| TASK GROUP 1A |
RISK MANAGEMENT (INCL. ID, ASSESSMENT, TOLERANCE): | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Coordinate the development of a tailored, Sector-wide HPH Implementation Guide of the NIST Cybersecurity Framework, leveraging existing documents and efforts. Identify, measure and manage elements of risk across subsectors through the prism of patient safety and privacy. | Bryan Cline, HITRUST | Introductory chapter laying out structure for “healthcare cybersecurity best practices” | CISO staff; GRC; Threat and incid response; Association SMEs; HHS/NIST (as approp) | |
| HCIC Task Force Recommendation : 1.2 / 1.4 / 3.1 / 3.2 / 4.3 | ||||
| TASK GROUP 1B |
MEDICAL TECHNOLOGY CYBER SECURITY RISK MANAGEMENT: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Develop best practices for secure design and development of medical devices and EHR systems; establish shared management responsibility protocols between device/EHR vendors and provider/users. | Rob Suarez, BD; Kevin Mc Donald, Mayo Clinic; Aftin Ross, HHS FDA |
Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA | Product security; Threat/incid resp; GRC; Association SME’s; Procurement & Contracts | |
| HCIC Task Force Recommendation : 2.1 – 2.5 / 4.2 | ||||
| TASK GROUP 1C |
INTELLECTUAL PROPERTY DATA PROTECTION: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Best practices for managing research and development intellectual property in pharmaceutical and medical device subsectors, as distinct from PHI, IT & OT data security. | Greg Barnes, Amgen; Russell Koste, Alexion |
Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA | CISO staff; GRC; Threat/incid resp; Association SMEs; HHS/NIST (as approp) | |
| HCIC Task Force Recommendation : 5 | ||||
| TASK GROUP 1D |
SUPPLY CHAIN / THIRD PARTY CYBER RISK MANAGEMENT: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Best practices for managing risk in connected products and services. | Darren Vianueva, Trinity Health; Chris Van Schijndel, J&J |
Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA | CISO staff; GRC; legal/contracts/Threat/incid resp; Association SMEs; HHS/NIST (as approp) | |
| HCIC Task Force Recommendation : 4.2 / 4.3 | ||||
| TASK GROUP 1E |
TELEMEDICINE: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Standards of practice for secure provision of web-based or other connected medical services. | Mark Jarrett, Northwell Health; Kathy Downing, AHIMA |
Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA | CISO staff; GRC; Threat/incid resp; Association SMEs;HHS/NIST (as approp) | |
| HCIC Task Force Recommendation : 4.2 | ||||
| TASK GROUP 1F |
REFRESH OF “TOP 10 CYBERSECURITY BEST PRACTICES”: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Develop guidelines for minimum level best practices for healthcare cybersecurity. | Erik Decker, University of Chicago Medical Center; Julie Chua, Department of Health and Human Services |
Guidance document scalable to large and small organizations | CISO staff; GRC; Threat/incid resp; Association SMEs; HHS/NIST (as approp) | |
| HCIC Task Force Recommendation : 1.2 / 1.4 / 2.1 / 4.3 / 5.2 | ||||
| TASK GROUP 2 |
REGULATION & POLICY: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Work with HHS to identify and reconcile duplicative or conflicting regulations that impede cybersecurity risk management; Propose positive policy changes to facilitate threat and vulnerability mitigation efforts. Consider policy incentives for adoption of cyber risk management best practicea; Standing responsibility for initial analysis of and draft response to regulatory/legislative proposals affecting healthcare cyber security. | Mari Savickis, CHIME; Theresa Meadows, Cook Childrens Healthcare System; Carl Anderson, HITRUST |
|
Association Govt Relations; Legal; GRC; HHS (as approp) | |
| HCIC Task Force Recommendation : 1.2 / 1.4 / 2.1 / 4.3 / 5.2 | ||||
| TASK GROUP 3 |
WORKFORCE DEVELOPMENT: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Develop guidance or best practices for: 1) mapping healthcare cyber professional skills to job roles (e.g., NICE Framework/800-181); 2) provider workforce training and enforcement on user cyber hygiene; 3) marketing campaign to attract cyber professionals to healthcare sector. | Sean Murphy, Premer; Brandyn Blunt, Trinity Health |
Guidance document that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA | CISO staff; HR; Association SME’s; NIST; HHS (as approp) | |
| HCIC Task Force Recommendation : 3.1 / 3.2 / 4.1 / 4.3.5 / 4.5 | ||||
| TASK GROUP 4 |
CROSS-SECTOR ENGAGEMENT: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Proactive outreach with key interdependent sectors (e.g., electricity, communications, transportation, water) to identify and measure asset and service vulnerabilities and threats. | Ryan Lewis, Hospital Sisters Health System; Denise Anderson, NH-ISAC |
Scheduled information exchanges with other SCC’s on selected topics; possible white papers on interdependencies between sectors as basis for possible future joint initiatives | CISO, OT, IT , GRC, Legal, Govt. Relations | |
| HCIC Task Force Recommendation : N/A | ||||
| TASK GROUP 5 |
INFORMATION SHARING: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Analyze existing and encourage new information-sharing activities regarding threat information, security incidents including exploits, breaches, and general cybersecurity information between government and private sector; develop or leverage existing timely, actionable incident management and cybersecurity alerts/guidance/best practices/educational materials, etc. for different types of audiences. | Nickol Todd, HHS ASPR; Sara Hall, NH-ISAC |
N/A | N/A | |
| HCIC Task Force Recommendation : 5.1.5 / 5.1.6 / 6.1 / 6.2 | ||||
| TASK GROUP 6 |
FUTURE GAZING: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Develop an ongoing dialogue on how to incorporate new technology into healthcare and public health practice without compromising patient safety or access by individuals to their data as required by law. | Mark Jarrett, Northwell Health; Peter Katona, UCLA School of Medicine |
N/A | N/A | |
| HCIC Task Force Recommendation : 5.1.3 / 5.1.4 | ||||
| TASK GROUP 7 |
MARKETING & OUTREACH: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Establish HSCC brand (including website and other platforms), communications protocols, and general outreach and awareness strategy. Work with HHS and DHS to integrate relevant work products from other CWG Task Groups in a series of marketing campaigns to small and medium enterprises and providers. | Leon Vinci, Health Promotion Consultants; Sri Bharadwaj, UCI Health |
Development of general and specific measures for marketing penetration and outcomes demonstrating enhanced security; Creation of general marketing plan with identified infrastructure and roles & responsibilities | Association SME’s; HR; Marketing; HHS (as approp) | |
| HCIC Task Force Recommendation : 4.5 / 4.6 | ||||
| TASK GROUP AD-HOC Support |
EXERCISES: | CHAIR(S) : | SAMPLE DELIVERABLES: | TASK GROUP COMPOSITION: |
|---|---|---|---|---|
| Work with NH-ISAC, ISAO’s, HHS & DHS to plan and execute cyber exercises for specific scenarios and subsectors to inform ongoing refinement of information sharing requirements, best practices and governance models; emphasis on C-suite participation. | Ed Brennan, NH-ISAC; Garrett Hagood, Coastal Bend Regional Advisory Council |
Two cross-sector exercises per year, with after-action reports and recommendations | CISO staff; Threat/Incid Resp; Privacy; IT/OT; Legal; GRC; HHS (as approp) | |
| HCIC Task Force Recommendation : 6.3 | ||||