Task Groups

TASK GROUP 1A: RISK MANAGEMENT (INCL. ID, ASSESSMENT, TOLERANCE)
Coordinate the development of a tailored, Sector-wide HPH Implementation Guide of the NIST Cybersecurity Framework, leveraging existing documents and efforts. Identify, measure and manage elements of risk across subsectors through the prism of patient safety and privacy.
CHAIR(S): Bryan Cline, HITRUST
SAMPLE DELIVERABLES: Introductory chapter laying out structure for “healthcare cybersecurity best practices”
TASK GROUP COMPOSITION: CISO staff; GRC; Threat and incid response; Association SMEs; HHS/NIST (as approp)
HCIC Task Force Recommendation: 1.2 / 1.4 / 3.1 / 3.2 / 4.3

 

TASK GROUP 1B: MEDICAL TECHNOLOGY CYBER SECURITY RISK MANAGEMENT
Develop best practices for secure design and development of medical devices and EHR systems; establish shared management responsibility protocols between device/EHR vendors and provider/users.
CHAIR(S): Rob Suarez, BD; Kevin Mc Donald, Mayo Clinic; Aftin Ross, HHS FDA
SAMPLE DELIVERABLES: Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA
TASK GROUP COMPOSITION: Product security; Threat/incid resp; GRC; Association SME’s; Procurement & Contracts
HCIC Task Force Recommendation: 2.1 – 2.5 / 4.2

 

TASK GROUP 1C: INTELLECTUAL PROPERTY DATA PROTECTION
Best practices for managing research and development intellectual property in pharmaceutical and medical device subsectors, as distinct from PHI, IT & OT data security.
CHAIR(S): Greg Barnes, Amgen; Russell Koste, Alexion
SAMPLE DELIVERABLES: Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA
TASK GROUP COMPOSITION: CISO staff; GRC; Threat/incid resp; Association SMEs; HHS/NIST (as approp)
HCIC Task Force Recommendation: 5

 

TASK GROUP 1D: SUPPLY CHAIN / THIRD PARTY CYBER RISK MANAGEMENT
Best practices for managing risk in connected products and services.
CHAIR(S): Darren Vianueva, Trinity Health; Chris Van Schijndel, J&J
SAMPLE DELIVERABLES: Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA
TASK GROUP COMPOSITION: CISO staff; GRC; legal/contracts/Threat/incid resp; Association SMEs; HHS/NIST (as approp)
HCIC Task Force Recommendation: 4.2 / 4.3

 

TASK GROUP 1E: TELEMEDICINE
Standards of practice for secure provision of web-based or other connected medical services.
CHAIR(S): Mark Jarrett, Northwell Health; Kathy Downing, AHIMA
SAMPLE DELIVERABLES: Guidance document – stand-alone and as annex – that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA
TASK GROUP COMPOSITION: CISO staff; GRC; Threat/incid resp; Association SMEs; HHS/NIST (as approp)
HCIC Task Force Recommendation: 4.2

 

TASK GROUP 1F: REFRESH OF “TOP 10 CYBERSECURITY BEST PRACTICES”
Develop guidelines for minimum level best practices for healthcare cybersecurity.
CHAIR(S): Erik Decker, University of Chicago Medical Center; Julie Chua, Department of Health and Human Services
SAMPLE DELIVERABLES: Guidance document scalable to large and small organizations
TASK GROUP COMPOSITION: CISO staff; GRC; Threat/incid resp; Association SMEs; HHS/NIST (as approp)
HCIC Task Force Recommendation: 1.2 / 1.4 / 2.1 / 4.3 / 5.2

 

TASK GROUP 2: REGULATION & POLICY
Work with HHS to identify and reconcile duplicative or conflicting regulations that impede cybersecurity risk management; Propose positive policy changes to facilitate threat and vulnerability mitigation efforts. Consider policy incentives for adoption of cyber risk management best practices; Standing responsibility for initial analysis of and draft response to regulatory/legislative proposals affecting healthcare cyber security.
CHAIR(S): Mari Savickis, CHIME; Theresa Meadows, Cook Childrens Healthcare System; Carl Anderson, HITRUST
SAMPLE DELIVERABLES:
  1. Document that maps overlapping / conflicting regulations with explanation of how cybersecurity mitigation is resultingly compromised; to include recommendations for reconciliation to Congress and/or regulators
  2. Paper on incentives for health sector adoption of cyber risk management best practices
  3. AD HOC policy papers in response to government regulatory/legislative healthcare cybersecurity proposals
TASK GROUP COMPOSITION: Association Govt Relations; Legal; GRC; HHS (as approp)
HCIC Task Force Recommendation: 1.2 / 1.4 / 2.1 / 4.3 / 5.2

 

TASK GROUP 3: WORKFORCE DEVELOPMENT
Develop guidance or best practices for: 1) mapping healthcare cyber professional skills to job roles (e.g., NICE Framework/800-181); 2) provider workforce training and enforcement on user cyber hygiene; 3) marketing campaign to attract cyber professionals to healthcare sector.
CHAIR(S): Sean Murphy, Premer; Brandyn Blunt, Trinity Health
SAMPLE DELIVERABLES: Guidance document that can be scaled to large and small institutions; Marketing and distribution by relevant associations and HHS/FDA
TASK GROUP COMPOSITION: CISO staff; HR; Association SME’s; NIST; HHS (as approp)
HCIC Task Force Recommendation: 3.1 / 3.2 / 4.1 / 4.3.5 / 4.5

 

TASK GROUP 4: CROSS-SECTOR ENGAGEMENT
Proactive outreach with key interdependent sectors (e.g., electricity, communications, transportation, water) to identify and measure asset and service vulnerabilities and threats.
CHAIR(S): Ryan Lewis, Hospital Sisters Health System; Denise Anderson, NH-ISAC
SAMPLE DELIVERABLES: Scheduled information exchanges with other SCC’s on selected topics; possible white papers on interdependencies between sectors as basis for possible future joint initiatives
TASK GROUP COMPOSITION: CISO, OT, IT, GRC, Legal, Govt. Relations
HCIC Task Force Recommendation: N/A

 

TASK GROUP 5: INFORMATION SHARING
Analyze existing and encourage new information-sharing activities regarding threat information, security incidents including exploits, breaches, and general cybersecurity information between government and private sector; develop or leverage existing timely, actionable incident management and cybersecurity alerts/guidance/best practices/educational materials, etc. for different types of audiences.
CHAIR(S): Nickol Todd, HHS ASPR; Sara Hall, NH-ISAC
SAMPLE DELIVERABLES: N/A
TASK GROUP COMPOSITION: N/A
HCIC Task Force Recommendation: 5.1.5 / 5.1.6 / 6.1 / 6.2

 

TASK GROUP 6: FUTURE GAZING
Develop an ongoing dialogue on how to incorporate new technology into healthcare and public health practice without compromising patient safety or access by individuals to their data as required by law.
CHAIR(S): Mark Jarrett, Northwell Health; Peter Katona, UCLA School of Medicine
SAMPLE DELIVERABLES: N/A
TASK GROUP COMPOSITION: N/A
HCIC Task Force Recommendation: 5.1.3 / 5.1.4

 

TASK GROUP 7: MARKETING & OUTREACH
Establish HSCC brand (including website and other platforms), communications protocols, and general outreach and awareness strategy. Work with HHS and DHS to integrate relevant work products from other CWG Task Groups in a series of marketing campaigns to small and medium enterprises and providers.
CHAIR(S): Leon Vinci, Health Promotion Consultants; Sri Bharadwaj, UCI Health
SAMPLE DELIVERABLES: Development of general and specific measures for marketing penetration and outcomes demonstrating enhanced security; Creation of general marketing plan with identified infrastructure and roles & responsibilities
TASK GROUP COMPOSITION: Association SME’s; HR; Marketing; HHS (as approp)
HCIC Task Force Recommendation: 4.5 / 4.6

 

TASK GROUP AD-HOC Support: EXERCISES
Work with NH-ISAC, ISAO’s, HHS & DHS to plan and execute cyber exercises for specific scenarios and subsectors to inform ongoing refinement of information sharing requirements, best practices and governance models; emphasis on C-suite participation.
CHAIR(S): Ed Brennan, NH-ISAC; Garrett Hagood, Coastal Bend Regional Advisory Council
SAMPLE DELIVERABLES: Two cross-sector exercises per year, with after-action reports and recommendations
TASK GROUP COMPOSITION: CISO staff; Threat/Incid Resp; Privacy; IT/OT; Legal; GRC; HHS (as approp)
HCIC Task Force Recommendation: 6.3