Healthcare Cybersecurity is in Critical Condition. What’s the Prescription for Health Systems?

Erik Decker from Intermountain Healthcare & Julie Chua from the U.S. Department of Health and Human Services

In recognition of the 19th annual National Cyber Security Awareness Month, The Outcomes Rocket Network has launched a 10-part podcast series to elevate Cyber Security Awareness in Healthcare on our main channel, the Outcomes Rocket Podcast. Partnering with leaders in healthcare cybersecurity in their capacity as members of the Health Sector Coordinating Council, the podcast aims to illuminate advances made in protecting critical healthcare infrastructure and patient safety, and areas that need further focus to put a stop to Cyber Crime.

What are some basic things that we should be doing to combat prevalent threats that healthcare systems are facing?

In this episode, Saul Marquez had a conversation full of valuable information with Erik Decker, Vice President and Chief Information Security Officer for Intermountain Healthcare, and Julie Chua, Director of the Governance, Risk Management, and Compliance division within the HHS Office of Information Security. Healthcare cybersecurity is in critical condition, so members of the healthcare industry and the Department of Health and Human Services (HHS) have joined forces to improve it. After different task force research efforts were made, the Health Industry Cybersecurity Practices (HICP) document was published. Erik and Julie break down what this publication is all about, the process that took place to write it, and its importance as a manual to protect patient safety with cybersecurity. In the end, cyber safety is patient safety; let us not forget that.

Tune in to this episode to learn about the Health Industry Cybersecurity Practices document that will help healthcare organizations and professionals keep their cybersecurity on point!

About Erik Decker:

Erik Decker is the Vice President and Chief Information Security Officer for Intermountain Healthcare, a multi-state integrated delivery network based in Salt Lake City, Utah. Erik has 22 years of experience in Information Technology, with 15 years focused on Information Security.

He serves as the Chairman of the Healthcare Sector Coordinating Council’s Joint Cybersecurity Working Group, which is a critical infrastructure public-private partnership organization covering more than 300 organizations and over 600 members. He also co-leads the Department of Health and Human Services (HHS) 405(d) task group focused on implementing the Cybersecurity Act of 2015, Section 405(d) legislation within the Healthcare sector. The task group’s publication, titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP), was released in December 2018.

Erik has been awarded the ISE® North America Executive: Academic/Public Sector, and the Chicago CISO of the Year. In 2018 he served as an expert witness to the House Committee on Energy and Commerce, Subcommittee on Health. Erik has a Master of Science in Information Technology from Loyola University in Chicago and a Bachelor’s degree from the University of Illinois in Champaign/Urbana in Cell and Structural Biology.

About Julie Chua:

Julie Chua is the Director of the Governance, Risk Management, and Compliance (GRC) Division within the HHS Office of Information Security (OIS), Office of the Chief Information Officer. Julie established a Department-wide cybersecurity risk management program and spearheaded the integration of cybersecurity into HHS’ Enterprise Risk Management framework. She is responsible for high-priority, high-visibility initiatives, including the implementation of Executive Order 14028, Improving the Nation’s Cybersecurity, and the establishment of the HHS High-Value Asset (HVA) Program for the identification, protection, and prioritization of HHS’ most critical high-value assets, and she oversees the HHS FedRAMP and Cloud Security Program. Julie is also the Federal Lead for the implementation of the Cybersecurity Act (CSA) of 2015, Section 405(d): Aligning Health Care Security Approaches. This public-private partnership effort has received awards for excellence and contributions to the Health IT and healthcare industry communities. This is one of many HHS cybersecurity initiatives to help push forward the cybersecurity and resiliency of the Healthcare and Public Health (HPH) Sector.

Things You’ll Learn:

  • Within the Cybersecurity Act of 2015, there is a provision called Section 405 that is all about improving cybersecurity outcomes across the industry.
  • The sub-provision 405(c) was the Health Care Industry Cybersecurity (HCIC) Task Force, which produced a report that diagnosed healthcare to be in a critical condition in terms of cybersecurity.
  • Sub-provision 405(d) was the Health Industry Cybersecurity Practices (HICP) Task Force, which created a guide with the practices that organizations can take to improve cybersecurity.
  • The HICP document consists of three parts: the main document, which acts as a call to action, and two technical volumes, one for small and one for medium and large organizations.
  • In addition to HICP, there is a toolkit called the Threat Mitigation Matrix for making a risk assessment and for training, educating, and becoming aware of what you can do to mitigate and fight the identified cyber threats.
  • The Office for Civil Rights is to consider any adoption of a recognized cybersecurity practice, like HICP, over the last 12 months during any kind of enforcement action that it might take.
