
Using risk mapping to improve healthcare cybersecurity
The Health Sector Coordinating Council is spearheading a risk mapping initiative aimed at identifying risk chokepoints and enhancing healthcare cybersecurity.
Healthcare cybersecurity remains a challenge for healthcare leaders, as data breaches and ransomware attacks continue to trouble the sector.
The Change Healthcare cyberattack and other notable cyber events in recent years have exposed pressure points in the health IT ecosystem, leading experts to push healthcare stakeholders and policymakers to address the systemic risks that persist across the sector.
The Health Sector Coordinating Council (HSCC) cybersecurity working group (CWG) is aiming to track critical dependencies and identify vulnerabilities through a new risk mapping effort, which the HSCC CWG's Executive Director Greg Garcia announced at HIMSS25 in Las Vegas in February.
HSCC's risk mapping efforts represent a proactive approach to healthcare cybersecurity that consists of identifying and planning for risk rather than just responding to it. Given the complexity and interdependencies of any healthcare ecosystem, these efforts could help healthcare organizations truly understand their weak points and address them in a timely manner.
HSCC is taking a phased approach. Phase one produces a series of maps that depict end-to-end healthcare workflows, such as e-prescribing and prior authorization, claims and payment, blood supply, laboratories and diagnostic radiology, together with the services each step depends on; the maps are templates, so each organization fills in which vendors actually provide those services to it. Phase two develops a risk measurement methodology for assigning risk to each function and service, using factors such as redundancy, vendor concentration and where a provider is headquartered. Phase three addresses managing that risk, with an emphasis on resilience and business continuity when a critical service goes dark.
Ideally, these efforts will help healthcare organizations better understand the vulnerabilities that expose their systems to data breaches and cyberattacks. With this information, healthcare cybersecurity leaders will be able to tackle these risks proactively, sharpen their risk management strategies and improve cyber resilience in an age of increased threats.
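The interview below makes two points that are easy to state and easy to get wrong in practice: a vendor you do not contract with can still take you down through a vendor you do use (the "one-hop" Change Healthcare case), and a fallback only counts as redundancy if it does not itself depend on the vendor that failed. The following Python is an added illustration of how a filled-in map template can be checked for exactly those conditions. It is not HSCC's template, methodology or code; the workflow steps, vendor names and fallback lists are constructed sample data for a single e-prescribing map, and the simple risk ranking (count of steps that go dark with no independent fallback) is an assumption of this example, not the phase-two methodology the council is still developing.

```python
"""Check a filled-in sector map for transitive (fourth-party) dependencies
and concentration risk.  Added example; all names below are hypothetical."""

# --- Constructed sample data for one workflow map (e-prescribing) ---------
# Each workflow step and the vendor the organization uses for it.
WORKFLOW_STEPS = {
    "prior_authorization": "ClearinghouseA",
    "rx_transmission": "EPrescribeCo",
    "eligibility_check": "EligibilityVendor",
    "claims_submission": "ClearinghouseA",
}

# Each vendor's own upstream service providers (the "fourth parties").
# The organization never contracts with ClearinghouseA for rx_transmission,
# but EPrescribeCo does, so an outage at ClearinghouseA still reaches it.
UPSTREAM = {
    "EPrescribeCo": ["ClearinghouseA"],
    "EligibilityVendor": ["ClearinghouseA"],
    "EligibilityVendor2": ["ClearinghouseA"],  # a fallback that is NOT independent
    "ClearinghouseA": [],
    "ClearinghouseB": [],
}

# Alternate vendors or manual processes each step could be switched to.
FALLBACKS = {
    "claims_submission": ["ClearinghouseB"],
    "rx_transmission": ["FaxRxFallback"],      # manual process, no upstream deps
    "eligibility_check": ["EligibilityVendor2"],
}


def transitive_upstream(vendor, upstream):
    """All vendors `vendor` depends on, any number of hops away (cycle-safe)."""
    seen, stack = set(), [vendor]
    while stack:
        current = stack.pop()
        for dep in upstream.get(current, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def depends_on(vendor, failed, upstream):
    """True if `vendor` is `failed` or reaches `failed` through its supply chain."""
    return vendor == failed or failed in transitive_upstream(vendor, upstream)


def impacted_steps(failed, steps, upstream):
    """Workflow steps degraded if `failed` goes dark, directly or via a vendor's vendor."""
    return {step for step, vendor in steps.items() if depends_on(vendor, failed, upstream)}


def unmitigated_steps(failed, steps, upstream, fallbacks):
    """Impacted steps whose every fallback is itself downstream of `failed`."""
    result = set()
    for step in impacted_steps(failed, steps, upstream):
        independent = [alt for alt in fallbacks.get(step, [])
                       if not depends_on(alt, failed, upstream)]
        if not independent:
            result.add(step)
    return result


def concentration_report(steps, upstream, fallbacks):
    """Rank every vendor on the map by (steps with no usable fallback, steps impacted).

    The vendor set includes upstream providers the organization never named
    in WORKFLOW_STEPS, which is the whole point of walking the map.
    """
    vendors = set(steps.values())
    for vendor in list(vendors):
        vendors |= transitive_upstream(vendor, upstream)
    scored = {
        vendor: (len(impacted_steps(vendor, steps, upstream)),
                 len(unmitigated_steps(vendor, steps, upstream, fallbacks)))
        for vendor in vendors
    }
    return sorted(scored.items(), key=lambda kv: (-kv[1][1], -kv[1][0], kv[0]))


if __name__ == "__main__":
    for vendor, (impacted, unmitigated) in concentration_report(
            WORKFLOW_STEPS, UPSTREAM, FALLBACKS):
        print(f"{vendor:20s} impacts {impacted} step(s), "
              f"{unmitigated} with no independent fallback")
```

Run against the sample data, ClearinghouseA tops the report: it is named on only two of the four steps, yet all four go dark when it does, and two of them (prior authorization, and eligibility, whose only fallback also routes through ClearinghouseA) have no independent fallback. The structure maps onto the phases described in the interview: the dictionaries are the filled-in template, the scoring is a stand-in for a risk measurement methodology, and the fallback lists are where the resilience and continuity planning shows up.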
Kelsey Waddill: Hello, you're listening to Healthcare Strategies: Industry Perspectives coming to you from HIMSS 2025 in Las Vegas. I'm Kelsey Waddill, a podcast producer at Informa TechTarget, and today I have the pleasure of chatting with Greg Garcia, executive director from the Health Sector Coordinating Council Cybersecurity Working Group. We'll be discussing the HSCC's work in making risk management more accessible to healthcare stakeholders through risk mapping.
Without further ado, here we go. Greg, just to start us off here, risk mapping is something that a lot of organizations might be familiar with. It's a smart way to get a lay of the land on the challenges that a company might come up against and to visualize them in a two-dimensional matrix that can provide a lot of clarity in risk management conversations. As a result, many types of industries and companies rely on risk mapping. But the U.S. healthcare system is its own beast and it has all of its own complexities. And so, to kick us off, I just was wondering if you could share a bit about the benefits of risk mapping in the healthcare sector specifically, as well as just the unique challenges that this industry faces in such efforts.
Greg Garcia: First off, Kelsey, congratulations on getting through that long name of my organization without a hitch. It was perfect. Nobody can do that. No one has done it before.
Waddill: Wow, I feel very accomplished.
Garcia: Just kidding. But yes, the Health Sector Coordinating Council Cybersecurity Working Group. So, the risk mapping, I think you teed it up well, Kelsey. It's really about systemic risk management. Anybody needs to know -- What are they buying? Does it work, and does it work well? Is it secure? Are there other sources of supply for this? What really instigated this whole thing was, of course, the Change Healthcare attack, which had a cascading impact across the healthcare system, affecting one-third of the nation's patients. It put an exclamation point for us on the level of dependency we have on critical functions and utilities, critical services that make the healthcare system work. In this case, Change Healthcare is essential for providing prior authorization, for transmitting prescriptions to pharmacies, and for reimbursing the providers for that service. That was cut off, and so it really motivated us to try to understand what are the other Change Healthcare-like critical services and utilities that we take for granted.
Nobody even really knew what Change Healthcare was until it went dark. When you think about the healthcare system as widely distributed and fragmented as it is, when you think of all the interdependencies of the healthcare system, you have the health providers and then you have the payers. You have the health IT companies that are transmitting our personal health data. You have the pharmaceutical companies and you have the medical technology companies, and not to mention public health and government. And all of these are interacting and they're all interconnected and interdependent. Stitching all of those healthcare functions and healthcare subsectors together are thousands of IT and communications and software services and technology and functions that, because they are connected, are vulnerable.
Just by default, if you're connected, you are, in almost all cases, vulnerable to some kind of cyber exploitation. The benefits of risk mapping are for us to just depict it. Put it down on paper. It's almost like Tinkertoys if you remember the wooden sticks going into puck-shaped wooden shapes and blocks to try to put together a structure of connections. That's what it's like mapping the healthcare sector, that you have all kinds of IT services, you have entities like payers and providers, and they all depend on some function to get their work done. For good supply chain risk management, third-party risk management, we need to know -- Who are those players and what are their vulnerabilities? What are the risks that they could go dark on us?
Waddill: Thank you. Yeah, I love that Tinkertoy analogy. That gave me a throwback. I loved playing with those when I was a kid, so that's a very helpful visual. And so, I understand that the Health Sector Coordinating Council is conducting a sector risk mapping initiative. Can you tell us about what is the scope of that initiative and what are its goals?
Garcia: Yes. The Health Sector Coordinating Council, the Cyber Working Group, is organized into a whole range of task groups that focus on specific cybersecurity functions, whether it's medical device security or hospital best practices or incident response. A number of things, a number of ways that we're helping the stakeholders, the owners and operators to improve their cybersecurity posture.
The task group that we set up for this is called SMART -- the sector mapping and risk template. It's going to do exactly what the title says. First, phase one is to develop a series of maps that will depict, as I said, the workflow from beginning to end starting with me, the patient. I go into the doctor and the doctor gives me a prescription, and then that prescription has to go through a prior authorization to make sure that prescription isn't being abused and it's appropriate for my needs. And then prior authorization goes to the payer. The payer has to go through some analysis. All of these steps along the way we need to map, and that's what the sector mapping, the SMART process, is about. So, what we can do at the end of the day is to be able to provide these maps, mostly to the hospital systems and to the labs and to the payers for them to match up those maps with how they are doing business.
You think of blood supply and distribution, you think of claims and payments. We're going to have a map on diagnostic radiology, on home health. What about laboratories? My blood work goes into a laboratory. What has to happen for the results to come back in a way that's accurate and it's paid for? Pharmaceutical supply and medical devices, manufacturing and distribution, retail pharmacy. There's a number of these maps, and we picked out some of the major healthcare functions that involve the patient, that involve the technology, and that involve payment. That's really the effort in phase one: to provide the maps.
For each one of those connecting lines and arrows that go between a payer or a technology or a provider, we're not naming what those companies are, who's providing those services. That's up to the individual. That's up to the hospital that's looking at this map. That's up to the pharmaceutical company that's looking at this map. They have to fill in the blanks. That's why it's called the template.
And from that, then we get to phase two, and then we will develop a risk measurement methodology and strategy. How do we assign risk to a given function, a given service? Based on what? Redundancy? Does the provider of this service have an 80% market share? Okay, that's concentration risk. There's low redundancy there. What about if a particular service or technology is located, headquartered in a foreign country? And perhaps a foreign country that maybe is not friendly to the United States or might be politically unstable, any number of things. That's not a good risk, either. We're going to give them the template. We're going to develop a risk measurement methodology.
And then phase three would be how do we then manage that? How do we manage that risk? Not necessarily to prevent things from happening, because there's so much that's out of our control, but how do we manage for resilience? It's not if but when something is going to happen, so what do we do when the lights go out? What kinds of backups do we have? What kind of cash is on hand? What kinds of redundancies do we have in place? That is the project described to you in all three phases, which probably would not conclude until sometime perhaps the middle of next year.
Waddill: Wow. Okay. Man, that sounds like an ambitious timeline. That's a lot. That's a lot.
Garcia: We have a lot of people working on it. There are 450 organizations in this Cyber Working Group, and 1,000 people. There is a sense of urgency and a lot of energy and resources being put into it.
Waddill: Yeah, definitely. I think after the Change Healthcare cyberattack, it is the urgency that we all should have really had all along, but it really escalated for a lot of organizations.
Garcia: That's right. Yeah, you got that right.
Waddill: I was just curious, when you come to a conference like HIMSS '25, as we are right now, how do healthcare organizations typically respond to the idea of risk mapping? Are a lot of them already doing this? Are there any challenges that they express to you that might be holding them back from leveraging this tool? Or are they less interested? Just curious what the overall response has been.
Garcia: It's a multifaceted answer. One is, certainly, it strikes fear in the hearts of everybody, and they know that it has to be done. When I say fear, it means that, in many cases, you're not going to like what you find. You're not going to like it because you will see that you have dependencies for which there is little backup. And whatever backup or compensating controls, mitigating factors you design in will be very expensive.
I gave the presentation yesterday at the cybersecurity forum at HIMSS on this very topic. There were 400 people in the room, and I didn't see many people looking down at their phones while I was talking, which means that they were focused on this imperative. I say imperative because people recognize that. What is the strategy? How do we do this most effectively, most cost-effectively? How do we prepare for when the worst happens?
Other reactions are, "We're already doing this." Any organization doing their due diligence has to do some level of supply chain, third-party risk management. Let me emphasize it's not just third-party. There are all kinds of critical functions and services that happen on premises within your enterprise. But those can go dark on you, too. There is an understanding that we all have to do this to some extent. In fact, by regulation in very high-level companies, hospitals are expected to be aware of their third parties and third-party risk.
What we're trying to do and what some reactions are is, this is going to be good because it's not every organization for themselves now. We are doing this as a way to find the best way to do it. We're going to try to... standardize is the wrong word, but make it more uniform and coherent, so a common reference for organizations to be able to match these map templates to their specific enterprise sourcing and supply chain business operations. That's really, I think, the value here for the sector is that even as widely distributed and fragmented as we are, we can still have common ways that we can identify risk, measure the risk, and then manage it.
Waddill: Yeah, that makes a lot of sense. I feel like there's a lot more power behind a uniform approach if everybody's doing similar things to try to approach this problem. Even if they have different weak points, they can support each other better, too. There's more of a sense of maybe camaraderie in it even, I would imagine.
Garcia: Yeah, no, that's good insight. That's correct.
Waddill: Do you have any concrete examples, or can you share how risk mapping has helped avert or reduce a cybersecurity threat? Or alternatively, can you walk us through how the HSCC sector risk mapping initiative might have helped avert a situation like the Change Healthcare cyberattack? Understanding that, of course, that's already happened and we don't have a crystal ball into what could have been, but...
Garcia: Yeah, I can give you one concrete example, and it was really after the fact. One of our hospital systems, after Change Healthcare, they didn't use Change Healthcare in the provision of service. Oh, good, they're off the hook. No, because the service that they did use, in turn, used Change Healthcare. It was a one-hop degradation of service, so the mapping process probably should not stop at the first level of service. Then, you want to know who is providing service to your service provider, right? That gets down to fourth-party, right? Fourth-party risk. Third-party is the person, the organization supplying you the service. The fourth party is the service providing service to your service provider. The mapping process enables the stakeholder, the owner and operator to dig that deep if they can. In some cases, smaller organizations, smaller health providers, they're not going to have the capability to do that. But nevertheless, the template is there.
That's just one example, and I think what it will give us is just insight that resiliency against cyberattacks is going to require some operational redundancies. Secondly, we can't have full visibility across all of the service providers, but we can get better. We can get better at it. Another insight from this is going to be that while we are seeing more movement to the cloud, the cloud is good in the sense that you're providing centralized strength and security from the cloud provider. But that's also creating a level of concentration risk, a single point of failure. By mapping it all out, you get insight into these dynamics, into the vulnerabilities, and it just enables us to prioritize. Based on cost and risk, what are those critical services first, the highest priority critical services that actually touch the patient that are critical for patient care? Then you're concerned about liquidity. What are those critical services which, if disrupted, you're not going to get paid? Then you have a liquidity problem and hospitals go out of business.
Those are concrete theoretical examples that we have that we have to solve for. But since the maps aren't done yet and we haven't distributed them out to the stakeholders, we don't yet have feedback on how it works. But that's going to be built into the process: how did this map work and how can we improve it?
Waddill: That's excellent. I mean, I can imagine, from a hospital standpoint, that is an overwhelming task to think not only about third parties but also about all of the service providers to the third parties potentially. It's a great resource to have something like this, I'd imagine, that helps prevent overwhelm from becoming paralysis and allows organizations to prioritize quickly and well as they try to navigate this sometimes very scary landscape. You said 2026 is when we should be on the lookout for this?
Garcia: Phase one should be done fairly soon. I'm hoping late spring or earlier, I'm not sure. But how much the general public will see of this remains to be seen. These maps, I'm sure you can use your imagination, can be a perfect roadmap for disruption by the adversaries. This is not something that you want in the public domain. There needs to be a controlled release to those who have need-to-know, need-to-use, as they are critical infrastructure entities. We need to protect that for the sake of the security of the healthcare infrastructure. But those maps will be made available sometime soon in a controlled way.
And then phase two, I would hope by the end of the year, would then address the risk measurement, risk assessment. Okay, here's the map. There's all those lines and boxes and they're all connected. Which one of these lines or boxes is the most important or if disrupted would cause more harm than any of the other functions? That's a harder thing to do to develop a risk measurement methodology, but we're going to take a stab at it.
And then once you get that risk measurement methodology down, now you've got a pretty good picture here. You've got the workflow process, you have priority risk assignment to all the steps in that workflow, and now you can decide where you put your investments. What risk are you going to accept, and what risk is unacceptable? And then how do you put funding on that? How do you put people on that? Where do you outsource support?
Where does the government come in on this? This is one of the key takeaways too that we need to understand is that the government... We are the owners and operators in industry, but the government has a role as well. And so this will have policy implications. We are working with the government on this, and so it raises the question as to what are systemically important entities? Okay, there's a provision of law from an executive order that directs federal agencies responsible for any given critical infrastructure, whether it's financial services or electricity or, in our case, healthcare. What are those key companies, services and utilities that are systemically so important that if they were disrupted, could cause cascading impacts on public health and safety, economic security or national security? And then given that, what responsibility does the government have for trying to establish a floor of accountability and responsibility for maintaining those systemically important services?
That then will fall to the government. I assume some of this they will make classified, but we will help inform that process. Not for regulatory purposes so much, but just for each entity to get a better handle on where their risk is and know how to... In many cases, you're not going to be able to manage that risk. You're not going to be able to manage your third party. You're not going to be able to manage your fourth party. But what you can do is try to set yourself up for better resiliency and operational continuity and break it down to the most essential functions that have to be performed in order to get back online.
That's where the phase three risk management methodology comes into play. That might be a misnomer. It's not so much about risk management but business continuity.
Waddill: Makes sense because I'm glad that you addressed the policy regulation piece because I was curious how that fit into all of this, so thank you for addressing that.
I think that's all the time that we have for today. But this was a great way to whet people's appetite for, as you said, a controlled way of seeing this information later perhaps. Thank you so much, Greg, for coming onto Healthcare Strategies and for sharing your insights. Hope to have you on again sometime. Have a great rest of your HIMSS.
Garcia: Yes, and you too. I appreciate the time.
Waddill: Listeners, thank you for joining us on Healthcare Strategies: Industry Perspectives. When you get a chance, subscribe to our channels on Spotify and Apple and leave us a review to let us know what you think of this series. More industry perspectives are on the way, so stay tuned.
This is an Informa TechTarget production.