How the HSCC is Bridging the Gap Between Cyber Haves and Have-Nots

Recognizing that patient safety and cybersecurity are inextricably linked is a crucial step in strengthening the security posture of the healthcare sector, HSCC leader Greg Garcia suggested at the HealthITSecurity Virtual Summit.

Cybersecurity remains a key challenge for the healthcare sector, an industry inundated with ransomware, phishing attacks, third-party risk management struggles, and security staffing shortages. These obstacles are consistent across the sector, but can be even more challenging for small, under-resourced organizations and rural hospitals.

Greg Garcia, executive director of the Health Sector Coordinating Council (HSCC) and keynote speaker at the 3rd Annual HealthITSecurity Virtual Summit, discussed the importance of bridging the gap between organizations that have the resources and budgets to improve security and those that do not.

“There's a very broad differential between the haves and the have-nots in terms of resources and expertise from the large hospital systems to the small and large medical device and pharma companies,” Garcia suggested.

“How do we, as an entire sector, raise the bar of security across the sector? It takes not just regulation, but resources, assistance, and a common level of best practices that all of us can be implementing.”

Advanced security solutions require financial and operational resources that many healthcare organizations simply do not have. Thankfully, there are groups working to provide resources and guidance to healthcare organizations free of charge.

During his keynote presentation, Garcia shed light on what the HSCC, as a designated Critical Infrastructure Partnership Advisory Council, is doing to help narrow the gap between the haves and have-nots.

Importance of Public-Private Partnerships

Healthcare is one of 16 designated critical infrastructure sectors, alongside industries like financial services ,water, transportation, oil and gas, and electricity. As a result of this designation, public-private partnerships like the HSCC and complementary organizations within other sectors were formed to liaise between industry and government.

HSCC’s primary mission is “to identify cyber and physical risks to the security and resiliency of the sector, develop guidance for mitigating those risks, and work with government to facilitate threat preparedness and incident response.”

The HSCC Cybersecurity Working Group (CWG), which is made up of 409 organizational industry members, works toward this mission by identifying strategic solutions to today’s top cybersecurity threats and vulnerabilities impacting the sector, Garcia explained during his presentation.

The HSCC CWG also works closely with the US Food and Drug Administration (FDA), the HHS Office of the Chief Information Officer (OCIO), and the HHS Administration for Strategic Preparedness and Response.

“There is energy and motivation behind this shared challenge that we have, called cybersecurity,” Garcia noted. “That shared challenge is based on the organizational principle that patient safety requires cyber safety. We're all in this for the patient—that's what healthcare is about.”

This sentiment is shared by industry experts and lawmakers alike. For example, Senator Mark R. Warner (D-VA) issued a policy options paper in November 2022 entitled “Cybersecurity is Patient Safety.” The paper discussed the multitude of challenges that the sector faces on a daily basis, such as ransomware, the prevalence of legacy medical devices, and healthcare cybersecurity leadership gaps within the federal government.

“Our healthcare sector really is an interconnected ecosystem. We really cannot address cybersecurity issues in one sub sector like direct patient care or medical technology—we have to address it as a coherent whole because we are interconnected and therefore we are interdependent,” Garcia continued.

“The Health Sector Coordinating Council needs to be representing all of these sub-sectors and taking from them their key challenges, risks, and threats, and trying to make sense of it.”

Bridging the Gap With Free Resources

In 2015, Congress directed HHS to establish the Health Care Industry Cybersecurity Task Force to investigate why the healthcare industry was getting hit hard with data breaches and cyberattacks. In 2017, the task group released a report that put the state of the industry into healthcare terms: “healthcare cybersecurity is in critical condition,” the report stated.

The report cited a lack of security talent, the prevalence of legacy equipment, a known vulnerabilities epidemic, and over-connectivity as key challenges that must be addressed across the sector.

The Task Force has since disbanded, but Garcia cited the report as HSCC’s “compass” for improving security in those key focus areas.

“We want to say that we are in stable condition by 2029. All of these free resources are part of that strategy,” Garcia stated, pointing to a list of resources ranging from model contract language for the medical technology space to supply chain risk management best practice documents and a NIST Cyber Framework Implementation Guide.

These guidance documents and other free resources can help organizations of all sizes improve their security postures with little buy-in.

“But a document is a document, and a document can become shelfware,” Garcia acknowledged. “And sometimes our biggest challenge is in getting the awareness having a good outreach strategy.”

To improve awareness across the sector, the HSCC released a free eight-part video series entitled “Cybersecurity for the Clinician,” which summit audience members got a sneak peek into at the event.  The video series provides organizations with quick, digestible, and accessible training and awareness information that can be built into any organization’s security training programs.

“We know that healthcare institutions, particularly the small hospitals and rural critical access hospitals, have other things to worry about than cybersecurity,” said during his presentation.  

“And we recognize that there are some very difficult decisions to be made when you’re running these organizations. But we just don’t want our healthcare stakeholders to lose sight of the fact that patient safety requires cyber safety.”

As cyber threats continue to negatively impact healthcare organizations across the world, it is crucial that the sector works together to raise awareness and implement security best practices.

To learn more about Xtelligent Healthcare Media virtual summits, visit our event page.

Next Steps

Dig Deeper on Cybersecurity strategies