Skip over global navigation links
U.S. Department of Health and Human Services

Cybersecurity Act of 2015 Section 405(d) Task Group

In 2015, the United States Congress passed the Cybersecurity Act of 2015 (CSA), which includes Section 405(d), Aligning Health Care Industry Security Approaches. In 2017, HHS convened the CSA 405(d) Task Group, leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Task Group is comprised of a diverse set of over 100 members representing many areas and roles, including cybersecurity, privacy, healthcare practitioners, Health IT organizations, and other subject matter experts.

The Task Group convened six times from May 2017 through March 2018 and produced a draft of the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients publication.

The draft was then “pretested” with over 120 stakeholders (i.e. practitioners/clinicians/non-IT and Information Security/IT professionals) within the healthcare industry in order to gauge usability, practicality, and scalability. The HICP publication will be updated regularly to keep the information on threats faced by the healthcare industry current and relevant. This public-private partnership is part of the ongoing effort to strengthen the cybersecurity posture of the Healthcare and Public Health (HPH) Sector.


Task Group Session Meetings

  • May 22-23, 2017: The CSA 405(d) Task Group held its inaugural session. The Healthcare and Public Health (HPH) sector leaders began the process of developing voluntary, industry-led and consensus-based guidelines to strengthen the sector’s cybersecurity posture.

  • June 26, 2017: The CSA 405(d) Task Group participants met to review the May session and to discuss the format for the draft cybersecurity guidelines. The Task Group focused their discussion on potential agenda topics for the next in-person meeting.

  • July 17-18, 2017: Key findings from the session include an initial set of best practices based on the missions/functions, threats, vulnerabilities and consequences of four healthcare provider communities that the participants of the CSA 405(d) Task Group identified during the first workshop. These illustrative communities include small physician practice, physician practice group, community hospital, and large hospital system.

  • September 18-19, 2017: The Task Group reviewed and discussed the CSA 405(d) Task Group Annotated Outline content generated by the Flexible Controls and Risk Management Subgroups, and Healthcare Industry Cybersecurity (HCIC) Task Force alignment conducted by the HCIC Alignment Subgroup.

  • December 11-14, 2017: A series of virtual sessions were held with members of the CSA 405(d) Task Group to discuss the final format for the publication.

  • March 26, 2018: The CSA 405(d) Task Group convened for a one day session to ratify the draft of version 1.0 of the publication—Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)—for pretesting.


CSA 405(d) Task Group Members

Last Name First Name Title Organization
Adams Kenneth Director, Federal Advisor Synergy Healthcare Services, LLC
Alicea Michael Chief Information Officer (CIO) Boston PainCare Center
Anastasiou Peter Director, Security Strategy Tufts Health Plan
Anderson Carl Vice President (VP) HITRUST
Barrera Connie Director, Information Assurance (IA) and Chief Information Security Officer (CISO)

Jackson Health System

 

Barrett Lee Executive Director Electronic Healthcare Network (EHNAC)
Belfi Catherine Manager - Emergency Management and Enterprise Resilience New York University Langone Medical Center
Blanchette Karen Executive Director PAHCOM
Blass Gerard President and Chief Executive Officer (CEO) Comply/Assistant
Bollerer Chris Supervisory IT Specialist HHS/OIS
Bontsas Jeff VP and CISO Ascension Information Services
Bowden Daniel CISO Sentara Healthcare
Branch Robert Director, Information Systems and Technology Munroe Regional Medical Center
Carr Joseph CIO New Jersey Hospital Association
Castillo Janella Junior Information Security Analyst HITRUST
Chaput Robert CEO Clearwater Compliance LLC
Chua Julie HHS Security Risk Management Division Manager HHS/OCIO/OIS
Cline Bryan VP, Standards and Analytics HITRUST
Cofran Wendy CIO Natick VNA/Century Health Systems
Coughlin Jeff Senior Director, Federal and State Affairs HIMSS
Coyne Andrew CISO Mayo Clinic
Csulak Emery CISO

HHS/CMS

Cullen Mike Senior Manager Baker Tilly
Cummings Allana CIO Children's Healthcare of Atlanta
Curran Sean Senior Director West Monroe Partners
Curren Stephen Director, Division of Resilience HHS Office of the Assistant Secretary for Preparedness and Response
Curtiss Rich CISO Clearwater Compliance LLC
Dar Cristina Research Officer HHS/FDA
Davis Cynthia CHIO Methodist Le Bonheur Healthcare
Decker Erik Chief Security and Privacy Officer University of Chicago Medicine
Donat Terry Surgeon and Illinois Professional Emergency Manager CGH Medical Center
Dunkle Stephen CISO Geisinger Health
Durbin Kenneth Strategist, Certified Information Systems Security Professional Symantec
Echols Mike CEO IACI - International Association of ISAOs
Edmonson Vladimir Chief Privacy Officer & Senior Compliance Director Ohio Health
Etherton Anna IT Specialist (INFOSEC) DHS/CS&C
Farabella Helena National Chairperson PAHCOM
Finn David Health IT Officer Symantec
Fleet Eli Director of Federal Affairs HIMSS
Frederick Michael VP Operations HITRUST
Goldman Julian Clinician: Attending Anesthesiologist, Massachusetts General Hospital / Harvard Medical School Harvard Med
Goldstein Eric Branch Chief, Partnerships and Engagement DHS CS&C
Gomez John CEO Sensato
Gorme Craig IT Security Manager UF Health and Shands Hospital
Grillo Jorge CIO/VP Facilities, Safety, Security, Construction and EVS St Lawrence Health System
Heesters Nicholas Health Information Privacy Security Specialist HHS/OCR/HIPAA
Hicks Andrew Managing Principal Coalfire
Hinde William Managing Director West Monroe Partners
Holtzman David VP, Compliance Strategies CynergisTek, Inc.
Jackson Helen Program Analyst DHS/CS&C
James Bruce Director of Cybersecurity Architecture Intermountain Healthcare
Jarrett, MD Mark Chief Quality Officer, Association Chief Medical Officer Northwell Health
Jobes Kathy VP and CISO Ohio Health
Kacer Wendy Sr. Director, Cybersecurity Governance, Risk and Compliance Dignity Health
Kim Lee Director of Privacy and Security HIMSS
Klein Sharon Partner Pepper Hamilton
Krigstein Leslie VP, Congressional Affairs CHIME
Lacey Darren CISO John Hopkins
Lee Wayne Chief Cybersecurity Architect West Monroe Partners
Levy Leonard VP and CIS Spectrum Health
Love Talvis Senior Vice President (SVP), Enterprise Architecture, eCommerce and CISO Cardinal Health
Maksymow Michael VP and CIO Beebe Healthcare
Marquette Casey Sr. Director, Information Security (INFOSEC) CVS Health
McAllister Guy VP and CIO Tift Regional Medical Center
McDonald Blair IT INFOSEC Analyst HHS/OS/OCIO
McLendon John VP and CIO Johns Hopkins All Children's Hospital
Nonneman Lisa IT Director Mary Lanning Healthcare
Nordenberg Dale Executive Director MDISS
Palmer Dennis Sr. Assurance Associate HITRUST
Quinn Jessica SVP, Chief Compliance Officer Ohio Health
Quinn Matthew Sr. Advisor, Health Technology HRSA
Riethmiller Erika Director, Corporate Privacy Incident Program Anthem
Ross Aftin Senior Science Health Advisor FDA.HHS/OCIO/OIS
Royster Curtis IT Specialist DC Government/Department of Health Care Finance
Savickis Mari VP, Federal Affairs CHIME & AEHIS
Savoie Don Savoie Chief Operating Officer (COO) Meridian Behavioral Health Center
Schwartz Suzanne Associate Director for Science and Strategic Partnerships FDA.HHS/OCIO/OIS
Shaikh Munzoor Director West Monroe Partners
Siler Kendra President CommunityHealth IT
Skinner Rich Head of Strategy and Business Development - Cyber Security West Monroe Partners
Smith Philip President MedMorph LLC
Stephens Timothy Sr. Advisor Biologics Modular
Stevens Deborah VP and CISO Tufts Health Plan
Stine Kevin Chief of the Applied Cybersecurity Division NIST
Tennant Rob Director, HIT Policy Medical Group Management Association
Teyf Daniel Security Architect Colorado Governor's Office of IT, Office of Information Security, CISO
Thomas Mitchell Chief Security Officer HealthSouth, Inc.
Tierney Logan Project Manager Greater New York Hospital
Todd Nickol Deputy Director, Division of Resilience HHS Office of the Assistant Secretary for Preparedness and Response
Voigt Leah Chief Privacy and Research Integrity Officer Spectrum Health
Wang May Chief Technology Officer and Co-founder ZingBox
Watson Kelli Cybersecurity Operative and Researcher Sensato
Webb Tim Partner InfoArch Consulting, Inc.
West Karl CISO Intermountain Healthcare
Wheatley Cathleen System Chief Nurse Executive and VP of Clinical Operations Wake Forest Baptist Health
Willis David Medical Director Heart of Florida Health Center
Wilson Chad Director of Information Children's National Health System
Wilson Kafi Principle/CEO KWMD LLC
Wivoda Joe Sr. Director of Healthcare at Analysts Analysts
Wolf Laura Supervisory Program Analyst HHS Office of the Assistant Secretary for Preparedness and Response
Worzala Chantal VP, Health Informtion Policy American Hospital Association
Wright Michael Sr. Manager Baker Tilly
Zigmund-Luke Marilyn Sr. Counsel America's Health Insurance Plans (AHIP)

Cybersecurity Act of 2015, Section 405(d)

  • This page last reviewed: December 28, 2018