This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Welcome to This Week Health. I'm Drex DeFord, a recovering CIO veteran of several large health systems and a longtime advisor and strategist for some of the world's largest cybersecurity companies. I'm now president of the 229 Security and Risk Community at This Week Health, and this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity and risk and the people, process, and technologies Making healthcare more secure.

On today's Unhack the Podcast, we're joined by Greg Garcia, Executive Director of the Health Sector Coordinating Council. We'll refer to it lovingly as HSCC over the course of the conversation here. He's got some breaking news coming out of Health Sector Coordinating Council, HSCC, CWG, the Cybersecurity Working Group.

And we'll talk about that in just a minute. Hey Greg, how's it going?

It's going great.

Drex, how are you? I'm good. You're on a golf course somewhere right now, right? You said you

were I'm on a golf course in North Carolina. Yes, indeed. toiling in front of the laptop instead of on the putting green.

I get it. It's the work from anywhere advantage that maybe a lot of us have today. So, there's going to be a lot more to this. I'm going to talk with you again, and we're going to talk later and much more deeply around a bunch of this stuff. Bye. Let me start by saying, or just asking, tell me a little bit about yourself and tell me a little bit about HSCC CWG.

And again, we're going to get into more of this later, but I think it's a good setup for what we're going to

talk about. Certainly so I am the Executive Director of the Health Sector Coordinating Council, the HSCC, and its Cybersecurity Working Group. been at it since 2017. I've actually my career has a long relationship with sector coordinating councils.

There are 16, 17 sector coordinating councils related to each of our critical industry sectors. So I actually served as the Executive Director of the Financial Services Council a few years ago and helped stand up the IT Sector Coordinating Council. And all along the way, I served in the U. S.

Congress on staff there and in the Department of Homeland Security as the Assistant Secretary for Cybersecurity. under President Bush and had a number of senior executive roles in the private sector in the high tech industry financial services, and now healthcare.

Amazing. Tell me a little bit about HSCC.

Yeah, well, as I started to say it is one of 16 critical industry sector coordinating councils. And so there are the term sector coordinating council is kind of generic. It refers to any of those critical sectors and that we have a an official relationship with the government. It is a public private partnership dedicated to critical infrastructure protection and specifically for us cyber security.

And the Cybersecurity Working Group consists of now about 425 organizations across the spectrum of healthcare, the providers, the medical technology companies, pharmaceuticals, plans and payers, health IT, public health, and government. And so we get together with the government. We are the joint Cybersecurity Working Group.

And we are organized into a number of task groups that are focused on developing best practices, guidance documents on specific aspects of healthcare cybersecurity, whether it's medical device security, hospital cyber best practices, workforce development, information sharing and incident response, supply chain, third party risk management.

So a number of different things, all of those. resources they are developed by our members, by the sector, for the sector, and they're all available free on our website at healthsectorcouncil. org.

Yeah, it's, there's a bookshelf full of great documents and video, and I mean, again, it's free from HSCC and again, this won't be the last time you hear about this, I'm going to talk about a lot of those documents, what they are, talk with members of the Health Sector Coordinating Council, CWG, those task forces, those folks who develop those documents and that material, so we're going to talk about that in the future, but today, I'm I guess, big news.

We're recording this a little bit earlier, but we'll play this actually next week when this happens. CWG's produced \ the Health Industry Cybersecurity Strategic Plan. When do we get to see it? Why now all of that

stuff?

Yeah good questions. We're going to see it on February 27.

It will be launched officially at the VIVE 2024 conference in Los Angeles, February 27, to kick off the day. Why now? For the past five or six years, we have been focused on addressing recommendations that came out of a 2017 HHS. Task force, the healthcare industry cybersecurity task force. it had 6 major imperatives and 105 action items.

A to do list if you will for what the healthcare industry needs to do to, Get ourselves out of critical condition, our healthcare, cybersecurity, and into something resembling stable condition. And so all of those publications, those best practices that I just told you about are really in direct response to that task force.

But that was 2017. The findings in that task force report were a snapshot in time in 2016 and 17. And we know the healthcare industry has changed a lot in those five years up to today. And we know that it is going to change still more over the next five years. And so rather than doing a snapshot in time, let's look ahead over the next five years and, identify those major industry trends.

And what are the cyber security challenges that those trends present to us? And how are we going to be prepared five years from now? You know, Things, trends like, hospital at home healthcare on demand, wearable and implantable devices. Now we hear everything about artificial intelligence and quantum computing and blockchain.

All of these, you know, and then just the basic business of healthcare, we're seeing a lot of mergers and acquisitions and consolidation, and that changes, that has an impact on on the attack surface, on our cybersecurity Vulnerabilities, cyber security threats. So that's what we need to be prepared for.

So the strategic plan, the healthcare industry Cybersecurity strategic plan is intended to give us a roadmap for meeting those industry trends over the next 5 years with cybersecurity risk management nothing really surprising but it, we need to keep the drumbeat going and this is a way of sort of refreshing our perspective on what needs to be done to, get us to stable condition.

Yeah, well, like, I think, all good strategic plans, there's goals and objectives in this you want to highlight any of those? Talk about future state? Because I know we talked about future state in the plan too.

Absolutely. So, The way we've structured it is, as, as mentioned, we have the five year health industry trends.

There are seven of those I mentioned. Some of them. And then from there we go on to the goals. Major sort of end state goals that should be in place to. address those industry trends. And from the goals, then we get the objectives and the objectives are simply a little bit more detail about how we operationalize those goals.

How do we implement and achieve those goals? And those, are the objectives. And, it's, there are 10 major goals, there are 12 objectives, and some of the objectives will address multiple goals but, things like, goal number, let's go to goal number nine in fact, At the VIVE conference, I will be interviewing Denise Anderson, the president of the Health Information Sharing and Analysis Center, the Health ISAC, to talk to her about how is the Health planning to implement goal number nine.

And goal number nine says, the health and public health sector has established and implemented Preparedness, response, and resilience strategies to enable uninterrupted access to healthcare technology and services. Basically, information sharing and incident response. And then we say what do you have to do to get that done?

How do you improve your information sharing? Increase the membership of the Health ISAC to have , as broad and deep a community. As possible, so that, the community is, if they are forewarned, they are forearmed. How do we improve information sharing and incident response with the government?

So what does the government need to do, whether it's the Department of Homeland Security, CISA, whether it's HHS? How does that early warning system evolve over the coming years? We have something called the 2029 Target Future State.

Yeah. I like to say if an alien were from another planet, landed in the United States and was told to report back, what does healthcare cybersecurity look like? And, just someone sort of dipping into the future. One of the things we say for the future state, we have six future state goals.

Right. And one of them is called the 9 1 1. Cyber civil defense which would ensure that we have early warning, instant response, and recovery. They are all reflexive, collaborative, and always on. That is, that's the future state of goal number nine, which is that we will ultimately have, whether it's a formal or not, a 911 cyber civil defense.

So we think of FEMA, you know, FEMA is, Often effective at responding to states of emergency major hurricanes, earthquakes, and that kind of thing. We don't really have that in the cyber world. It's fragmented. So the Health ISAC is certainly the primary information sharing and incident response function for the United States healthcare industry.

But it requires a much more structured You have to build

a web of these relationships, right? You ultimately have to put community together. I mean, it's part of what I'm trying to do here too, you're trying to put community together so that Chris Inglis you know, if you're going to beat, if you're going to beat one of us, you have to beat all of us, ultimately becomes the output of this, right?

Exactly. That's like Chris Inglis's comment, we said, I like to say none of us. Individually is as smart as all of us collectively and it is a shared responsibility take goal number six, for example, I'll riff on that one for a second.

I'm just reading it. Healthcare technology used inside and outside of organizational boundaries. is secure by design and secure by default while reducing the cybersecurity burden and cost on technology users. So that gets to, that gets to third party risk, whether it's a medical device, medical devices that need to be designed and developed, manufactured, tested for cybersecurity from the ground up before it goes to the customer.

The hospital system but at the same time, it does recognize that security is a shared responsibility and that the users, the technology users do have some responsibility for ensuring that something that is installed in their network, in their environment finds that balance between security and functionality.

Availability. So, that is one of the goals and there are goals that are similar to that, that there's, understood that there is truly a goal number seven, that there's an active partnership. Between the technology users and the manufacturers.

It's an ongoing conversation. So, those are a couple of the end state goals that we are going after.

some of the blame game out of this, right? We're all in this together. That's, yeah, what it boils down to. I've been lucky enough to kind of have some inside baseball on this.

The whole way. I've been part of the huge number of people who were part of putting this plan together, and it's been amazing to see. I love also how ultimately all of this. ties into the material that's already been produced and the material that's going to be produced.

Again, it's free to folks. And so, it's just, it's great insight into thinking about where we are today, giving us a target to where we need to be tomorrow and helping pave the road between here and there with the strategic plan. I appreciate it. In the end, there's a call to action. Do you want to talk about the call to

action?

The call to action is multifaceted. First we ask every organization in our membership and anyone out in the community to sign the statement of support. So the statement of support is is fairly general, but it needs to be said that. We support the evolution of healthcare cybersecurity.

So it basically says, it has four major points about the state of healthcare cybersecurity. We've made progress but we need to make more progress. And the pledge, as it were, says the undersigned embrace the principles of the health industry cybersecurity. Strategic plan to enhance our shared preparedness and resiliency on the imperative that cyber safety is patient safety.

So that is the organizing principle. That's the organizing imperative for healthcare cybersecurity is that ultimately. The patient can be harmed. Care delivery can be disrupted and has been disrupted by cyber attacks. So if you are in the healthcare industry and if you are all about the patient, then you need to sign this statement of support because cyber security Cyber safety is patient safety.

So that's, that's call to action number one, and call to action number two is then don't just sign the pledge, but implement it. Implement it. We ask all of the organizations that we are presenting this to, which of these goals do you see yourself in? Do you see your organization in? Pick one goal.

So I mentioned goal number nine Health ISAC. We'll look at that goal, and maybe others as well, but that one is about incident response information sharing. How does Health ISAC see themselves in goal number nine? And then implement it. What strategies and tactics, operational policy are you going to make over the next five years to help make that goal a reality?

So every organization has a responsibility to Consider at least one of those goals and the corresponding objectives. And if everybody does that collectively, then, that's the proverbial rising tide lifts all boats, right? So that's, that is the call to action to implement it.

And if you are a thought leader, if you are a market influencer in the healthcare industry, Promote it. Promote the strategic plan publicly. Put it into your, put it on your website. That, we place a high priority on cyber security to protect our patients, to protect our data, to protect our intellectual property, to protect our manufacturing operations.

Advertise it. Be a thought leader, be an ambassador to healthcare cybersecurity so that we have a culture of cybersecurity up and down small, medium, large organizations. Yeah. Okay.

So you'll be able to find the plan obviously on the ThisWeekHealth. com site, ThisWeekHealth. com slash security. But for everybody else, it's obviously going to be on your site.

How do they get their hands on it? through the not this week Healthway if they want to go another route.

the health sector, you go to the website healthsectorcouncil. org. It's not up on the website yet. It will be on the 27th. But and supplementing The strategic plan those now, I think, 27 publications, best practices documents that are already on the website under the publications tab, and it's all freely available.

So many of those publications actually supplement or begin to implement the strategic plan, and we obviously anticipate many more publications to come as we start. looking at, some of those goals and what are the gaps we have in terms guidance. But it will be on the website. We will be posting it on LinkedIn.

Other social media. So, hopefully it will be um, I'll stop just short of standing out on a street corner and handing it out like leaflets.

I don't know what to say. I love your passion. I mean, one of the things I love about being around is that you're really, really, passionate about this topic.

I think everybody in that group is. It's great when you do all hands and you see everyone there. It's clear everyone's leaning into this. So, thanks for doing that. I really appreciate it. Thank you. I appreciate you being on the show. Greg Garcia, Executive Director of the Health Sector Coordinating Council.

That's this episode of Unhack the Podcast. Thanks.

That's a wrap for this episode of Unhack the Podcast. I'm your host, Drex DeFord. You can learn more about the security and risk community by visiting ThisWeekHealth. com slash security. Thanks for listening. And as always, be sure to stay a little paranoid. I'll see you again soon.