Alignment with Health Care Industry Cybersecurity (HCIC) Task Force Recommendations
| 2020 TASK GROUPS | INITIATIVE: | CHAIR(S): | PROPOSED DELIVERABLES: | HCIC ALIGNMENT: |
|---|---|---|---|---|
| 405(d) – HEALTH INDUSTRY CYBERSECURITY PRACTICES | HDO: Erik Decker, CISO, Universrity of Chicago Medical Center GCC: Julie Chua, Branch Chief, Risk Management, HHS OCIO |
Maintain reference toolkit for minimum level healthcare cybersecurity | 1.2 / 1.4 / 2.1 / 4.3 / 5.2 | |
| FUTURE GAZING | HDO: Mark Jarrett, CQO & Associate CMO, Northwell Health HDO: Shawn Savadkohi, CISO, San Mateo County Health GCC: Robert Bastani, HHS ASPR |
Identify emerging technologies relevant to healthcare and designate for detailed risk assessments | 5.1.3 / 5.1.4 | |
| HEALTH TECHNOLOGY RISK ANALYSIS (Future Gazing Sub-Group) |
MDM: Chris Tyberg, VP Information Security, Abbott, HDO: Shawn Savadkohi, CISO, San Mateo County Health GCC: Robert Bastani, HHS ASPR |
Assess identified emerging healthcare technologies and their potential cyber risks to healthcare delivery | 2.5.2 / 5.1.1 | |
| INFORMATION SHARING | CROSS-SECTOR: Errol Weiss, CSO, H-ISAC MDM: Bill Hagestad, Senior Principal, Product Security, Medtronic |
Improve awareness and use of cybersecurity information sharing tools and organizations | 5.1.5 / 5.1.6 / 6.1 / 6.2 | |
| INTELLECTUAL PROPERTY DATA PROTECTION | PHARMA: Greg Barnes, CISO, Amgen PHARMA: Russell Koste, CISO, Alexion |
Best practices for managing R&D intellectual property in pharmaceutical, medical device and academic research subsectors. | 5 | |
| INTERNATIONAL ENGAGEMENT | MDM: Dana-Megan Rossi, Becton Dickinson HDO: Lenny Levy, CISO, Security Cubed Consulting |
Engage healthcare sector counterparts OCONUS for introductory webinar/concall engagements to compare similarities and differences in sector-wide CIP | N/A | |
| MEDICAL TECHNOLOGY | MDM: Michael McNeil, Global Product Security Officer, Royal Philips HDO: Debra Bruemmer, Senior Mgr., Security Resilience Mayo Clinic GCC: Aftin Ross, Senior Science Health Advisor, FDA |
Best practices for secure design and development of medical devices and EHR systems. | 2.1 – 2.5 / 4.2 | |
| MEDTECH LEGACY DEVICES (MedTech Sub-Group) |
MDM: Ramki Pillai, Digital Product Security Officer, Elekta HDO: Mike Powers, Clinical Engineering Quality Manager, ChristianaCare GCC: Jessica Wilkerson, Cyber Policy Advisor, FDA |
Develop business solutions, best practices, incentives, and policies for end-of-supported product life management and replacement of legacy medical devices. | 2.1 | |
| MEDTECH MODEL CONTRACTS (MedTech Sub-Group) |
HDO: Michelle Bentley, Manager, Security Resilience, Mayo Clinic MDM: Jim Jacobson, Chief Product & Solution Security Officer, Siemens Healthineers GPO: Jason Ferri, Senior Director Strategic Supplier Engagement, Premier |
Develop model cybersecurity contract language between MDMs and HDOs for medical device procurements and servicing | 1.2 / 2.1 – 6 / 4.2 | |
| MEDTECH VULNERABILITY COMMUNICATIONS (MedTech Sub-Group) |
MDM: Chris Tyberg, VP Information Security, Abbott HDO: Abhishek Agarwal, CISO, Fresenius Medical GCC: Aftin Ross, Senior Science Health Advisor, FDA |
Develop standardized protocols for medical device cybersecurity vulnerability communications among stakeholders | 2.2 / 2.6 | |
| METRICS FOR CYBERSECURITY ADOPTION | HDO: Mark Jarrett, CQO & Assoc. CMO, Northwell Health GCC: Bob Bastani, Cyber Security Advisor, HHS ASPR |
Measure industry adoption of HSCC CWG published best practices and other cybersecurity references such as NIST Cybersecurity Framework | 1.2 / 1.4 | |
| POLICY | HDO: Mari Savickis, Vice President, Federal Affairs, CHIME CROSS-SECTOR: Carl Anderson, Chief Legal Officer, HITRUST |
Standing responsibility for initial analysis of and draft response to regulatory/legislative proposals affecting healthcare cyber security. | 1.3.1 / 1.3.4 / 1.3.5 / 1.5 / 4.3 | |
| REGULATORY HARMONIZATION (Policy Sub-Group) |
HDO: Dan Bowden, CISO, Sentara Healthcare MDM: Zach Hornberger, Director of Cybersecurity & Informatics, Medical Imaging Technology Association |
Recommend harmonization of healthcare cyber regulation where appropriate | 1.3 | |
| RISK ASSESSMENT | CROSS-SECTOR: Bryan Cline, Vice President, Standards & Analytics, HITRUST | Implementation Guide for the NIST Cybersecurity Framework. | 1.2 / 1.4 / 3.1 / 3.2 / 4.3 | |
| SUPPLY CHAIN CYBER RISK MANAGEMENT | MDM: Chris Van Schijndel, Application Security Architect, Johnson & Johnson PHARMA: Vish Gadgil, Director of IT Risk Management, Merck |
Best practices for developing a supply chain cybersecurity procurement organization. | 2.5.5 / 4.2 / 4.3 | |
| TELEMEDICINE | HDO: Mark Jarrett, CQO & Assoc. CMO, Northwell Health GCC: Matt Quinn, HHS Health Resources and Services Administration |
Standards of practice for secure provision of web-based or other connected medical services. | 4.2 | |
| WORKFORCE DEVELOPMENT | HDO: Brandyn Blunt, Clinical Engineering Systems Admin, Trinity Health GCC: Marian Merritt, Lead for Industry Engagement, NIST NICE |
Develop guidance for: 1) mapping healthcare cyber professional skills to job roles (e.g., NICE Framework/800-181); 2) cybersecurity curriculum for medical, nursing and pharmacy schools |
3.1 / 3.2 / 4.1 / 4.3.5 / 4.5 |