HSCC Releases a Five-Year Strategic Plan for Cybersecurity in the Health Industry

The Healthcare and Public Health (HPH) Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) has released the “Health Industry Cybersecurity Strategic Plan” (HIC-SP) at the ViVE 2024 Conference, outlining a comprehensive call to action for all entities within the healthcare ecosystem. This strategic plan spans the next five years and addresses operational, technological, and governance challenges arising from industry trends. The increasing frequency and sophistication of cyber threats against the health sector present risks to patient safety, data privacy, and care operations, leading to unacceptable financial, legal, regulatory, and reputational consequences. The HIC-SP guides C-suite executives, information technology and security leaders, and government agencies in investing in and implementing foundational cybersecurity goals to counter these threats.

The Health Sector Coordinating Council (HSCC) is a coalition of key private-sector healthcare infrastructure entities, formed under the National Infrastructure Protection Plan. Its purpose is to collaborate with and advise the government in identifying and addressing strategic threats and vulnerabilities that could impact the sector’s ability to deliver services. As of February 2024, the HSCC Cybersecurity Working Group (CWG) comprises over 400 healthcare providers, pharmaceutical and medtech companies, payers, and health IT entities. This group works in partnership with the government to identify and mitigate cyber threats in areas such as health data, research, systems, manufacturing, and patient care. The CWG actively develops and shares healthcare cybersecurity best practices and policy recommendations, and conducts outreach programs emphasizing the link between cyber safety and patient safety.

In a statement regarding the plan’s release, HSCC Cybersecurity Working Group Chairman Erik Decker, CISO for Intermountain Health, said, “The Health Industry Cybersecurity Strategic Plan recognizes that cybersecurity for the health sector is a shared responsibility among all HPH stakeholders, including medical device manufacturers, pharmaceuticals, healthcare delivery organizations, health plans and payors, and government policymakers.” Decker added that the plan also includes third-party technology and service providers, identified as significant risks to the health system. The HIC-SP, developed over eighteen months in collaboration with a diverse cross-section of the Cybersecurity Working Group and government partners, aims to address broad industry trends by establishing high-level cybersecurity goals achievable through specific, measurable objectives. This plan aims to improve healthcare cybersecurity, moving it from a “critical” state to a “stable condition” by 2029.

Outlined within the HIC-SP are strategic goals emphasizing reflexive and evolving cybersecurity practices, shared responsibility for secure technology design and implementation, accountability for cybersecurity in the C-Suite, the establishment of a cyber safety net promoting equity, continuous workforce cybersecurity learning, and the implementation of a “911 Cyber Civil Defense” capability for early warning, incident response, and recovery. Chris Tyberg, HSCC CWG Vice Chair and CISO for Abbott, stresses that the primary goal is to “improve and protect patient safety”, urging all health industry stakeholders to unite for the benefit of patients and the overall health of the sector.

Entering the next phase of its plan, the HSCC aims to set clear goals and measures for success, calling on the healthcare industry to actively participate. The HSCC CWG aims to share these measures by the end of 2024, working together to strengthen healthcare against the increasing threat of cyber incidents. With the growth of digital health technology, the HIC-SP is key to safeguarding the entire healthcare system. It accounts for a changing healthcare industry, with more technology and new ways of delivering care due to COVID-19. The plan states that all parts of healthcare must be secured, not just some. Acting as a guide for healthcare professionals and organizations, the HIC-SP asks them to invest in people, processes, technology, and partnerships to protect against cyber threats. Following the plan can substantially lower risks to patient safety, data privacy, and healthcare operations, ensuring the sector stays strong and secure.

Murphy Miller

Murphy Miller is the Editor of Healthcare IT Journal, a leading newspaper in healthcare information technology. Murphy's work covers a variety of topics including healthcare information technology advancements, health policy and compliance, patient privacy and confidentiality, and the financial aspects of healthcare. As the editor of the Healthcare IT Journal, Murphy Miller provides straightforward, informative content to guide professionals and policymakers in the healthcare and IT fields.
