HSCC Cybersecurity Working Group Task Groups

    • 405(d) – HEALTH INDUSTRY CYBERSECURITY PRACTICES
      Joint Industry/HHS Task Group (from §405(d) of the Cybersecurity Act of 2015) created the HICP (Health Industry Cybersecurity Practices) and is developing supporting collateral material and timely cyber events, marketing and partnerships.
    • 5-YEAR PLAN
      Update the Health Care Industry Task Force (HCIC) recommendations as a five-year plan reflecting emerging threat scenarios in a rapidly evolving healthcare system
    • EMERGING TECHNOLOGY
      Assess emerging technologies used in healthcare that may present cybersecurity risks.  First publication pending on artificial intelligence.  Next assessment on how to protect/encrypt systems, data and identity against malicious use of quantum computing.
    • INCIDENT RESPONSE AND BUSINESS CONTINUITY
      Develop a healthcare cyber incident response and business continuity plan aligned with existing physical incident response protocols.
    • INTERNATIONAL
      No specific deliverables, except developing content for webinars on international healthcare cybersecurity policy, operations and coordination.
    • MEASUREMENT
      A Measurement Task Group with scope TBD, e.g.: a) measurement methodology; b) measuring sector adoption of cybersecurity frameworks such as NIST CSF and HSCC HICP; c) measuring sector-wide security performance; and/or d) measuring patient impact from a cyber event.
    • MEDICAL DEVICE VULNERABILITY COMMUNICATIONS
      Provide guidance to differing stakeholders (MDMs, HDOs, clinicians, patients) on preparing, receiving and acting on medical device vulnerabilities.  First publication pending on patient awareness.  Second version on HDO preparedness.
    • MEDICAL TECHNOLOGY CYBERSECURITY
      First published in January 2019, the Medical Device and Health IT Joint Security Plan will be updated to reflect ongoing developments in medical device security and to integrate subsequent work products soon to be published on legacy device security, model cybersecurity contract language for medical technology, and vulnerability communications standardization.
    • OUTREACH AND AWARENESS
      Focused, resourced and creative attention on leveraging government, industry associations and other stakeholders to build national health sector awareness and adoption of HSCC cybersecurity resources, NIST CSF and others.
    • POLICY
      Activates as needed for policy proposals and response
    • RISK ASSESSMENT
      Finalized NIST Cyber Framework Implementation guide; under review by HHS for co-branding.  New initiatives may include developing guidance for aligning enterprise controls with NIST CSF implementation tiers and possibly using the CSF to identify, measure and manage cyber risk to patient safety and privacy.
    • SUPPLY CHAIN
      Results of pending survey on critical supplier risk management will inform subsequent development of related best practices.
    • WORKFORCE DEVELOPMENT
      Preparing a series of cybersecurity training videos for clinicians and healthcare students on specific aspects of cybersecurity.  Pending funding source support will be needed for content development.

___________________________________________________________________________

FINALIZING WORK FOR PUBLICATION – CONSIDER DISBANDING SUBSEQUENTLY

      • MODEL CONTRACTS
        Published Q1 2022
      • LEGACY MEDICAL DEVICES
        Ongoing – Publication expected Q2 2022