Cybersecurity continues to be a growing concern in the healthcare community. Much of the focus has been on mitigating risk and deploying the appropriate technology to prevent cyberattacks. Today, the health care industry faces significant challenges due to federal and state cybersecurity laws and regulations that can be inconsistent and establish conflicting standards of compliance. These laws work in conjunction with laws on data breach notification, data disposal, and data security, often dictating different responses than federal laws.
Additionally, complying with these laws and regulations is resource intensive and creates financial burdens for the health care ecosystem. To address these growing concerns, it is important that the industry work together on advocating for solutions to ensure that the state of healthcare cyber defense continues to improve.
What Is the Difference Between Advocacy and Lobbying?
Advocacy is an activity by an individual or group which aims to influence decisions within political, economic, and social systems and institutions. This process allows stakeholders to make their voices heard on issues that affect their lives and the lives of others at the local, state, and national level.
Lobbying involves activities that are in direct support of or opposition to specific legislation, executive orders, or an agency’s rules or regulations.
Both of these are methods of creating awareness about how a community, industry, or organization is impacted, either positively or negatively, by public policy. However, neither of these could be confused with political action, which is a direct act to influence a specific election.
Why Is Advocacy Important?
Members of Congress respond in an immediate and personal way to their constituents. Advocacy helps legislators understand how healthcare policies affect their constituents. Legislators rely on credible organizations as sources of expertise to inform them about critical cybersecurity policy issues and the ramifications of policy decisions on the communities that these members of Congress represent.
According to The CIO Guide to Advocacy: FEDERAL AGENCIES – CHIME: “A CIO’s job is to plan for the future, and to do that successfully, CIOs must ensure that government officials understand the impact that legislation and policy have on implementing health IT in healthcare organizations.” I believe participating in these activities are critical to the success of the industry.
How I Got Involved in Advocacy
As part of the Cybersecurity Act of 2015, Congress established the Health Care Industry Cybersecurity (HCIC) Task Force to address the challenges the health care industry faces when securing and protecting itself against cybersecurity incidents, whether intentional or unintentional. I was selected to serve as the Co-Chair of the HCIC Task Force. This task force was comprised of industry and government leaders. This was an extreme honor to help lead this important work.
The work of the task force resulted in the development of a detailed report to Congress. As part of this report, six key imperatives were identified to improve cybersecurity posture across the entire healthcare industry. As a member of the Task Force, I found this engagement with other federal and private sector partners beneficial to understand our common cybersecurity challenges and concerns.
Furthermore, this work led to the establishment of an ongoing public-private forum that serves to enhance cybersecurity discussions and protections as a critical component for the health care industry to increase patient safety.
The Healthcare Sector Coordinating Council (HSCC) formed a working group dedicated to finding solutions to the cybersecurity challenges in healthcare. The mission of the Joint Cybersecurity Working Group (JCWG) is to develop and disseminate sector-wide recommendations and guidance to help facilitate sector-wide mitigation, response, and resilience to cybersecurity threats. This includes identifying major cybersecurity threats and vulnerabilities to the security and resiliency of the healthcare sector, and developing cross-sector policy and strategic approaches to mitigating those risks.
How Can You Participate in Cybersecurity Advocacy Efforts?
There are several ways to participate in cybersecurity advocacy efforts. First, one can begin to understand the opportunities to comment on pending legislation that includes cybersecurity implications. Being active in your professional organizations is a great way to learn about these initiatives. Many professional organizations have a function strictly dedicated to this process and ensuring our voices are heard.
Second, you can participate with the JCWG. There are approximately 15 task groups working on solutions for cybersecurity challenges in healthcare. These task groups address issues such as medical device security, cybersecurity workforce development, cyber risk management and governance and regulation and policy.
One excellent example is the release of the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients”. This industry-led effort was in response to a mandate of the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry. This work provides cybersecurity guidelines based on your organization’s size. Topics includes identity and access management, email protection systems, medical device security and much more. This is a free resource to the entire industry.
It takes each of us contributing to make significant change in healthcare cybersecurity. I hope you will be an advocate for change!