
The Healthcare Sector Coordinating Council and the NH-ISAC: Two Sides of the Same Critical Infrastructure Coin

March 2018
Every stakeholder of the healthcare system and the subsector they represent, including direct patient care, pharmaceuticals, device manufacturers, health IT and supplies, plans and payers, and mass fatality management, is part of an interdependent ecosystem that is facing sophisticated and targeted cybersecurity threats and vulnerabilities that can cascade across the value chain of the healthcare sector, ultimately affecting patient safety and security. These stakeholders increasingly recognize a collective responsibility to pool our resources and develop industry-wide policy and operational solutions to our shared challenges.

This responsibility is in fact captured in three iterations of a Presidential Executive Order dating to 1998, the most recent being Presidential Policy Directive 21 in 2013. These executive orders express national policy that identifies 16 critical industry sectors that are essential to homeland and national security, economic security, and public health and safety – industry sectors such as healthcare, electricity, telecommunications, financial services, transportation and more. These industry sectors are stepping up to those tactical and strategic responsibilities with their government partners.

The policy further acknowledges that 80-90% of these sectors are owned and operated by the private sector, which must be responsible for self-organizing around the protection and resilience of those assets and services we depend on. That critical infrastructure protection function takes the form of both tactical/operational and strategic policy collaboration among major stakeholders within a sector.

These functions are specifically called out in the policy: Information Sharing and Analysis Centers (ISACs) and Sector Coordinating Councils (SCCs). ISACs, including our NH-ISAC, handle day-to-day watch, warning, incident response and best practices cooperation across the sector and with government. SCCs acknowledge daily incidents and cyber-attacks as a given, leaving response to the ISACs, and instead look over the horizon at improving ways – both policy and business strategy – to get ahead of the threat and strengthen national confidence in the security and resiliency of essential services. Whereas ISAC membership consists of many technical and operational leaders within their organizations, the Sector Coordinating Councils convene cross-disciplinary leadership, including general counsels, CTOs and CISOs, government and regulatory affairs, risk and compliance management, and business operations.

The ISACs and SCCs are in effect two sides of the same critical infrastructure coin. Together, ISACs and SCCs work with the government in a public-private partnership called the National Infrastructure Protection Plan (NIPP) to develop strategies for how the sector will mitigate threats and vulnerabilities and how it will partner with the government toward that end. The U.S. Department of Homeland Security works with every sector on these plans, known as Sector Specific Plans, which are updated every 3-4 years, and with each sector specific agency (SSA) that is assigned to the sector corresponding with agency authorities. The Department of Health and Human Services is the designated healthcare SSA.

A closer look at the Healthcare Sector Coordinating Council (HSCC). The HSCC is in effect an association of associations, which includes their enterprise and executive members, convening at the “big table” to identify and attack those cross-cutting threats and vulnerabilities that challenge our ability to deliver safe and secure healthcare to the nation. We do this both independently of, and in partnership with, the Department of Health and Human Services – our sector specific agency. In all working sessions between government and industry under this structure, competitive and regulatory equities are left outside the door, and sensitive information discussed with the government is afforded protection from public disclosure under special advisory committee status.

While every association member that participates in the HSCC maintains its identity and business-as-usual programs, the HSCC affords its members a 360-degree visibility into other subsector perspectives and work initiatives, and a coordination mechanism to minimize conflict or duplication. Organizations join the HSCC at no cost, but commit “sweat equity” – your expertise, experience and thought leadership – to the development and implementation of policy and operational improvements to the security and resiliency of the sector.

Over the past year, one component of the HSCC – the HSCC Cybersecurity Working Group – has undertaken a number of important cybersecurity initiatives, and additional workstreams are expected to get underway for medical device and health IT security strategy and, more broadly, implementation of the Healthcare Industry Cybersecurity Task Force Report recommendations released in June 2017.

So this is a call to action to you and your organizations. It is recognized that the sector’s cybersecurity mission should be robustly represented – both numerically and substantively – across the six major subsectors: Direct Patient Care; Health Information Technology; Health Plans & Payers; Mass Fatality Management Services; Medical Materials; and Labs, Blood & Pharmaceuticals. It is important – indeed, your responsibility – to ensure that your organizations, representing the most critical service and technology providers with the most extensive economic concentration and population reach, are at the table providing expertise and experience to deal collaboratively with complex problems.

The HSCC Cyber Working Group – currently co-chaired by Terry Rice of Merck and Bryan Cline of HITRUST – is embarking on a membership acceleration initiative to ensure we have robust participation and cross-sector representation. An organizing meeting of the member industry association will take place at the beginning of February to reaffirm our collective commitment and prioritize our work plan. We will consider what we must tackle first and over the longer term – problems such as the balance between medical device security and user cyber hygiene; best practices for small rural hospitals and family practices; alignment of data security and data privacy; identification of relevant cyber intelligence and information sharing needs from the government; cyber incident exercises; and regulatory harmonization to ensure focused and effective cybersecurity risk management, among many others.

But we need to do this work together: None of us individually is as smart as all of us collectively.

For more information, contact HSCC Cybersecurity Executive Director Greg Garcia: greg.garcia@HealthSectorCouncil.org.