healthsystemCIO Founder and Editor-in-Chief Anthony Guerra talks with Health Sector Coordinating Council Director Greg Garcia at the Vive Conference about the structure and relationships among entities like HHS, FDA, HSCC, the Health ISAC, and 405(d); the importance of the NIST framework and how HICP, JCP and other materials released by the HSCC can help healthcare organizations map to NIST; the chances of minimum cyber requirements becoming a reality; and the importance of getting cyber risk into the overall organizational risk discussion.
Bold Statements
Five years ago, 2017, they said healthcare cybersecurity is in critical condition. I want to be able to say in 2029 that healthcare cybersecurity is in stable condition.
… implementing NIST is not binary, it’s not yes or no, right? It’s continual. It’s a phased approach. It’s a measured approach. It’s a maturity model in a way.
… cybersecurity is patient security … we have to get the point across that we can actually hurt patients if we don’t do good cybersecurity.
Guerra: Greg, thanks for joining me.
Garcia: Good to be with you this morning.
Guerra: All right, let’s start off, tell me a little bit about your organization and role. As much as I’ve tried to dig into the relationships and the different government associated entities, it can get a little daunting, unless you have a giant whiteboard.
Garcia: The Health Sector Coordinating Council is one of 16 sector coordinating councils, each associated with a critical infrastructure industry sector. So healthcare is a critical infrastructure, just like telecommunications and electricity, oil and gas, financial services and more. And we are actually designated by the government as critical infrastructure. And the government needs to work with these critical industries to collectively and collaboratively identify and mitigate systemic threats to the sectors, whether they are natural threats, like pandemics or hurricanes, or whether they are manmade threats, like terrorism or cyber-attack.
So what we have here is a public-private partnership. So we are an official partner to the government. We are totally industry organized and managed. We now have about 380 healthcare organizations from across the spectrum: health providers, medical device companies, pharmaceuticals, plans, payers, health IT. And we are all working together to think about how we get ahead of the cybersecurity threats, and we do it across the sector, and we do it with the government, understanding that market forces alone aren’t going to solve our cybersecurity problems, and regulation alone isn’t going to solve our cybersecurity problems. So we need to be working with industry and government creatively and resourcefully at trying to get ahead of the threats.
So that is primarily what we do. And we are a counterpart organization to the Health ISAC (Information Sharing and Analysis Center), they do the same thing only at a tactical, operational way. They are the firefighters, they do the blocking and tackling. The Sector Coordinating Council looks over the horizon at the strategy, the policy for how we can do this better, how we can be more secure.
Guerra: Do you have a lot of interaction with the Health ISAC?
Garcia: Yes, we do. We are a sister organization. Absolutely. They are a member of the Sector Coordinating Council. What we have in the council is this privileged relationship.