HSCC Issues Five-Year Health Industry Cybersecurity Strategic Plan

February 27, 2024 - The Healthcare and Public Health (HPH) Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) announced the publication of its “Health Industry Cybersecurity Strategic Plan” (HIC-SCP) at the ViVE 2024 conference.

HSCC described the five-year plan as a call to action for health sector entities to prioritize the implementation of foundational cybersecurity practices that will mitigate the existing and emerging cyber risks in the sector.

 “The Health Industry Cybersecurity Strategic Plan recognizes that cybersecurity for the health sector is a shared responsibility among all HPH stakeholders, including medical device manufacturers, pharmaceuticals, healthcare delivery organizations, health plans and payors, and government policymakers,” Erik Decker, HSCC CWG chairman and CISO for Intermountain Health, stated in the announcement.

The HIC-SCP aims to improve the diagnosis of healthcare cybersecurity from “critical” to “stable” condition by 2029. The “critical” diagnosis was given to healthcare in 2017, when a joint HHS-health sector task force released a detailed report on the precarious status of healthcare cybersecurity at the time.

Building off of that report and its recommendations for improving the sector’s security posture, the HIC-SCP aims to provide C-suite executives and security leaders with actionable and measurable risk reduction activities based on current and projected industry trends.

“The HSCC CWG, our government, and health sector partners are united in our call to action to coalesce around the principle that cyber safety is patient safety and make the appropriate investments in the people, processes, technology, and partnerships to strengthen the sector against – and weaken the effectiveness of – cyber threats,” the HIC-SCP states.

“In 2017, cyber threats and attacks reached a critical point in their impact on the health sector, and five years later the impact is greater than ever.”

The HSCC CWG began its work on this strategy by identifying industry trends that will likely continue to be focus areas in the next five years. These trends included the adoption of emerging technologies, ongoing workforce and talent management challenges, and global instability and climate change impacting the healthcare supply chain. All of these trends are likely to have long-lasting impacts on healthcare cybersecurity, and addressing them proactively can help the sector build resilience.

The HIC-SCP document breaks down each industry trend, its target future state, and how each trend maps to a specific, sector-wide cybersecurity goal.

For the industry as a whole, the working group foresees a future state in which secure design and implementation is a shared responsibility, leaders embrace accountability for cybersecurity as an enterprise risk, and a “cyber safety net” exists to support under-resourced organizations across the sector.

Healthcare security leaders can use this publication to make informed decisions about investments and the implementation of strategic cybersecurity actions. HSCC and its government partners plan to facilitate sector-wide achievement of this plan via workshops, exercises, webinars, and conferences, as well as policy incentives.

The HSCC CWG said it plans to develop and release a set of measurable outcomes and metrics for success by the end of 2024.

“Our number one goal in publishing the HIC-SP today is to improve and protect patient safety,” said Chris Tyberg, HSCC CWG vice chair and CISO for Abbott. “We are calling on all health industry stakeholders to join us in this imperative for the benefit of patients and the overall health of the sector.”