are focused on specific deliverables and outcomes intended to measurably improve the security and resiliency of the sector.

For example:

  • A medical technology and health I.T. cybersecurity task group, co-chaired by a provider organization and medical technology company, is working closely with FDA to develop guidance from HCIC “Imperative 2”, which calls for improved cybersecurity practices in the production, use and management of medical technology. They are developing a joint plan for cyber risk management commitments between device makers, health IT and provider/customers. This new workstream will engage broad stakeholder discussion and input around software bills of materials – scope, principles and deployment – so that users have better asset management and visibility into the products and systems they install;
  • A task group focused on HCIC “Imperative 5” is working to improve critical intellectual property data security such as pharmaceutical research and life-saving device patents;
  • A workforce development task group responds to “Imperative 3” by compiling best practices for employee/clinician cyber training and cybersecurity curricula in medical and nursing schools; considering how to attract more cyber security talent to the healthcare sector; and matching skills to job descriptions;
  • A pre-existing collaboration between the industry and HHS, now under the sector coordinating council umbrella, is responding to Section 405(d) of the 2015 Cyber Security Act to develop voluntary, consensus-based cybersecurity best practices for healthcare organizations. The guidance is currently being pre-tested with several healthcare organizations across the country;
  • Other task groups, with varying deliverables and timelines for completion, include:
    • Supply Chain Cyber Risk Management
    • Telemedicine Cyber Risk Management
    • Cross-Sector Engagement
    • Exercises
    • Cyber Risk Assessment
    • Information Sharing
    • Future Technologies
    • Marketing and Outreach
    • Policy and Regulation

The next progress report will occur in conjunction with the October meeting of the JCWG in Nashville.

For more information:
HSCC JCWG Executive Director: