The journey to cybersecurity resilience in healthcare is not a solo endeavor. It requires coordination among several pivotal organizations.

At the heart of this collaborative effort is the Health Sector Coordinating Council Cybersecurity Working Group (HSCC CWG), a team designated by the U.S. government as a critical infrastructure advisory council.

The HSCC CWG exemplifies a public-private partnership that works hand in hand with the government to tackle systemic cyber threats through strategic initiatives and the development of cybersecurity best practices.

As the healthcare sector navigates this complex cyber landscape, a concerted effort from key stakeholders is crucial to transition the industry from a critical condition state, as it was diagnosed back in 2017, to stable and secure by 2029.

The role of HSCC in cyber resiliency

Through its Cybersecurity Working Group, the HSCC has galvanized over 400 organizations and their 1000 representatives from across the healthcare ecosystem to foster a proactive approach to cyber threats.

This group’s mission transcends the creation of defensive strategies. Their focus is on developing actionable best practices and guidance documents tailored to the unique needs of healthcare, including providers, pharmaceutical companies, medical technology, payers, and health IT firms. It also provides perspectives and advice to the government about policies and programs that can help mobilize the sector against evolving cyber threats.

The CWG is organized into various task groups, each focusing on specific cybersecurity challenges. These groups are led and populated by Chief Information Security Officers (CISOs) and their teams who are tackling specific problems head-on (e.g., securing aging medical devices, providing best practices for operational continuity, etc.).

Representatives across the industry, from large, well-equipped healthcare companies and providers to small healthcare organizations, offer their insights and perspectives as a public service, exemplifying a by-the-sector, for-the-sector approach.

The result is a unified effort among key stakeholders in the healthcare ecosystem that embodies the principle that “cyber safety is patient safety,” highlighting the intrinsic link between robust cybersecurity measures and the uninterrupted delivery of patient care.

The path to progress

Over the past two decades, the critical infrastructure sector coordinating council model has evolved through a series of presidential executive orders and laws.

These directives and legislative actions acknowledge that owners and operators of critical infrastructure have a responsibility to work with and alongside government agencies—principally the U.S. Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA)—to identify and mitigate threats that can impede their ability to deliver critical assets and services to the public.

With the enactment of Section 405(d) of the Cybersecurity Act of 2015, Congress added specificity for HHS and the industry to collaborate in the development of voluntary, consensus-based healthcare cybersecurity practices.

This program, and the industry members recruited to join with HHS, was subsequently rolled up under the HSCC Cybersecurity Working Group in 2018.

The 405(d) collaboration resulted in the creation of the HICP (Health Industry Cybersecurity Practices), a flagship HSCC/HHS publication released in 2018 with a set of guidelines for enhancing the cybersecurity posture of all healthcare organizations.

The HICP was recently updated in 2023 to include new guidelines, including documents on operational continuity following a cyber incident, artificial intelligence, how to address new and evolving cybersecurity threats, and a range of other guidance.

These publications, and over 25 others (with more on the horizon), are freely available and accessible on HSCC’s site in the “cyber practices” section.

HHS’ strategy to harmonize healthcare cybersecurity

In addition to the HICP updates, HHS has started thinking more deliberately about cybersecurity in healthcare, as is evident from the Healthcare Sector Cybersecurity Strategy released in December 2023.

To develop a coherent and integrated cybersecurity strategy, HHS is exploring ways to organize and align all their various governing bodies, including:

  • Health and Human Services (HHS)
  • Office for Civil Rights (OCR)
  • Centers for Medicare & Medicaid Services (CMS)
  • Office of the National Coordinator for Health Information Technology (ONC)
  • Food and Drug Administration (FDA)
  • Administration for Strategic Preparedness and Response (ASPR)

To build on their efforts and actions to advance cyber resiliency in the healthcare sector, HHS included four core components in their cybersecurity strategy:

    1. Cybersecurity Performance Goals (CPGs) for the health sector
       CISA has developed CPGs for all critical sectors, but HHS’ CPGs are tailored for healthcare to prioritize the minimum cybersecurity controls that everyone in healthcare should be accountable to. They are divided into “Essential CPGs” and “Enhanced CPGs” to prioritize the implementation of core cybersecurity practices. Many of these CPGs are also contained in the library of documented best practices that HSCC has published.

    2. Assistance
       Many small and mid-sized healthcare organizations are operating at zero to negative margins. If the objective is to get them to invest in more cybersecurity risk management programs, they are going to need financial and technical assistance. In the FY2025 HHS Proposed Budget, there are incentives totaling $1.3 billion beginning in 2027, with disincentives beginning in 2029.

    3. Enforcement and accountability
       Funding and voluntary goals alone will not drive the cyber-related behavioral change that is needed across the healthcare sector. Given the increased risk profile of hospitals, HHS aspires to have all hospitals meeting sector-specific CPGs in the coming years. With additional authorities and resources, HHS will propose:
       • Incorporating HPH CPGs into existing regulations and programs to inform the creation of new enforceable cybersecurity standards
       • Cybersecurity requirements for hospitals through Medicare and Medicaid
       • Collaboration with the Office for Civil Rights (OCR) to update the HIPAA Security Rules to include the new cybersecurity requirements

    4. Mature and expand support
       To help ensure the healthcare industry can efficiently and effectively access sufficient support and services, ask cybersecurity-related questions, and get help addressing issues, the plan is for HHS to develop its own portal. The new HPH Cybersecurity Gateway has been released and will provide a one-stop shop for healthcare cybersecurity. This component of the strategy will be led by the Administration for Strategic Preparedness and Response (ASPR).

HSCC’s five-year plan

In 2017, the Health Care Industry Cybersecurity (HCIC) Task Force published findings that healthcare cybersecurity was in critical condition. They also outlined what the health industry needed to do to get well.

HSCC took those findings, established task groups, and developed publications focused on addressing the HCIC recommendations.

Now, five years later, those recommendations have been produced and are ready for implementation. However, HSCC recognized that the healthcare industry has changed significantly since those findings were initially published in 2017, introducing both continuing and new cybersecurity challenges.

To help prepare the healthcare industry, HSCC developed a five-year healthcare cybersecurity strategic plan in collaboration with 150+ leaders from their membership to reflect where the healthcare industry is going, the likely cybersecurity challenges, and strategies for addressing them.

This five-year plan represents a clear roadmap—a wellness plan, if you will—for how the healthcare industry can get from its critical condition diagnosis in 2017, to a stable condition by 2029.

To learn more about HSCC, the work they are doing to support HHS’ cybersecurity strategy, and their five-year plan, check out our webinar The Regulatory Roadmap with HSCC.


Content for this post was developed from insights provided by Greg Garcia, Executive Director of HSCC, and Kate Pierce, Executive Director, Subsidy Program at Fortified Health Security.