Healthcare is complicated. So it’s not surprising that healthcare cybersecurity is just as complex. But what shouldn’t be complicated is the guidance health systems are given to deal with threats. In the past, a number of well-meaning entities – from government to private to hybrids of the two – have put out roadmaps, frameworks and other tip sheets that left all but the most sophisticated shops shaking their heads, wondering where true north lay. But things are changing, according to Greg Garcia, Executive Director, Cyber Security, Health Sector Coordinating Council, who says that his organization (which just released its Health Industry Cybersecurity Strategic Plan – 2024-29) is focused on helping to bring a signal through the noise, starting with deep coordination between HICP, the nascent HPH-CPGs and foundational cyber frameworks like those from NIST. In this Live @ ViVE interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Garcia covers these issues and much more.
Podcast: duration 27:26 (18.8 MB)
Bold Statements
Cybersecurity has to be a habit. It has to be a habit among the users, the clinicians, the people who are sitting in front of their computer and their IT systems, and has to be a habit for the product security people, for the manufacturers of medical technology who know that we need to simplify this, because security by obscurity doesn’t work.
We all have the same objective, but if we have competing ways to reach that objective, we’re not moving the ball forward. This is going to be a challenge long after I leave the workforce.
… this is one of the major goals in the cybersecurity strategic plan, that basically technology being used in the clinical environment must be secure by design and secure by default, and that must be demanded by the customers, and it must be provided by the manufacturers and third-party service providers
Anthony: Welcome to healthsystemCIO’s Live at ViVE Interview with Greg Garcia, Executive Director for Cybersecurity with the Health Sector Coordinating Council. Greg thanks for joining me.
Greg: Thanks, Anthony. Glad to be with you.
Anthony: Very good. Big news for you guys at the show. You’re releasing your strategic plan. Why don’t you just tell me briefly about the Health Sector Coordinating Council.
Greg: You bet. So the Sector Coordinating Council, the Cybersecurity Working Group, is an advisory council to the government and to ourselves in the industry, working together to identify and mitigate cybersecurity threats to the healthcare system. We’ve got about 425 organizational members, including government from across the spectrum. We’ve got the health providers, the medical tech companies, pharmaceuticals, plans and payers, health IT. So we’re looking at all of those crosscutting cybersecurity issues that affect the sector and, in particular, patient safety.
The Health Industry Cybersecurity Strategic Plan that we released on February 27 is intended to first look over the next 5 years and see what are the major healthcare industry trends, not cybersecurity, just what are the industry trends in technology and operations and regulation, business developments, and then what are the cybersecurity challenges that those trends present and then what do we need to do as an industry to get better, to get well.
It is a wellness plan for cybersecurity and, back in 2017, there was an HHS task force that diagnosed healthcare cybersecurity to be in critical condition because of all the connectivity and all of the evolving threats. We want to use this Health Industry Cybersecurity Strategic Plan to get us to upgrade to stable condition by 2029. It is a 5-year strategic plan. That is what this is about. It is scalable, up and down, regarding the size and financial capabilities in the health sector, and it applies to any and all of the major subsectors.
Anthony: Very good. I was just in a session and one of the things that was discussed was this idea of complexity around cybersecurity, the information available, the messaging, the HPH-CPGs have come out, some of the voluntary ones. This is an effort to simplify things and harmonize requirements. There’s a huge need for clarity, right?
One is we want to bring everybody to a minimum level. That’s one of the goals here. The other major goal is clarity. Those two work together. What are your thoughts around that?
Greg: Very good question. This really applies a lot to the small, rural, underserved health systems who know they have a problem, they just need a place to start. There are, as you said, many different cybersecurity regulations and framework and toolkits, where do we start, and particularly for the smalls, it’s got to be digestible. It can’t be complex.
One of our flagship products, our toolkits available to the sector, is a joint effort by HHS and the Sector Coordinating Council. It’s called HICP, the Health Industry Cybersecurity Practices, and Volume 1 is for the small organizations, the small providers. Volume 2 is for the medium to large. In that way, we can take the same set of the top 10 major controls that you need to have for a good cybersecurity program and scale it. It’s easier for the smalls to keep it simple and then, the higher you get in terms of maturity and sophistication, we can drill down a little bit more and talk about how.
That is just one example of the cybersecurity framework that’s available free – actually, as CISA’s Deputy Director Nitin Natarajan just said, ‘it’s not free, it’s prepaid because we’ve all paid our dues into the system,’ – it’s available to the sector and it’s written by the sector. That’s the important part. It’s by the sector and for the sector by those chief information security officers and others in our membership who feel the pain, and they know where the landmines are and how to navigate those landmines for those who are just getting started.
Anthony: We talked about simplicity, finding simplicity from complexity, and I spoke to Erik Decker, he was involved with the HICP, the production. I think he got very deeply involved in that with you. He’s been very deeply involved with you with the formulation of the HPH-CPGs, right?
So when we talk about simplicity, you referred to HICP. We know this HPH-CPG thing is coming out, has come out. Those two work together, that’s what Erik said and it’s no surprise, these should all flow together. NIST is fundamentally incorporated into these concepts. HICP is advisory, the HPH-CPGs are voluntary, but eventually will be mandatory. Do you see HICP fusing with the HPH-CPGs? Again, we’re looking for this simplicity where it’s one document to go to. What are your thoughts?
Greg: Absolutely. They are perfectly aligned. NIST applies to all critical infrastructures, as a general matter. HHS took that and they took CISA’s cyber performance goals and then said, ‘okay, what are the most important cyber performance goals that health systems need to implement? Let’s drill down to the most important.’ They call it the top tier, essential, and the next tier, enhanced.
If you put them side by side with HICP, they match up. But here’s the difference: the CPGs, the cyber performance goals, will say ‘what,’ HICP says ‘how.’ That’s the main thing. If I’m an IT person in a small rural hospital in southern Kentucky, what do I have to do?
CPGs, ‘oh okay, I’ll do that.’
‘Well, how do I do that?’
‘HICP, I’ll use the HICP.’
That’s the continuum. You start big and then you drill down to the how. Hopefully, from that you will have a vision of what constitutes success.
Anthony: Do you feel like we’re moving in a good direction in terms of that simplicity and that one-stop shop? Do you feel like they’re trying to go in the right direction?
Greg: Yes, I think it is and indeed, one of the major goals, goal number 1, I believe, in the cybersecurity strategic plan says we need to do more around simplicity. Cybersecurity has to be a habit. It has to be a habit among the users, the clinicians, the people who are sitting in front of their computer and their IT systems, and has to be a habit for the product security people, for the manufacturers of medical technology who know that we need to simplify this, because security by obscurity doesn’t work.
Greg: And let’s not forget the H-ISAC. It’s a lot.
Greg: It is a major patchwork quilt. If you can sort of pan back and look at that patchwork quilt, I hope one day it’s going to show a healthcare system that is healthy and not constantly under cyber attack, but the Office of the National Cyber Director within the White House actually last year put out a request for comments to the industry with a whole set of questions based on really one driving principle of how can we eliminate complexity in our regulatory environment. It’s an open question to health providers, medtech and pharma companies. ‘What is getting in the way of your being more cybersecure? Are there regulations between state and federal that are actually working at cross purposes? Or is there overlap? Is there conflict? Are you put in a position of having to decide which law you’re going to break, if you’re going to break one of them at the state level or the federal level?’
I think probably, at this point, they are still digesting all of the comments that came in. The national cyber director doesn’t have any declarative authority over state government regulations, but if we can just keep the drum beat going about we need to coordinate better, that will be good. We all have the same objective, but if we have competing ways to reach that objective, we’re not moving the ball forward. This is going to be a challenge long after I leave the workforce.
Anthony: Listen, it’s funny, it’s this pesky federal system (laughing). I just happened to listen to the audio version of The Federalist Papers, Alexander Hamilton and whatnot. That’s what he’s talking about, 1783 – he was trying to convince everybody, ‘hey, we need a federal government that’s strong enough to hold this thing together,’ and the concern was the state governments didn’t want to give up any of their power and authority so it was that compromise, and we’re talking about some of the effects of that.
Greg: I keep The Federalist Papers on my bedside table.
Anthony: What?
Greg: I think it is really one of the most beautifully written…
Anthony: Oh my god.
Greg: …understandings of the inspiration behind the Constitution of the United States and, in this day and age, when we are looking at threats to the Constitution, I keep that nearby…
Anthony: Wow.
Greg: …as my security blanket.
Anthony: That’s amazing. My takeaway from that was – I mean, these people are beyond brilliant, their minds, multifaceted. These people actually served, were leaders in the army, and then wrote this stuff. Amazing, right?
But what you have there are 80-something articles that are there to explain and promote a proposal. This was to convince New York mostly to vote in favor of the Constitution. What an interesting approach that we don’t do today, right? Things are proposed, my god, we’re getting into a weird discussion, but people complain in Congress about getting a 3,000 page bill the night before they have to vote on it.
In the case of the Federalist Papers, you have Hamilton and Madison and Jay writing 85 complex articles to convince the public before a vote. What a change, right? What a better approach that was.
Greg: Yes. All right. Then, I’m going to say our 5-year cybersecurity strategic plan is our Federalist Papers, in healthcare cybersecurity. How is that? This is our Constitution. Let’s pursue that grand experiment for the next 5 years and see how we can get, as you are calling for, Anthony, a level of simplicity instead of complexity.
Anthony: Well, I think that’s one of the biggest things that we’re hearing about the cybersecurity issues. Speaking of complexity – let’s talk about the complexity of managing hundreds of third-party relationships. Again, what’s been pointed out to me in different interviews is, let’s say you do some questionnaires and investigation, you can go beyond the questionnaire and do a real investigation. That’s a point in time you’ve measured. Six months later, that point in time may no longer be a valid data point. It’s extremely complicated, and something folks are really having a hard time getting their arms around as we speak. Any thoughts around that?
Greg: Yes, as we speak, everyone is dealing with a major third-party breach, attack, on Change Healthcare, which holds about, I think, a third of the market for claims management, for prescription management, and all of that has been, or a lot of it has been, disrupted. That is an existential threat to the healthcare system, and it’s very difficult for any of us, or any of the users of that third party, to be able to control, and it’s similar to the SolarWinds software patch release where, with one click of a mouse, a corrupted software update went to thousands of customers, and therefore infected those thousands of customers.
And so, this is one of the major goals in the cybersecurity strategic plan, that basically technology being used in the clinical environment must be secure by design and secure by default, and that must be demanded by the customers, and it must be provided by the manufacturers and third-party service providers. It’s a hard thing because it is a complex ecosystem and no manufacturer can create a one-size-fits-all security solution or a medical device that is secure in every clinical environment because clinical environments are all architected a little bit differently.
So that leads us to another goal in the strategic plan which is that we have to have a continuous dialogue, a partnership between the technology providers and the users about evolving requirements, evolving threats, and how we navigate this.
Again, Anthony, the theme here that you have raised is simplicity. How do we make this more simple so that the onus is less laid on the shoulders of the technology users? Technology users are going to have to do their basic cybersecurity protections, but the more they can concentrate on patient safety and patient care, and less on security, we’re going to have a better healthcare system.
Anthony: As a final question, regarding the CPGs, I got into this with Erik a little bit about the chicken-or-the-egg thing, for example, ‘if I lay out some money to work towards this stuff, am I going to get it back, are they going to reimburse, or do I need to wait?’ I don’t know how that’s going to work.
Greg: I hope the government will provide a library of funding sources. We know that the Federal Communications Commission supports, for small hospitals, communications and IT technology grants. HRSA, which is an office within HHS, provides grants. We need to give them everything that is available to them, to the health providers, and enable them to pick and choose as to how they’re going to fund their cybersecurity programs with those funds.
When the government does decide to make CPGs required, if they decide to make the CPGs required, part of a regulatory process requires that the government do an impact analysis and figure out how much this is actually going to cost. With that, they will know how much money the government can actually raise to provide help to the industry.
Anthony: I want to thank you so much for your time today, Greg. I really appreciate it.
Greg: Good talking to you, Anthony.