healthsystemCIO.com

Live @ Vive Q&A with Greg Garcia, Executive Director, Cyber Security, Health Sector Coordinating Council: Guidance Moving Towards Simplicity, Clarity

03.02.2024 - By Anthony Guerra


Healthcare is complicated. So it’s not surprising that healthcare cybersecurity is just as complex. But what shouldn’t be complicated is the guidance health systems are given to deal with threats. In the past, a number of well-meaning entities – from government to private to hybrids of the two – have put out roadmaps, frameworks and other tip sheets that left all but the most sophisticated shops shaking their heads, wondering where true north lay. But things are changing, according to Greg Garcia, Executive Director, Cyber Security, Health Sector Coordinating Council, who says that his organization (which just released its Health Industry Cybersecurity Strategic Plan – 2024-29) is focused on helping to bring a signal through the noise, starting with deep coordination between HICP, the nascent HPH-CPGs and foundational cyber frameworks like those from NIST. In this Live @ Vive interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Garcia covers these issues and much more.

 

Bold Statements

Cybersecurity has to be a habit. It has to be a habit among the users, the clinicians, the people who are sitting in front of their computer and their IT systems, and has to be a habit for the product security people, for the manufacturers of medical technology who know that we need to simplify this, because security by obscurity doesn’t work.

We all have the same objective, but if we have competing ways to reach that objective, we’re not moving the ball forward. This is going to be a challenge long after I leave the workforce.

 … this is one of the major goals in the cybersecurity strategic plan, that basically technology being used in the clinical environment must be secure by design and secure by default, and that must be demanded by the customers, and it must be provided by the manufacturers and third-party service providers

Anthony: Welcome to healthsystemCIO’s Live at ViVE Interview with Greg Garcia, Executive Director for Cybersecurity with the Health Sector Coordinating Council. Greg, thanks for joining me.

Greg: Thanks, Anthony. Glad to be with you.

Anthony: Very good. Big news for you guys at the show. You’re releasing your strategic plan. Why don’t you just tell me briefly about the Health Sector Coordinating Council.

Greg: You bet. So the Sector Coordinating Council, the Cybersecurity Working Group, is an advisory council to the government and to ourselves in the industry, working together to identify and mitigate cybersecurity threats to the healthcare system. We’ve got about 425 organizational members, including government from across the spectrum. We’ve got the health providers, the medical tech companies, pharmaceuticals, plans and payers, health IT. So we’re looking at all of those crosscutting cybersecurity issues that affect the sector and, in particular, patient safety.

The Health Industry Cybersecurity Strategic Plan that we released on February 27 is intended to first look over the next 5 years and see what are the major healthcare industry trends, not cybersecurity, just what are the industry trends in technology and operations and regulation, business developments, and then what are the cybersecurity challenges that those trends present and then what do we need to do as an industry to get better, to get well.

It is a wellness plan for cybersecurity and, back in 2017, there was an HHS task force that diagnosed healthcare cybersecurity to be in critical condition because of all the connectivity and all of the evolving threats. We want to use this Health Industry Cybersecurity Strategic Plan to get us to upgrade to stable condition by 2029. It is a 5-year strategic plan. That is what this is about. It is scalable, up and down, regarding the size and financial capabilities in the health sector and it applies to any and all of the major subsectors.

Anthony: Very good.
