Sharing the Health Sector Coordinating Council News

By: Zach Donisch, Director, AEHIS, AEHIT, AEHIA Membership

Kevin McDonald, director of clinical information security at the Mayo Clinic and co-chair of the Health Sector Coordinating Council (HSCC) subcommittee that recently produced a thorough information security framework for medical device suppliers, understates the importance of the work they accomplished. “None of the work we did is new stuff – it’s repackaging a lot of things in much more sequential, handbook kind of manner…  It’s based on current standards which are industry accepted and known. It’s how you provide them together, throwing in a dash of process to put them into place, in order to make significant differences.”

This handbook is one of the most impactful documents the council has released in 2019. Called the Medical Device and Health IT Joint Security Plan, or JSP for short, it is an industry-led, healthcare delivery organization (HDO)-advised report “written to address a major recommendation of the Health Care Industry Cybersecurity Task Force report … calling for a cross-sector strategy to strengthen cybersecurity in medical devices.”

This type of collaboration, between HDOs, government agencies and medical device manufacturers, is rare. Beyond ensuring patient safety, which ultimately helped drive each of these stakeholders to the table, incentives for each group to collaborate with the others are few and far between. McDonald spoke to the value of healthcare delivery organization leaders engaging in this supplier- and manufacturer-focused project: “The reason we decided to get involved in the Joint Security Plan … was to provide the voice of the customer in the discussion. We could offer up the things we see lacking quite often – for example, a vendor would go through all of their development, create a whole subset of their security processes and they never think about their end customer.”

McDonald and the committee see the JSP as a way to course correct for the challenges that have permeated the marketplace. As the JSP outlines in the executive summary, “[the JSP] is intended to be globally applicable to inspire organizations to raise the bar for product cybersecurity and is expected to evolve as product cybersecurity evolves.”

With over 50 members participating in the research, drafting and writing of the Joint Security Plan, the committee was a diverse group drawn from across healthcare information security. McDonald said, “[The committee] had a fair amount of input from places like the FDA, MITRE, and the work group was diverse as well… The group was full of anyone we needed for the right kinds of feedback.”

The framework recommended by the JSP is “built upon traditional quality system concepts.” Different aspects of the JSP framework can be aligned with software development concepts for integration with an organization’s preferred workflow, all in the service of enhancing patient safety and trust in the end user and customer, the healthcare delivery organization.

As the JSP outlines, the document is meant as a living, adaptive framework to assist in “raising the bar for product cybersecurity.” It is centered around continuous improvement, not only within organizations adopting it but for the document itself. “The end state,” McDonald said, “is not really a cybersecurity state as much as it is a cultural and process state – that we can continue to adapt.”

The Health Sector Coordinating Council, of which the JSP is one of many ongoing projects, is a vast group of over 200 information security leaders from healthcare delivery organizations, government organizations, and industry. Dan Bowden, vice president and CISO at Sentara Healthcare, serves as a member of several subcommittees and has seen the breadth of the work the council tackles from meeting to meeting. Despite the enormous scope and organizational challenge, Bowden identified a major constant in all of it. “The center of the Health Sector Coordinating Council universe is Greg Garcia, and he’s done an exceptional job. Similar efforts were over-decentralized before his involvement, and he’s done a wonderful job bringing all those stakeholders together. Greg and his support team, they are on practically every call.”

Organizing a few hundred passionate information security leaders and industry executives is certainly a challenge, but Bowden and McDonald both identified a greater one now that work has been produced and shared by the council: distributing that work among the wider health information security community. Whether the cause is a cultural norm among security leaders to be overly cautious, play their cards close to the vest and not offer up too much information, or simply a failure to stay engaged with a community of other CISOs who are aware of and recommend the HSCC’s resources, the council has run into difficulty sharing information and communicating between CISOs.

An obvious cause of this stems from the fact that there is no “emergency alert” system for chief information security officers and leaders at healthcare organizations. There are no licensing bodies or neutral parties that tie each person back to important announcements or information distribution. Each security leader, unless they reach out to a network of their peers, is an island. Of the communications challenges, Bowden said, “I’m asking myself how best to get others involved and engaged in this. Is there some common communication, whether it’s from HHS, CMS, or someone else in a health system, that we can close the loop?”

Additionally, many organizations lack the resources to have dedicated information security staff, making it hard to find the right “security leader” in an organization. “In many smaller organizations, you’re looking for an audience and how to reach them, but there’s no audience – there’s no one who wakes up every morning and worries about cybersecurity,” McDonald said. While it may be difficult to permeate smaller healthcare delivery organizations with no one tasked to basic information security work, existing organizations can still make a difference. The responsibility for the distribution of this information falls to groups like the Joint Commission, the FDA and non-government organizations like AEHIS, as well as other associations and “connective tissue” that healthcare information security leaders gravitate toward when looking for solutions to common problems, to help distribute and promote the important work the council is doing.

As healthcare delivery organizations awaken to a world better-framed and supported by the work of the Joint Cybersecurity Working Group and the Health Sector Coordinating Council, their best practices and guidance will likely be adopted in earnest. Until then, Bowden posited his vision of the future of the Health Sector Coordinating Council’s work. “What I’d like to see is something like the Health Industry Cybersecurity Practices guidance become a ubiquitous reference and conversation among all HDOs. [In the future] when you mention it, people will understand and can reference it and understand that those among them are developing and deploying it in their organization as a ‘best practice’ to start improving their cybersecurity practice.”

Author’s Note: As part of its mission to improve healthcare information security and provide resources and tools, AEHIS is launching a publicly available “CISO Resources Page,” compiling documentation and resources for healthcare information security leaders. You can review our CISO Resources Page here. We are committed to being vendor neutral and hope that you’ll submit resource links and documents to help us create a space from which all healthcare information security leaders can benefit.