A few weeks ago, HHS released the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients, a set of guidelines designed to help organizations of all types and sizes more effectively safeguard data. Though it was developed in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d), the document that was born out of a two-year effort from more than 150 cybersecurity and healthcare experts is not a compliance framework. It’s not an HHS-produced document (although HHS did help facilitate the process).
What it is, according to Erik Decker, Chief Privacy and Security Officer at UChicago Medicine, is more of a “cookbook.” Yes, that’s right. In this interview, Decker likened the guidelines to a collection of recipes that are tailored to different types of facilities, and can be tweaked as needed. “You can substitute, and that’s perfectly fine. You might come up with a better dish, but you’ve got something to work off of, and that’s what this is,” he said. In our recent conversation, Decker also talked about the rigorous process of creating and editing the guidelines; how the group worked to incorporate feedback from so many different entities; what he believes was most important for both clinicians and IT professionals; and what the next steps are.
- Striking the right balance
- “You can’t react to every comment; you have to look at the underlying message.”
- Doing “meaningful” work
- Facilitated by HHS, but industry-led
- Cookbook analogy – “You’ve got something to work off of.”
- Next steps: education and awareness
- Cyber as a shared responsibility – “It is not entirely an IT problem.”
Gamble: Was it difficult to come up with a set of guidelines that met everyone’s expectations? I can imagine it is, considering there were so many individuals involved.
Decker: I actually think we did a pretty good job of finding that balance. When you’re in this type of environment, you can’t always react directly to every comment. You have to look at the underlying message and thought behind it. Then it becomes a question of, how do you articulate that properly? At the end of the day, when we had produced the file and sent it to the Task Group for approval, we asked if it was what they wanted, and 100 percent of them said yes. It was very validating.
Gamble: Sure. Now, I did want to clarify something. When the announcement came out in late December, it said, ‘HHS, in partnership with the industry, releases voluntary practices.’ What was HHS’ involvement in the process?
Decker: I’m glad you mentioned that. All of this was facilitated by HHS. They provided the framework and the logistics. They provided the support to bring all of us together to actually deliver this. One of the reasons we had such great participation from such fantastic leaders was that there was an inherent knowledge that this was going to be meaningful work, because HHS was supporting it. And they were very clear that this is industry-led; it’s not an HHS document. This is an industry-led document in partnership with HHS. That’s how it was directed, and it’s how we approached it.
Within HHS, they had a steering committee with representation from all the various agencies, because this had to go through clearance and approvals. And they were with us lock-step — nothing was a surprise as far as the various iterations. We also sought their input on the ‘gotcha’s’ we should watch out for, the language we used, and the process of obtaining support from all the operating divisions to produce the document. It’s been very collaborative.
Gamble: Right. You mentioned there was an underlying feeling that the work being done was going to be meaningful. I imagine that set a positive tone from the start.
Decker: It really did. Right out of the gate, everybody was charged and excited about taking this on, because we knew there was a deficiency, and we wanted to fill the gap.
Gamble: In terms of having two Technical Volumes, what was the reasoning behind that? Was it about being able to dive deep into the needs of small organizations and practices versus larger health systems?
Decker: Exactly. One thing we’ve come to realize as an industry is that small organizations are struggling with cybersecurity. But it’s not necessarily a lack of knowledge; it’s having very limited resources. You’re not going to have a 10-person security team in a two-physician practice. It’s not realistic. They need guidelines that are meaningful and doable for them. Fortunately, we had some great advocates in the Task Group who made sure we were serving the small business community. That’s why we divided it into two volumes.
Gamble: I know this is a very broad question, but when you look at what was produced, what would you say were really the biggest takeaways?
Decker: I’ve thought a lot about it, and this is what I came up with. Think of it as a cookbook. You have a bunch of recipes — in our case, it’s recipes for how to manage the five various threats. Within those recipes, you have ingredients that need to be mixed together. As with any cookbook, success depends on the skill of the baker or cook in assembling the ingredients the right way. And of course, you could substitute — and you might actually come up with a better dish. But what’s important is having something to work off of. That’s truly what this is: a cookbook.
I do want to clarify, however, that none of us want this to become a de facto standard or a definition of what reasonable cybersecurity diligence looks like. These are suggestions. And in fact, if you look at some of the sub-practices within the technical guides, you could do one or two of those things and manage your risks quite well. If you do all five, it could be quite costly, and you might not actually be managing risk in the most cost-effective way. Turning this into a compliance framework would be counter to the whole purpose of what we’re trying to do.
Gamble: What about next steps? I read that HHS is going to be working with stakeholders to raise awareness and implement these practices. How do you envision that happening?
Decker: There are a few things happening there. Today, we have about 30 different touchpoints within the industry — things like newsletters, articles, conferences, and webinars — where we feel we can reach out to the community and deliver the message. We’re leveraging the Healthcare Sector Coordinating Council (HSCC) and the associations within it, to amplify the message. Many of them have already done that.
We’re also working with industry groups to spread the word. We’re attending annual conferences and regional conferences, and reaching out to state and local agencies. In Illinois, for example, we have the Chicago Department of Public Health, the Illinois Hospital Association, and the Compliance Consortium. We’re engaging with all of them to get the message out, which has been great.
As a Healthcare Sector Coordinating Council, we’re thinking about how we’re going to measure what adoption looks like. We’re starting the conversation about how to create a good qualitative survey where we can hear feedback in a formal way about how it’s working.
There was actually a suggestion to put something on HHS’ website that says, ‘are you meeting HICAP?’ That is not what we want. That gets in the compliance realm — it’s not what we’ve set out to do. In fact, it would be counter to the positive message we’re trying to push out. Additionally, because this is a living document and a living initiative, we’re starting work on Version 2.
Gamble: And that will incorporate some of the feedback you’re hearing?
Decker: Yes, it will definitely incorporate that feedback. We’ll get input on what marketing and promotion channels to use. We’ll do lessons learned; we’ll take things we parking-lotted from the first version and bring them forward. We’ll get right back to work thinking about, how do we keep this modern and updated? What’s next? What else do we need to tackle?
Gamble: Do you anticipate practices or smaller organizations reaching out and asking, ‘How do we do this?’ And if so, is there anything in place for that?
Decker: That’s done through associations. Health Resources and Services Administration (HRSA) was part of the group. There are some incredibly strong leaders in that agency who are doing proactive outreach to the rural community, specifically about HICAP. They do monthly calls, and we’re going to be one of those calls to explain what’s happening.
Another positive from this is that it offers the vendor community a chance to look at the references and reach out to their clients and say, ‘here’s how we can help.’ I’ve heard feedback that vendors are excited to assist, which is great.
Gamble: Interesting. It goes along with one of the themes from HICAP, which is that cybersecurity is a shared responsibility. What are you seeing there?
Decker: The idea that information or IT will solve this is just unrealistic. Cybersecurity is not entirely an IT problem. Intrinsically, there’s technology under the seams, which is why it’s called ‘cyber.’ But if you think about crime in general, you don’t expect the police department to stop all crime that exists inside of a city. They can’t. And so you can’t expect the cybersecurity department to stop all crime either.
It’s the same motivation. You need a police department, as well as many other agencies within your government and your structure — local businesses, safety protocols, etc. You need good preventative measures in place to help prevent it from happening in the first place. You need good community policing and outreach. You have to make sure you have a relationship with your constituents, your citizens. It’s the same concept inside of an organization; you have to have a solid relationship and partnership with your business and your business users so that they know who you are and they know how to engage with you. Because when something happens, you want to be on top of it as fast as you possibly can; you want to know what you’re supposed to do when an issue arises. You don’t want to make it up on the fly.
In security, we talk about prevention, detection, and response as the three main themes; you could align an entire security program based on those concepts. Detection and response require an aware organization. Prevention requires an aware organization as well; you might have to turn off a workflow that the business wants to use, because it’s too risky. And so you need their support in order to do that. You need to be able to explain why that’s important.
Gamble: When it’s time to start creating the next iteration, do you think it will be a smoother process because a rapport has been established among the group?
Decker: We have a rhythm, and we obviously have a deliverable to look at and think through. As far as what’s next, we as a group need to get back together to decide where we go from here; what is the next meaningful update to a practical, actionable, and implementable set of cybersecurity references and practices. Obviously I have my own thoughts, but what I found to be so powerful about this initiative was that it was 150 people reaching a consensus. It wasn’t one person’s perspective. Our individual perspectives are embedded into it, but it’s a reflection of a group of thought leaders. There’s a lot of power behind peer review and a lot of power to know you’re getting the best from all of these people.
Gamble: So, knowing what you do now and having gone through it, would you do it all over again?
Decker: I would — I am, in fact.
Gamble: Right. Well, that’s about it for now. Thanks so much for your time. This has been really helpful, and I look forward to speaking with you again.
Decker: Great. Thank you.