Beyond Change Healthcare: How Health-ISAC Serves the Healthcare Sector

Our response during the Change Healthcare incident is an excellent case study in how Health-ISAC serves the global healthcare sector, but it does not capture the totality of the services we offer or the lengths we go to in order to be as accessible as possible.

Making Membership Accessible

Health-ISAC understands that much of the value it provides to the healthcare community is contingent on the ability of healthcare entities to become members. As such, Health-ISAC has developed an approachable membership fee structure with annual fees starting as low as $1,200 per year – under $4 a day – to provide services to the widest possible audience while also providing value to the entire global sector. The fee structure enables organizations with more resources to subsidize those with less, a reality of which they are keenly aware and which they support.

Such organizations get tremendous value from the services Health-ISAC provides while also helping to shore up the security and resilience of the entire ecosystem. With the healthcare sector so interconnected and dependent upon myriad Small and Medium-sized Business suppliers and third parties, encouraging those small companies to join and participate with Health-ISAC is good for everyone by lowering risks, improving security and increasing the resilience of the entire sector.

Tailored Services for Small and Medium-sized Businesses

Recognizing that a one-size-fits-all approach isn’t effective, Health-ISAC strives to create resources specifically tailored to subgroups of members. As an example, Health-ISAC recently created a new Trailblazer Special Interest Group (T-SIG) program exclusively for Members of Small and Medium-sized Businesses in the health sector. The program has three key components:

  • a moderated secure-chat forum that has over 400 members collaborating daily, with mentoring by volunteers from larger healthcare organizations
  • a Member portal group, and
  • a monthly T-SIG webinar series -- some recent examples include:

1) How to use the newly released OCR SRA 4.0 FREE assessment tool

2) HHS Cybersecurity Performance Goals (CPGs) can enhance YOUR cybersecurity

3) HICP Cybersecurity Practice #1: Email Protection Systems

4) Free email Protection Tools & Resources at the Global Cyber Alliance (GCA) Cybersecurity Toolkit for Small Business

Working Groups

Health-ISAC's Member community comes together through committees, working groups, and councils to lead discussions and drive solutions for the industry. Work products include writing white papers, creating resource libraries and templates, presenting at events, and networking to share best practices.

Health-ISAC Committees and Working Groups published six whitepapers in 2023 to connect Members and other Health organizations to actionable best security practices. The whitepapers are made available to anyone via our public website and include the following topics:

  • Remote Identity Proofing – A Health-ISAC Guide for CISOs
  • Improving Medical Device Security by Moving from Shared to Defined Responsibility
  • Risk Based Approach to Vulnerability Prioritization
  • Biometrics & Healthcare, A Cure-all for Identity Woes?
  • Information Sharing Best Practices
  • Coordinated Healthcare Incident Response Plan

Some examples of Health-ISAC working groups and committees include:

  • Business Resilience Committee
  • Cyber Threat Intelligence Program Development Working Group
  • Cybersecurity Analytics Working Group
  • Cybersecurity Awareness and Training Working Group
  • Diversity and Inclusion Working Group
  • European Council
  • Identity and Access Management Working Group
  • Identity Committee
  • Incident Response Working Group
  • Information Protection Working Group
  • Information Security Risk Management Working Group
  • IT Mergers, Acquisitions, Integration, and Divestitures Working Group
  • Medical Device Security Council
  • Pharma and Healthcare Insider Threat Working Group
  • Provider Working Group
  • Purple Team Working Group
  • Regional Tensions Working Group
  • Security Architecture Working Group
  • Security Engineering Working Group
  • Social and Political Risks to Healthcare Working Group
  • Software Security Working Group
  • Third Party Risk Governance Working Group
  • Threat Intelligence Committee

Highlight on Medical Device Security

Health-ISAC is the only organization that brings together Medical Device Manufacturers and Health Delivery Organizations to support the security of Medical Devices within Healthcare. The collaboration is done through the Medical Device Security Council (MDSC) with over 400 individual participants from 150+ organizations.

Key Medical Device Security Council Accomplishments in 2023:

  • Established the Health-ISAC Software Bill of Materials (SBOM) Repository to improve software component transparency and reduce time to patch vulnerabilities.
  • Shared over a dozen medical device public advisories.
  • Moderated two FDA Town Halls at Health-ISAC Summits
  • Published Shared Responsibility whitepaper.
  • Published Medical Device Customer Vulnerability Scanning whitepaper.
  • Demonstrated an overview of Daggerboard at the 2023 Spring Summit, an open-source vulnerability scanning tool developed by the New York Presbyterian infosec team that ingests SBOM files and outputs results in a human-readable format.
  • Hosted four medical device roundtables at two Health-ISAC Summits.
  • Performed community outreach through speaking engagements and podcasts.
  • Signed a Memorandum of Understanding (MOU) with the Food and Drug Administration (FDA)’s Center for Devices and Radiological Health (CDRH)
  • Participate extensively on various Health Sector Coordinating Council working groups to influence strategy and best practice papers concerning medical device security.
  • Expanded the membership of the MDSC globally with a new chapter established in the EU to accommodate European members. In 2024, Health-ISAC will also add a chapter for members based in Australia.

Events

Health-ISAC Global Summits - Health security subject matter experts gathered to share and learn from each other across the globe to strengthen the health sector. 2023 welcomed the inaugural APAC Summit in Singapore. Health-ISAC Summits are ‘must attend’ events full of informative sessions often led by Members and provide numerous networking opportunities. Health-ISAC hosts four summits every year – two in the Americas, one in Europe and one in APAC. Some of the highlights from 2023 include:

  • APAC Summit: Singapore, Representing 4 continents, 75 attendees from 8 countries engaged in person at Health-ISAC’s inaugural Asian Pacific Summit.
  • Spring Americas: Strike Back! Tampa, FL - A total of 613 attendees representing 9 countries, 37 states, and 210 companies connected in the Spring. 80 people attended virtually.
  • European Summit: Gateway to Security, Dubrovnik, Croatia - Health-ISAC’s third European Summit commenced in Dubrovnik, Croatia. 102 people attended in person, representing 18 countries.
  • Fall Americas: S’More Sharing with Health-ISAC, San Antonio, TX - 622 attendees represented 137 organizations from across the globe. Of those, 49 were virtual attendees, and 295 were first-time attendees.

Workshops -- Health-ISAC facilitated 21 regional workshops around the world. Many of the workshops take place in urban and rural regions to make them accessible to as many organizations as possible. These exercises give members an opportunity to collaborate with their peers and a wide array of experts who contribute their insights on how to respond to incidents quickly, effectively, and with a focus on resilience, while building long-lasting relationships with key partners and public sector cyber incident responders. Some examples of the workshop topics include:

  • Life Sciences, Biotechnology, Biopharma
  • Cyber Threat Landscape
  • Incident Response and Information Sharing
  • Legal & Regulatory Cybersecurity Issues
  • Third-Party Risk Management
  • Supply Chain, IT, and OT Security
  • Artificial Intelligence/Machine Learning

Exercises – Health-ISAC members participated in seven preparedness and resiliency exercises with scenarios that focused on the world’s geopolitical and economic climate and resulted in threat actors targeting the Health Sector. Just some of the Health-ISAC Exercise highlights include:

  • Health-ISAC conducted its fourth annual Americas Hobby Exercise in Washington, DC.
  • The first annual Health-ISAC European Hobby Exercise was held in Dublin, Ireland.
  • Custom Table Top Exercises created for the benefit of Health-ISAC Members to test their internal incident response processes.
  • Four internal drills to test and improve staff preparedness and resiliency using scenarios designed to impact daily operations.

Training

  • Two-day Leadership Development course presented and sponsored by Cisco Secure at both the Spring and Fall Americas Summits, where a total of 16 rising CISOs learned valuable skills. The training was made possible by a sponsorship from Cisco.
  • CTI Analyst Training at the Fall Americas Summit, where Analysts from ten Member organizations increased their knowledge, skills, and abilities. Over 45 Members applied for the training. Thanks to a sponsorship from Cyware, 10 Members were selected from a pool of 45 applicants to receive a complimentary, all-expenses-paid professional development opportunity.

For more information about Health-ISAC, including to find out how to join as a member, please visit www.h-isac.org
