Transcript
Greg Garcia, the Executive Director of the Health Sector Coordinating Council Cybersecurity Working Group, is back for another visit on the podcast. We're going to talk about the recent publication of the Working Group's Sector Mapping and Risk Toolkit. The SMART Toolkit, as it's known, is a methodology that helps healthcare providers visualize key services that support workflows in the industry, and it's also used to measure risk appropriately for each of those services. It's a really invaluable tool and a unique and important initiative in a sector that's absolutely feeling a lot of pressure and uncertainty on several fronts. So I'm very happy that Greg is here to walk us through the toolkit and what he's seeing in the healthcare industry at the moment.

Before we bring in Greg, just my usual reminder to subscribe to the podcast. If you haven't already, we're on Apple, Spotify, Amazon, Audible, everywhere you can find podcasts. It's really the best way to keep up with the show and the guests that I've got coming up, and I've got a few more lined up before the end of the year. So if you're listening, I appreciate it; take a second to subscribe if you're not already doing that. With that, let's get started with today's episode and bring in Greg.

Good to see you. How are you doing, Greg?

Very well, Michael. I'm fine. And thank you for having me.

Absolutely. So before we get into the meat of today's discussion, just as a refresher, or even for those that may not be familiar, tell me what the Working Group that you chair is all about.

Absolutely. We are an industry-organized and industry-managed advisory council for critical infrastructure protection. Healthcare is designated by the government as critical infrastructure, like a lot of other industry sectors: financial services, electricity, telecommunications, water, chemicals, everything that the public depends upon.

So we have a public-private partnership, enshrined in law, that directs the federal agencies with responsibility over a given sector to work with their industry counterparts to identify and mitigate systemic threats to those critical infrastructures, whether they're natural threats or man-made threats. In our case, man-made threats: cyber attack. So we are the industry cyber working group of the Healthcare and Public Health Sector Coordinating Council. We're about 460 organizations, both government and industry, mostly industry, maybe a couple of dozen government agencies in this partnership. And it's across the spectrum of the health industry: the health providers, the payers, the medical technology and pharmaceutical companies, the health IT and information exchange industry, and public health. So we need to be looking at cyber threats as a cross-cutting challenge, right? It's a shared challenge; therefore, it's a shared responsibility. That's what the Cybersecurity Working Group is. And we've been working steadily since 2018 to put out a whole library of best practices and guidance documents by the sector for the sector. The SMART Toolkit is one of the most recent ones and, I believe, the most impactful.

I mean, this is almost, what, two years in the making, right, born out of the Change Healthcare attack? Is that correct?

Exactly. It was, I'll say, 16 months in the making, and it was sort of an odd alignment of stars. In February of 2024, last year, we released our five-year cybersecurity strategic plan, which, if you break it down to one page, is 12 implementing objectives, a to-do list. And just a couple of weeks before we released the strategic plan was the Change Healthcare incident.

And strategic objective number 10 in our strategic plan says: develop meaningful cross-sector third-party risk management strategies for evaluating, monitoring, and responding to supply chain and third-party provider cybersecurity risks. It's a mouthful, but basically, behind that objective statement is the Change Healthcare attack. This is something that we needed to address.

Yeah. And not to retread the attack, but that was, I think even you called it at the time, a choke point in the industry that really demonstrated a lot of fragility and a lot of risk that was happening in the sector at the time and probably continues today.

Yeah. And no one wants to throw Change Healthcare under the bus. It's not about Change Healthcare. It's about all of the other types of choke points, as you mentioned: critical services, critical utilities, or functions that support the healthcare system. And they are digital, they're electronic, they are connected over networks. Whether it's clinical, financial, administrative or operational, all of these services are connected and therefore vulnerable to cyber threats. So the impetus for this was to be able to identify those critical services and the potential risks associated with them, so that we would not be caught flat-footed again by another incident like Change Healthcare, which had a cascading impact across the health system. They have a third of the nation's patients in their service line, and we just wanted to be sure that we have as much visibility as possible, as much advance visibility into that whole infrastructure. I used to say, let's rip up the floorboards and look at the plumbing. Where are the loose joints? Where are the leaks in the plumbing that we need to fix?

So how did it evolve?
I'm sure you guys went into this thinking X, Y, and Z might be the output, but as you got into it, what did it evolve into? What was the end goal you envisioned?

Yeah, and the end goal was in fact maps. At the time, the task group was called the Sector Mapping and Risk Template, which means we wanted to develop a set of templates for visualizing these workflows. So as it evolved, we asked ourselves, okay, what workflows? Well, we started with eight or 10, but then it started to expand and we landed on 17 workflows: blood supply and distribution, claims and payments, dialysis, pharmaceutical and medical supplies manufacturing, on and on. All of these core functions and workflows that happen day to day in the healthcare system. And let's look at each one of those discretely and bring into the process those companies, those health providers, those individuals that are involved in the claims and payments workflow or laboratories or radiology. Who works in those workflows? Let's map it out. So that was the process. It was a lot of in-person work. We have our twice-annual all-hands membership meetings and we workshop it. This was co-led by Samantha Jacques, the VP for Clinical Engineering at McLaren Health, and the CISO for Premera Blue Cross, and at least 50 chief information security officers and people on their teams. We brought in administrative and clinical people, and the task was to build these maps with sufficient detail, but not down into the weeds. We had to find that balance of simplicity and utility to provide a template that every organization can use and tailor to their own unique, specific third-party and supply chain structure. So we weren't naming names. If you talk about prior authorization: I get my prescription from the doctor, it's got to get prior authorization before it's going to be paid for. Well, that is a Change Healthcare function.

There are other organizations that do prior authorization, but we didn't name those companies in the maps, because that's up to you as the company to decide who's doing that for us. So that's the nature of the template. You paint by numbers; you fill it in according to your own enterprise.

So these templates, obviously the intent is to make them fairly universal and fairly, I don't want to say generic, but high enough level that anyone can use them.

Yeah, exactly. Universal and scalable, so that a smaller organization can visualize it. They can either look at who's doing this service for us, or where do we fit in this workflow as a service provider? And then the task is to use it. And we don't have all the answers, of course. What we are asking the users, the readers: put it to work and give us the feedback. Critique it. Did this map on dialysis hit the mark? What critical function did we miss? And how did you implement it? What were the steps that you used? What were the lessons learned? At our most recent All Hands meeting earlier this week in St. Louis, we had one of our member healthcare providers walk us through it. Since its publication on October 7th, they've already put it to work, and six weeks later they have lessons learned for how they did it: what steps they took to put that map, several of those maps, into service in terms of identifying the critical services, assigning roles, and assigning relative risk to those services based on, is that third-party provider practicing good cyber hygiene? Is there a concentration risk? They own 80% of the market. Or is it geographic risk? Is the service or the data center located somewhere that might not be a friendly or stable country? So those kinds of factors. And then once you can assign risk according to material impact: what would be the material impact on this workflow, on our organization, on patient care, if that service were to be disrupted?

And then you can prioritize. It's a relative risk rating. You prioritize which of these critical functions are the most important, and therefore where do we invest in mitigation of those priority risks, if we can do any mitigation? If it's a concentration risk and you've got a service provider that has 70% of the market, do you have any leverage over them? No, you don't. You have no leverage over them. You just better be prepared for right of boom. If they go dark on us, what's our backup plan? What's our resiliency, continuity of operations plan? And then at least you are prepared. You are not surprised. You have maybe exercised tabletop outage scenarios that will minimize the impact.

Yeah. So speaking for myself, as someone outside of healthcare, looking at the maps and the visualization of it, I found it pretty powerful. You can see all the workflows. You can see the dependencies. And I'm sure the intent was to provide that kind of visual impact as well.

Yeah. Make it usable. Putting aside healthcare for a moment, there are so many things that have to happen in our day-to-day lives from beginning to end, whether it's through technology or through human intervention, decision making, policies. We often don't see day-to-day workflows as consumers. We don't see all the plumbing. You don't see the plumbing. Right. You take it for granted. But when you do see the plumbing, you go, holy cow. And I just did that in my basement. I live in an old house. It's almost a hundred years old, and it's got years and years of old plumbing and new plumbing, and they're zigzagging in the basement, in the floorboards, this way and that way. Where's that pipe going? And I've actually done a risk assessment.
I brought in the plumber and I said, there are so many joints in this, and pipes that lead to nowhere. They've been capped. I'm thinking, geez, is there an opportunity for one of these pipes to be corroded and leak or burst? And the plumber had a look at it and said, well, you look okay for now.

A lot of single points of failure there.

Exactly. Perfect way to put it.

So let's dig into the toolkit itself a little bit. There's a lot of emphasis on systemic risk, third-party services, et cetera. Take me through the reasons behind focusing on third parties, for example. Obviously the systemic risk speaks for itself, but just to focus on third parties.

Yeah. Good question. A couple of things, and in my view, these maps were not intended at first to include embedded services within your enterprise that you have total control of, right? That's another order of complexity. But every enterprise ought to be looking internally as well, to the resources, or maybe they've developed their own software programs. They've rolled their own to do some kind of discrete activity or service. And that can present a risk as well: you didn't program it well, or you didn't configure it appropriately, or it's in the wrong architecture, whatever it is. So it ought to apply to internal applications as well. But on the third-party side, we simply know that, particularly in the health provider space, health providers are often beholden to their third parties.

They are often left holding the bag by, if not negligence on the part of third parties in terms of cybersecurity, then just inadvertently. If it isn't a cyber attack, there are simply outages, right, that happen that you do not foresee. But there is obviously a very large population of third parties that are providing critical services to not just healthcare, but many critical infrastructure industries. And those third-party services are not regulated. Now, I tread carefully when I suggest regulation. But part of the issue is, if there isn't an incentive for third parties to build strong security into products or into services, and there's no leverage upon them to do so, no market leverage, then likely they're not going to. So until such time that third-party providers are held to a higher standard of cybersecurity because they are supporting the nation's critical infrastructure... critical infrastructure means life and death. There's a meaning to critical infrastructure. So if you are supporting critical infrastructure, you ought to be held to a higher standard. But until that day comes, because the health system is so dependent on those third parties, you better have pretty good visibility as to who are all those third parties, what are they providing to us, and what is their relative risk and benefit. And it's the hard thing to do. It can be expensive, complex and time-consuming, in part because technology innovation keeps on evolving and the stakeholders, the players in technology, are constantly shifting. There are consolidations, and there's a lot of churn in the industry.

A startup will do some whiz-bang technology or service. They'll be in business for two years and then they'll go out of business, or they'll get bought up by somebody else. So actually tracking all of the movement in the industry that's providing third-party services to us, that alone is a major headache. And then trying to assess their relative risk against cyber threats is expensive and time-consuming. So we just want to take baby steps to make it more manageable: to visualize it, to provide general guidance on how you actually do a risk assessment on those services and how you calculate materiality. And that's a good part of it. There are 17 maps in the document, and each one of those maps pretty much occupies a whole page. And then the other 23 pages are kind of explanatory notes about how you use these maps, how you do the materiality test, measure risk, prioritize it, that kind of thing. So it is a template methodology that a good number of the better-resourced, more mature cyber risk management programs in our membership were putting on the table: this is the way we think it ought to be done. And it should work.

You just said the word materiality again, I think for the second time. It's one of those nebulous words. Is that intentional? Is that going on an organization-by-organization basis, where they have to determine what's material, or are you providing some kind of guidance definition of what material means?

Yes. And yes, yes to both of your questions. Materiality does need to be... we offer a general definition.
I don't think I have it at my fingertips, but materiality is a measure of the clinical, the administrative, the financial, or the regulatory impact from any kind of incident that would affect the achievement of the workflow, the completion of the workflow. And then you assign, well, what is the clinical impact? So you will have gradations of material clinical impact, from delayed treatment to disrupted treatment to corrupted treatment and patient harm. So you can see there are lots of different ways to assess clinical materiality. But if you're not a hospital, you're a pharmaceutical manufacturer, right? You're going to have different manifestations of material impact. And for them, it's going to be operational materiality. The factory floor just ground to a halt. It took a ransomware attack and the machines aren't working. You better shut them off because you don't have confidence in the safety of the drugs that it's manufacturing. Well, then that's going to be a certain material financial impact. What's the measure of that? So, yeah, there's a broad definition. And from that definition, each organization needs to apply it to their unique circumstances.

Mm-hmm. Are the maps and the templates better suited to organizations of a particular maturity, whatever that may be? I'm thinking of smaller hospitals, for example, with fewer IT resources, et cetera. Does it work, or can it work with the same effectiveness as for a better-resourced organization?

Yeah. I mean, I think a better-resourced organization is likely to be larger and therefore will have a much more complex mapping process.

So it will be expensive and complex and time-consuming for them using those maps, because their tentacles are more far-reaching. A doctor's practice, a family practice, will have a much, much simpler map to deal with. They might have two or three providers, or they're using a single provider that's sort of the broker for all of their stuff. So it is scalable, and I think smaller organizations ought to be able to use it just as well, maybe even more easily, again because they tend to have, I believe, a simpler workflow. They are part of a simpler workflow because they're so small. I think I might be overgeneralizing there, but even as an educational tool, like I said, there are two outcomes from using this map, two outcomes from being able to visualize it. One is, can we identify those services that we might have some leverage over? Leverage meaning we can get the service provider to change how they're doing business, or we can simply go find another service provider because there's a lot of competition in the marketplace for that service, and maybe these guys are more secure than the other. Okay, that's cool. That's one outcome: that you can actually visualize your risk in a way that you have some control over. And the other outcome is, yeah, I'm dependent on this service provider. There's no other option. They're in, and it would be extraordinarily expensive for us to change from one to the next if we did so. The outcome is simply awareness.

We see that this service could, if it went dark on us... what would be the impact on our business, on patient care, on our financials, on our regulatory liability? And so we better have a backup plan for that. There's nothing specific to do. Maybe there's a small investment in some backup resources. We go to manual override. We make sure we have paper trails, paper copies of everything. How do we go to a paper-based system when the electronics are all dead? So that level of awareness at least gives you an ability to think in the worst-case scenario and be prepared for it. If you can't influence it, be prepared for it.

I'm just curious. I'm sure you guys have been collecting feedback as people try out the templates and the maps. Are you seeing any commonalities in the feedback, in terms of a lot of people seeing the same things bubble to the surface? Just curious on that front, what you're hearing.

You know what, let's have this podcast in another year and I'll have something for you. No, I mean, we just published it. It's one month old or maybe a little bit more. It was the 21st. So it's six weeks old. Some folks saw it coming and were part of the development of the SMART maps. And so even as they were being developed, they were taking those concepts in-house into their hospital and saying, okay, let's start working this now, because every day matters, because tomorrow could be the next hit. But save for the presentation we got on Tuesday about SMART, we haven't gotten any feedback yet.
So I don't think we have a... there's an email in the SMART document that users, that readers, can go to. I think it's probably like feedback at healthsectorcouncil.org, or it could be smartfeedback. I'm not sure. I can't remember the details. But anytime any organization has used it and they say, well, this is wrong, this didn't work, this is not right, I hope, absolutely hope and trust, that they will let us know, because these maps are living documents. Living because there may be inaccuracies or there may be improvements to be made, and we need to do that. And it's a living document because the industry changes, right? We're going to see AI take over, I would assume, a lot of those third-party services that otherwise were handled by discrete companies, consulting firms, IT companies, what have you. You can envision a world where AI is doing a lot of this work, and that introduces a whole different dynamic. You'll see in the preamble, in the introduction of the SMART document, we don't include AI in these workflows, just because it is still so incipient in the arc of AI's presence in healthcare workflows that we need to let that mature a bit and come back to it later, and see where some of these things are even more automated, and think about the risk of that kind of automation, decision-making, agentic AI making decisions for us in critical healthcare workflows. That's not reflected in these maps right now.

Right. I mean, AI is just moving so quickly. It's an obvious statement, but it's kind of hard to establish any kind of framework right now, because two weeks from now it might be irrelevant.

No, we've got it. We've got an AI task group. It's broken out into five subgroups, like governance and third party and a few others. And it's almost like we're writing these best practices, these guidances, and everything keeps changing. It's like, okay, whip out the eraser, erase that part and scribble in the new paradigm, the new development. AI has just rendered irrelevant what we wrote last week. I'm overstating that point, but that's kind of the idea.

Yeah. Maybe you're not.

I am. Yeah.

All right. You kind of anticipated my last question earlier, but just in terms of what's next, what's the roadmap for this going forward, and what do you anticipate?

Well, again, waiting for feedback, but also sort of taking it on a roadshow. And I really appreciate the clarity of interest in this. Many, many organizations are interested in it. So Sam Jacques and I, and any number of the members of the SMART task group, are out talking about this as a matter of critical infrastructure, systemic critical infrastructure risk. But then, at some point I expect some government attention to this in ways I can't predict right now. I went through a similar process, a similar project, with the financial services sector when I was with financial services, and we worked with the Department of Treasury to do exactly the same kind of thing. Only it was almost 15 years ago, I think. And the output was, imagine a piece of paper that is five feet tall and 12 feet long taped to a wall in the Treasury Department.

And that paper is covered in boxes and circles and triangles and lines and arrows: this is the financial services system, right? Here's how the money moves through the global economy. And it was absolutely bewildering and extraordinarily complex. And Treasury looks at that and said, okay, how do we, as the government, keep tabs on this as a matter of understanding those too-big-to-fail functions and companies? They didn't look at it in a regulatory context, but they wanted to have as clear a view as possible as to where are those choke points in the global financial system, so that as a government agency, they can be prepared to exercise their authorities. It didn't mean necessarily more regulation on the front end. It just means making sure you have the operations and the programs in place if something goes south, and you do have that visualization of those choke points, those weak points in the infrastructure, so that they can then step in and support in terms of recovery, continuity, that kind of thing. I would think the same, as one who did come from government too, the Department of Homeland Security: you want to be sure you can exercise the authorities that are given to you to be able to support your critical infrastructure. And so HHS, as our partner in this, they did participate. How they take the results of this over time and try to fashion some kind of policy and operational support mechanism, we don't know yet. Remains to be seen.

Right. That's what comes next. All right, Greg, thank you so much. I really appreciate you coming on, and this is really important work, and I'm sure it feels good to get it out the door. So thanks for coming on the podcast. I appreciate it.

Well, it was good to join you, Michael, and thank you for your interest and for amplifying this. It's important that we do get the word out, that we do raise awareness about the availability of this resource, and whether or not you use the resource, at least to have the awareness that, as a healthcare entity, organizations are part of a broader ecosystem with a lot of dependencies and interconnection points that we can't remain blind to.

Right. And this'll definitely make it apparent. All right, Greg, thank you, man. Appreciate it.

Yep. Good to be with you. Thank you.