BOSTON – Greg Garcia, executive director of the Healthcare and Public Health Sector Coordinating Council cybersecurity working group, asked the audience at the HIMSS Healthcare Security Forum a facetious question: "What is your problem?"

During his discussion here on Monday, Garcia made the point that information security is actually "our problem."

He explored the ways the health sector is collaborating – and falling short on collaboration – on managing cybersecurity risks.

There's been more than 4,500 data breaches affecting 315 million patient records, he pointed out, and the healthcare industry should know by now what its problems are:

• Data breaches from cyberattack have increased 350% over the past five years, according to the HHS Office of Civil Rights
• Ransomware has caused disruption in clinical operations and patient harm
• Aging medical devices are no longer supported or supportable
• Third-party service providers and vendors are vectors to healthcare attack. 
• The clinical workforce must acknowledge and become part of the cybersecurity solution

Garcia said that while many solutions will be discussed at the two-day cybersecurity conference that will focus on the tactical and operational, he wanted to talk about one larger strategic solution – collaboration. 

"Part of the solution to the problem is to understand that we have a collective responsibility," said Garcia.

Healthcare is a public service 

The government, by executive order, depends on the healthcare industry as the primary owner and operator of critical infrastructure to collectively identify and mitigate systemic threats that affect the ability to deliver critical assets and services that the public depends on.

In 2017, the U.S. Health and Human Services convened a one-year healthcare industry cybersecurity task force that produced six major imperatives, 24 recommendations and 105 action items to address the lack of security resources and vulnerabilities, according to Garcia's presentation. 

What grew out of that effort is the Health Sector Coordinating Council (HSCC), one of 16 special advisory groups identified by the government to serve critical sectors, to address problems like cyberattacks, he said.

HSCC works closely with the HHS Administration for Strategic Preparedness and Response, HHS Office of the Chief Information Officer and the Food and Drug Administration.

In the healthcare ecosystem, "every node is vulnerable to attack," Garcia said.

"Critical infrastructure is a public service. So, you're all public servants – whether you are for-profit or not-for-profit, that's what you are."

The 732-member-strong council has created a number of resources that Garcia said were freely available to the industry – and imperative.

"These need to be implemented. They are not shelfware."

Garcia said that part of collective responsibility is using the HSCC toolkits and resources to focus on recommendations and actions and to join the effort. 

"None of us individually is as smart as all of us collectively," said Garcia.

Keeping sight on the horizon

Garcia shared that a White Paper on Artificial Intelligence Applications and Cyber Risks in Healthcare will soon be released along with the Health Industry NIST Cybersecurity Framework Implementation Guide, which is a joint project with HHS.

"Now we've got a guidebook that's saying how the healthcare industry should specifically implement the NIST cyber framework," he said.

The HSCC will also release the Legacy Medical Device Cybersecurity Management Guide next month, which Garcia explained was an achievement in consensus building.

The Medical Device and Health IT Joint Security Plan, released in 2019, followed from the recommendation from the Health Care Industry Cybersecurity Task Force issued in June 2017 and called for a cross-sector strategy to strengthen cybersecurity in medical devices.

"This is well over 100 pages hammered out twice a week, an hour every meeting, for the past year and a half – discussions and negotiations between device manufacturers and [healthcare organizations] about the shared responsibility of cybersecurity for legacy medical devices," Garcia said 

He said that over his years with the Department of Homeland Security and CISA and other policy and industry organizing roles, he has seen how many sectors have organized, or not organized, themselves appropriately for this mission. 

"I have seen a surge in momentum and energy from the health sector over the past five years," Garcia said. "The first step to a solution is: recognize you have a problem. We do recognize we have this problem. It's now starting to manifest as all hands on deck. I'm seeing it, and I'm energized by it." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.