healthsystemCIO Founder and Editor-in-Chief Anthony Guerra talks with Health Sector Coordinating Council Director Greg Garcia at the Vive Conference about the structure and relationships among entities like HHS, FDA, HSCC, the Health ISAC, and 405(d); the importance of the NIST framework and how HICP, JSP and other materials released by the HSCC can help healthcare organizations map to NIST; the chances of minimum cyber requirements becoming a reality; and the importance of getting cyber risk into the overall organizational risk discussion.
Guerra: Greg, thanks for joining me.
Garcia: Good to be with you this morning.
Guerra: All right, let’s start off, tell me a little bit about your organization and role. As much as I’ve tried to dig into the relationships and the different government associated entities, it can get a little daunting, unless you have a giant whiteboard.
Garcia: The Health Sector Coordinating Council is one of 16 sector coordinating councils, each associated with a critical infrastructure industry sector. So healthcare is a critical infrastructure, just like telecommunications and electricity, oil and gas, financial services and more. And we are actually designated by the government as critical infrastructure. And the government needs to work with these critical industries to collectively and collaboratively identify and mitigate systemic threats to the sectors, whether they are natural threats, like pandemics or hurricanes, or whether they are manmade threats, like terrorism or cyber-attack.
So what we have here is a public-private partnership. So we are an official partner to the government. We are totally industry organized and managed. We now have about 380 healthcare organizations from across the spectrum: health providers, medical device companies, pharmaceuticals, plans, payers, health IT. And we are all working together to think about how we get ahead of the cybersecurity threats, and we do it across the sector, and we do it with the government, understanding that market forces alone aren’t going to solve our cybersecurity problems, and regulation alone isn’t going to solve our cybersecurity problems. So we need to be working with industry and government creatively and resourcefully at trying to get ahead of the threats.
So that is primarily what we do. And we are a counterpart organization to the Health ISAC (Information Sharing and Analysis Center); they do the same thing, only in a tactical, operational way. They are the firefighters, they do the blocking and tackling. The Sector Coordinating Council looks over the horizon at the strategy, the policy for how we can do this better, how we can be more secure.
Guerra: Do you have a lot of interaction with the health ISAC?
Garcia: Yes, we do. We are a sister organization. Absolutely. They are a member of the Sector Coordinating Council. What we have in the council is this privileged relationship. Unlike other trade associations, the government agencies responsible for us – in this case, Health and Human Services and the FDA – are essentially required under policy to work with the sector coordinating councils, and the councils need to be fully representative of the sector at large. And so the Health ISAC is a big part of the sector, major trade associations like the American Hospital Association, AMA, AdvaMed, America’s Health Insurance Plans, they are all members of our organization, as are the companies and providers themselves.
Guerra: And where does 405(d) fall into this?
Garcia: 405(d) is one of the task groups. The nervous system of the cybersecurity working group is our task group structure. Task groups are focused on developing best practices and recommendations for very specific aspects of cybersecurity. 405(d) is one of those task groups that’s focusing on how to help provider systems do better at cybersecurity. We have a task group on medical device security. How do you design and build security into medical devices from the ground up? We have a task group on workforce development. We have a task group on information sharing, intellectual property protection, everything that a chief information security officer needs to be concerned about. We are working on developing best practices specifically for the health sector.
Guerra: So let me ask you this. You say that the Health Sector Coordinating Council has task groups?
Garcia: Yes, 15 of them.
Guerra: Some of which are focused on topics.
Guerra: One of which is 405(d), which is not a topic, per se.
Garcia: Good point. Very good point. The 405(d) is named for Section 405(d) of the Cybersecurity Act of 2015. Congress told HHS you need to work with industry to come up with best practices for cybersecurity, for healthcare, for health systems. Great. They did that. When the Sector Coordinating Council reorganized in 2017 after I came on, the 405(d) Task Group, which was already working, they were nearing the publication of their document called HICP, health industry cyber practices. They said, “The Sector Coordinating Council is now a more mature public-private partnership. Let’s bring the 405(d) task group and roll it up under the Sector Coordinating Council with all of these other task groups.” So it is one of many. The one difference is 405(d) is the result of an act of Congress. So HHS has to own that one task group. It’s driven primarily by industry people, but it’s managed by HHS, which is good, because that means we are actually doing joint publications.
Guerra: Okay. Okay.
Garcia: You’re looking a little confused, but that’s okay. Everybody is a little bit confused by it.
Guerra: A little bit, but I’m getting there (laughing). And then there is NIST and the framework they put out in 2018 that many are working towards. You recently put out a crosswalk or alignment that will help systems map to NIST. Tell me about that.
Garcia: It’s our way of emphasizing that the health sector should be paying attention to the NIST framework. So it’s one part marketing exercise; we’re trying to drive the health industry toward NIST, and then take NIST at a higher level of granularity. And then you’ve got HICP, which is what the 405(d) did. NIST is very broad, right? Identify, protect, detect, respond and recover; those five core functions. So we took that in the HICP, in the 405(d) process, and said, “Okay, let’s align to that, but let’s get really specific, speaking the healthcare language, like oh, we’ve got things like medical devices, they’re attached to human beings, and they are vulnerable to cyber-attack. We have health data that is regulated by HHS.” So we used the NIST framework as the overarching reference, but then take HICP, and let’s get really specific about how it matters to the healthcare industry. So we put those two together. And that’s what we’re trying to encourage and promote across healthcare.
Guerra: You’ve got NIST, which was useful and helpful and still is?
Garcia: Yes, and we’re about to publish the update, it’s going to be 2023. Any day now, in the next few days or weeks, it’s going to be published.
Guerra: So you’re big on HICP. That’s like your big, big publication.
Garcia: That is the flagship, particularly for health providers. But remember, we have all these other sub-sectors, like medical devices, and pharma and health IT, what about them? So they look to NIST. But then there’s another publication we did, one of our task groups on medical device security, the other flagship publication is called the JSP. The Food and Drug Administration has been promoting this, and that is industry driven, it’s called the Medical Device and Healthcare IT Joint Security Plan, the JSP. And this is about helping medical device companies.
Guerra: Did that come out recently?
Garcia: That came out in 2019, and JSP version 2 is coming in the spring or early summer. And that will be an update based on lessons learned from JSP 1. And this is just about how should medical device manufacturers design cybersecurity from the ground up, build it into their devices? And what should hospitals and clinicians expect from medical device companies about the security of the devices that they buy?
Guerra: Here’s what I’m thinking a CIO might like, a really short reading list, like what are the most important documents? So obviously, NIST is the gold standard, 2018 NIST, that’s there. Now, how do we get to that? We’ve got materials that help us get to this. We’ve got HICP, we’ve got the JSP. These are things that are going to help us map to NIST, but it’s all about implementing NIST, right?
Garcia: Yes, implementing NIST is a very high-level thing, but it doesn’t tell you how to do things. It tells you what. The first thing you’ve got to do is identify, protect, detect, respond and recover. That’s what the NIST framework looks like. So what does identify mean? Well, you’ve got to identify your assets. What are you trying to protect? You need inventories. You can’t protect what you can’t see. So you’ve got to do that. Okay, well, then, how do you do that? So we take that. And HICP talks about how you do that. What’s the how part? The medical device joint security plan tells you how to build security into devices. Another task group says, how do you do information sharing? What’s the best way to take information you get ingested and make it actionable so that you can actually protect your enterprise from a cyber-attack? So we do a lot of the how. We have 18 publications so far.
Guerra: Could you map every one of those 18 to a NIST step? Like, these three go to this one, these three go to this one…
Garcia: I think, yes, I think you can do that for most of those, but we have other resources that may not be directly mapped, like workforce development. How do you attract and train and retain good cybersecurity talent in your clinical environment? That one doesn’t really identify, protect, detect, respond and recover. I don’t think that would map directly because there’s more to the world than NIST. And so we have to get down sometimes to a level of granularity. But we’re doing it in the health sector, with a language that health providers and healthcare companies understand.
So if you go to our website, the reading list you asked about is there, it’s healthsectorcouncil.org. And under the recommendations tab are 18 publications and counting. We’re releasing a video series. It’s called “Cybersecurity for the Clinician,” video training series, possibly tomorrow (3/28/23). It’s eight videos on different topics, six to seven minutes each. The on-camera host is an emergency room doctor from UC San Diego and a hacker. So he knows cybersecurity, and he knows healthcare. You’re a doctor, you’re a nurse, you’re a medical student, you’re a nursing student. And suddenly you’re touching patients. You’re touching technology, you’re touching data. You have a responsibility to cyber, too. It’s not just the CISO’s job. So we’re getting that across.
That’s not in NIST. Right? That’s not quite one of the NIST core functions. So we’re trying to get to those granular issues that have existential relevance to healthcare. And so we’re doing a lot of the how, and NIST provides this framework for a lot of the necessary stuff. But what makes healthcare unique? This is healthcare, we have patients, it’s live or die. We’ve had advice from other organizations, well, you’ve got medical devices that have vulnerabilities, just patch them up. But what happens when you patch a medical device? It reboots. What if that medical device is attached to a human, if it’s rebooting while it’s sustaining somebody’s life, you’re causing potential for patient harm.
So there are unique aspects for healthcare that NIST won’t cover, including we’re about to stand up a task group on operational technology, which is used in a variety of things like HVAC equipment and refrigeration, elevators in a hospital, but also manufacturing technology for pharmaceuticals or medical devices. These are run by operational technology.
NIST, as an organization, has done a lot on Internet of Things and software security. So you can take the whole library of NIST publications, and they’re all very valuable. And a lot of the more sophisticated, better resourced companies and our membership are using those. But what we’re trying to do is make these control frameworks relevant specifically for healthcare, because it’s a different language with different priorities than from the electric sector or financial services.
Guerra: NIST doesn’t put out a framework for healthcare?
Garcia: Correct, correct. So nevertheless, they participated in the development of this NIST framework implementation guide for healthcare. And, together with NIST and HHS, we are promoting the use of that reference to the industry.
Guerra: How do you decide what you’re going to do next?
Garcia: So what we have used as our primary reference over the past five years, you mentioned 405(d). Section 405(c) said, “Hey, HHS, healthcare is getting slammed by cyber-attack. You need to establish a task force to answer why. And to tell us what the industry needs to do.” So this task force stood up in 2016. And in 2017, they issued their report, and then it disbanded. The Healthcare Industry Cyber Task Force said healthcare cybersecurity is in critical condition. Here’s all the reasons why. And here’s what we need to do about it.
And what to do about it was six major imperatives. Underneath that statement were 105 action items, very specific things about medical device security, about hospital cybersecurity, about information sharing, about telemedicine, very specific things. And we took those recommendations, we took them seriously, because it was a report to Congress; section 405(c) said do this and report back to us. And the task force did report back to the Congress, and we said, “Okay, well, we here at the industry Sector Coordinating Council, it’s our responsibility to see if we can implement this. Let’s put flesh on the bones of those recommendations.” And so that’s what we did.
And that’s how we set up this task group structure. Or you have one task group on medical device security and another one on information sharing and another one on intellectual property protection for pharma. And that’s how we decided let’s implement the NIST; let’s implement the healthcare industry task force recommendations. So we have mapped ourselves to that as well.
So we have published 18 recommendations, almost all of them were derived directly from those task force recommendations. And so, on column one on the left is, here’s the task force recommendation. The next column over is, here are the Health Sector Council publications that answered the mail on that recommendation. So we were mapping to that.
Now we’re at a point five years later, six years later, we’re really looking at, okay, a lot has changed in the healthcare industry. Over the past five years, a lot has changed. Amazon is a healthcare company. Now that they bought One Medical, how does that change the ecosystem of healthcare? We have all of these new disruptors in technology, we have new business models in healthcare, wearable technology, home health, telemedicine, there’s a lot of changes that are introducing new or continuing cybersecurity challenges. So we are starting now on a five year strategic plan. This is what healthcare is going to look like five years from now. And what is healthcare cybersecurity going to look like five years from now? And how do we need to be prepared?
Five years ago, 2017, they said healthcare cybersecurity is in critical condition. I want to be able to say in 2029 that healthcare cybersecurity is in stable condition. So what does that look like? What does stable condition look like? And I threw out a fun goal. Can we say that 80% of healthcare systems in the United States are implementing the NIST cybersecurity framework? That would be pretty cool to be able to say that. I don’t know if we can get there. And implementing NIST is not binary, it’s not yes or no, right? It’s continual. It’s a phased approach. It’s a measured approach. It’s a maturity model in a way.
So how you answer that question is important. But can we say that in 2029 all medical devices manufactured are, out of the box, secure by design? Can we get to that? So that’s what we’re looking at now, is looking into the future. What does the future of healthcare look like and related cybersecurity challenges, and what should be our goal? And then that’s going to be how we decide what we work on.
And there’s two ways to look at it. One is what are our recommendations for the industry? We can presume to tell the industry what we think they need to be doing across the board in cybersecurity. We don’t control that. We are a coalition of healthcare organizations. We don’t have regulatory authority, the government has regulatory authority, but we can make recommendations like the healthcare task force did, but we can’t force anything. So strategic plan number one is what are our recommendations for what the industry should be doing? Strategic plan number two is, what should we as a sector coordinating council be doing to facilitate the achievement of those objectives?
So for example, the Cybersecurity for the Clinician video training series is coming out tomorrow. It’s not forcing anything. It’s just an educational device to get clinicians to understand they have some responsibility. Why? Because one of the biggest threats in healthcare is the frontline workers. They click on an email that looks legitimate, but it’s got an attachment and they open the attachment. And that releases the malware. Right? So it’s the insight or the inadvertent mistakes of clinicians. And in large companies, a CEO can be duped into clicking something or going to an infected website. So we can help as a sector council to educate the community, and we can work with HHS and DHS and CISA on marketing campaigns, “if you see something, say something,” right? Everyone knows that now.
We want the same brand recognition as “if you see something, say something”; maybe “patient safety requires cyber safety.” How’s that? Does that work? I mean, does that resonate with you, or “cybersecurity is patient security”? But we have to get the point across that we can actually hurt patients if we don’t do good cybersecurity.
Guerra: During the Senate hearing that you were recently involved in, Kate Pierce was speaking about smaller hospitals and rural health systems. And one of the things she was saying was that your organization is putting out a lot of information, and that’s great, but they don’t have the people or the money to implement the recommendations. She was asking for minimum mandates, with funding and other support. So I wonder what your thoughts are there. I know it’s not your role but maybe you do have some ways you can lobby to get those things to happen.
Garcia: She was spot on about that. And it was the same for information sharing – they don’t need more information. They just need the right information. They just need to know what’s relevant to them so that they can actually take action on it. But on your question, yes, we understand that ransomware attacks aren’t going away, and the government is getting impatient. And what can we do to increase security and accountability in the health system? Well, we’ve done that and it’s HICP. We have all of those controls. Now the question is, those are voluntary. Now, the government is going to look at that and say, “Okay, which of these HICP controls – the original HICP is called the top 10 cybersecurity practices – should you be doing.” And they’re going to be reporting today, I think if it’s on your agenda, the 405(d) group is going to be giving an overview of HICP 2023 – so what has changed?
But what we are working on with HHS and with CISA and others is okay, let’s do a scan here across the industry and say, what are those vulnerabilities in the health system that are most frequently exploited for a successful cyber-attack? Whatever those are, and we know things like email security, I mean, it’s just terrible. Without multifactor authentication, all you’ve got is one password. That’s not enough. You need multi-factor, two-factor authentication, things like that. I don’t think it’ll be a surprise to anybody, and we’re still working on a lot of surveys and such. But then, here are the primary vulnerabilities for how we’re getting beat, then what are the most important controls for addressing those vulnerabilities?
And we’ll make those recommendations and it’s going to be up to the government if they want to make those mandatory; then they have to go through a rulemaking process and then it’s public comment. But we don’t lobby as a sector council. Our member trade associations, American Hospital Association, AMA, AdvaMed, they will do their lobbying. We have to go through that (rulemaking) process just to be sure that any mandated control is going to be effective, and that it’s going to be implementable and then, for the smalls, it’s got to be funded.
These smalls are operating on zero to negative margins. So if you’re going to tell them to do something (they will not do something if they’re not told to) but if they’re told to do it, then they’re going to say, “Well, okay, then I’m going to have to make a choice. Do I hire a nurse? Or do I comply with the cyber controls? Because those are the choices I have to make.” So if we can get the government to say, on top of these new regulations we’re imposing on you, we’re going to provide subsidies, incentives, grants, services … so DHS, CISA, they do a lot of stuff. They can come into your environment, they can kick the tires, they can do a vulnerability scan, they can do penetration testing, they can help, for free, health providers that say, “I need help over here.”
Guerra: You could do a Meaningful Use thing, which was you get money if you do these steps.
Garcia: Yes. Right. So we are working as we speak on what would be our recommendations for the kinds of things that the government can do and what you just mentioned – that’s an example of meaningful use. If you do these things, it’s not a penalty. And in fact, Congress passed a really good provision there. If you remember, in January of ’21, Congress passed a law on January 5, 2021, which said, “Hey, HHS, when you are enforcing a HIPAA data breach violation, please look at the extent to which the breached hospital has implemented NIST or HICP over the past year. If they have, they’ve done the right thing. Take it easy on them. Don’t punish the victim. I mean, they might still have done some wrong things. So there’s going to be a fine, there’s going to be an audit, but take it easy on them.”
So that’s a positive incentive; that was a good idea. It says to health providers, look here, if you invest in NIST and HICP, or other recognized security practices, OCR might take it easy on you. So they can do similar things to CMS, the payment system. So Kate (Pierce) talks about the reimbursement process: there are critical access hospitals, they get virtually all of their money from CMS, they get paid by CMS. Well, what if CMS said on an OCR data breach or a HIPAA data breach, if you can show that you’re implementing this, or HICP, or other recognized security practices, we’ll give you an extra 10 cents on the dollar or something like that? I don’t know the reimbursement system. But that’s a positive incentive. Because money is everything. Right?
Guerra: Greg, just as a final question. If you were talking to a CISO at a midsized health system, maybe one hospital, 300 beds, a couple of practices. And that person wanted your best advice on, how do I shore up this place? I want to make sure I’m doing my job, right? How do I make sure I avail myself of the best information that’s out there that can help me do my job? What’s on your shortlist?
Garcia: You have got to convince your C-suite that this is another very critical element of risk. Every board of directors, every board of trustees has a risk committee. And they have directors and trustees sitting on those risk committees. And we haven’t yet gotten a culture of cybersecurity in the boardroom. It’s getting there. But when I hear CISOs talk about it’s the most important thing: How do I get my board on board? It’s not just about resources, it’s about ownership. So that’s number one. It’s got to be a matter of enterprise governance, existential governance, because the fallout from not doing that is so extensive, right? It’s reputational damage, financial damage.
Guerra: It’s almost existential.
Garcia: It is existential. So, that’s number one. That’s the top of the list. And the second is training all the way up and down. For as long as I’ve been doing cybersecurity, it has consistently been identified that the insider threat is the biggest risk, and that’s both malicious and, mostly, inadvertent, okay, up and down the stack all the way up to the CFO.
And number three is just establishing good governance and policy models that are repeatable, implementable, and scaled appropriately to your organization. I mean, if you just have your basic playbook of the appropriate components of cybersecurity, and you have someone in charge of that component, it’s big. Policy is so important, so it’s those three.
Guerra: Greg, thanks so much for your time today, really appreciate it.
Garcia: Thank you, Anthony. It’s good to be here. Good questions.