Every stakeholder of the healthcare system and the subsector they represent, including direct patient care, pharmaceuticals, device manufacturers, health IT and supplies, plans and payers, and mass fatality management, is part of an interdependent ecosystem that is facing sophisticated and targeted cybersecurity threats and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety and security. These stakeholders increasingly recognize a collective responsibility to pool our resources and develop industry-wide policy and operational solutions to our shared challenges.
This responsibility is in fact captured in three iterations of a Presidential Executive Order dating to 1998, the most recent being Presidential Policy Directive 21 in 2013. These executive orders express national policy that identifies 16 critical industry sectors that are essential to homeland and national security, economic security, and public health and safety – industry sectors such as healthcare, electricity, telecommunications, financial services, transportation and more. These industry sectors are stepping up to those tactical and strategic responsibilities with their government partners.
The policy further acknowledges that 80-90% of these sectors are owned and operated by the private sector, which must be responsible for self-organizing around the protection and resilience of those assets and services we depend on. That critical infrastructure protection function takes the form of both tactical/operational, and strategic policy collaboration among major stakeholders within a sector.
These functions are specifically called out in the policy: Information Sharing and Analysis Centers and Sector Coordinating Council (SCC’s). ISACs, including our NH-ISAC, handle day-to-day watch, warning, incident response and best practices cooperation across the sector and with government. SCCs acknowledge daily incidents and cyber-attacks as a given, leaving response to the ISACs, and instead look over the horizon at improving ways – both policy and business strategy – to get ahead of the threat and strengthen national confidence in the security and resiliency of essential services. Whereas ISAC membership consists of many technical and operational leaders within their organizations, the Sector Coordinating Councils convene cross-disciplinary leadership, including general counsels, CTO’s and CISOs, government and regulatory affairs, risk and compliance management, and business operations.
The ISACs and SCC’s are in effect two sides of the same critical infrastructure coin. Together, ISAC’s and SCC’s work with the government in a public-private partnership called the National Infrastructure Protection Plan (NIPP) to develop strategies for how the sector will mitigate threats and vulnerabilities and how it will partner with the government toward that end. The U.S. Department of Homeland Security works with every sector on these plans, known as Sector Specific Plans that are updated every 3-4 years, and with each sector specific agency that is assigned to the sector corresponding with agency authorities. The Department of Health and Human Services is the designated healthcare SSA.
A closer look at the Healthcare Sector Coordinating Council (HSCC). The HSCC is in effect an association of associations, which includes their enterprise and executive members, convening at the “big table” to identify and attack those cross cutting threats and vulnerabilities that challenge our ability to deliver safe and secure healthcare to the nation. We do this both independent of, and in partnership with, the Department of Health and Human Services – our sector specific agency. In all working sessions between government and industry under this structure, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from public disclosure under special advisory committee status.
While every association member that participates in the HSCC maintains its identity and business-as-usual programs, the HSCC affords its members a 360-degree visibility into other subsector perspectives and work initiatives, and a coordination mechanism to minimize conflict or duplication. Organizations join the HSCC at no cost, but commit “sweat equity” – your expertise, experience and thought leadership – to the development and implementation of policy and operational improvements to the security and resiliency of the sector.
Over the past year, one component of the HSCC – the HSCC Cybersecurity Working Group - has undertaken a number of important cybersecurity initiatives , and additional workstreams are expected to get underway for medical device and health IT security strategy and, more broadly, implementation of the Healthcare Industry Cybersecurity Task Force Report recommendations released in June 2017.
So this is a call to action to you and your organizations. It is recognized that the sector’s cybersecurity mission should be robustly represented – both numerically and substantively -- across the six major subsectors: Direct Patient Care; Health Information Technology; Health Plans & Payers; Mass Fatality Management Services; Medical Materials; and Labs, Blood & Pharmaceuticals. It is important - indeed, your responsibility - to ensure that your organizations, representing the most critical service and technology providers with the most extensive economic concentration and population reach, are at the table providing expertise and experience to deal collaboratively with complex problems.
The HSCC Cyber Working Group – currently co-chaired by Terry Rice of Merck and Bryan Cline of HITRUST – is embarking on a membership acceleration initiative to ensure we have robust participation and cross-sector representation. An organizing meeting of the member industry association will take place at the beginning of February to reaffirm our collective commitment and prioritize our work plan. We will consider what we must tackle first and over the longer term - problems such as the balance between medical device security and user cyber hygiene; best practices for small rural hospitals and family practices; alignment of data security and data privacy; identification of relevant cyber intelligence and information sharing needs from the government; cyber incident exercises; and regulatory harmonization to ensure focused and effective cybersecurity risk management, among many others.
But we need to do this work together: None of us individually is as smart as all of us collectively.
For more information, contact HSCC Cybersecurity Executive Director Greg Garcia: greg.garcia@HealthSectorCouncil.org.
View Press & Releases
- Cyber Working Group Vice Chair Theresa Meadows on Why Medical Device Security Is So Challenging November 20, 2019
- The 405(d) Post Volume Two November 19, 2019
- Protecting Critical Healthcare Innovation Capital From Cyber Theft – NCSAM Blog October 28, 2019
- Connected Health and Cybersecurity: Advice for the Device – NCSAM Blog October 22, 2019
- The Healthcare Cyber Circulatory System: Supply Chain Security – NCSAM Blog October 16, 2019
- Health Sector Publishes Guidance on Supply Chain Cybersecurity Risk Management October 15, 2019
- HSCC Applauds Stark Waiver and HHS for Cybersecurity Assistance to Health Systems October 9, 2019
- Leadership and Cybersecurity Infographic October 7, 2019
- Clinical Cybersecurity: Beating the Cyber Virus Like the Human Virus – NCSAM Blog October 3, 2019
- Patient Safety Depends on Cyber Safety – HSCC JCWG Blog Celebrates NCSAM October 1, 2019
- The 405(d) Post: Healthcare Industry Cybersecurity News and Emerging Issues September 11, 2019
- Health Industry Publishes Matrix of Cybersecurity Information Sharing Organizations September 9, 2019
- HSCC JCWG 2019 Mid-Year Report July 25, 2019
- HSCC Releases the Healthcare Industry Cybersecurity Workforce Guide June 17, 2019
- HICP’s 5 Threat Weekly Webinar Series March 18, 2019
- Join the HICP Five Threat Presentation Series in March and April 2019 February 14, 2019
- HSCC Cybersecurity Working Group releases the 2018 Annual Report February 8, 2019
- HSCC Releases the Medical Device and Health IT Joint Security Plan January 28, 2019
- HHS and HSCC Release Voluntary Cybersecurity Practices for the Health Industry January 2, 2019
- Next HSCC Joint Cybersecurity Working Group meeting: April 3-4, 2019, San Diego. December 10, 2018
- Erik Decker on Cybersecurity Best Practices November 16, 2018
- HSCC Wants Healthcare Cybersecurity Waiver to Anti-kickback Rules October 30, 2018
- HPH SCC Blog – Patient Safety Would Benefit from Cybersecurity Exception to Anti-Kickback Statute October 29, 2018
- HPH SCC Cybersecurity Working Group Comments on HHS OIG Anti-Kickback Statute RFI October 26, 2018
- HPH SCC Blog – Building a Stronger Healthcare Workforce for Cybersecurity October 24, 2018
- HPH SCC Blog – During NCSAM, HSCC CWG Advocates for Patient Safety at HHS October 19, 2018
- HSCC CWG Policy Task Group Comments on HHS ONC RFI October 17, 2018
- Preventing a ‘Doomsday’ Healthcare Cyber Event October 10, 2018
- HPH-SCC Set To Issue Cybersecurity Best Practices for Healthcare October 10, 2018
- CHIME-KLAS 2018 Medical Device Security Survey October 5, 2018
- HPH-SCC Blog–National Cyber Security Awareness Month October 1, 2018
- The Fight to Secure Vulnerable Medical Devices From Hackers August 31, 2018
- Health Sector Council Pushes for Changes in Federal Cybersecurity Rules August 31, 2018
- Health Sector Council Letter to CMS on Stark Exception August 28, 2018
- Health Sector Mobilizes Against Cyber Threats July 16, 2018
- The Healthcare Sector Coordinating Council and the NH-ISAC: Two Sides of the Same Critical Infrastructure Coin March 14, 2018