Health Care Industry Cybersecurity Task Force Overview

The Health Care Industry Cybersecurity Task Force has released its report to Congress titled Report on Improving Cybersecurity in the Health Care Industry.

The Health Care Industry Cybersecurity Task Force, established by the Department of Health and Human Services in March 2016 per the Cybersecurity Act of 2015, Section 405(c), has officially completed its analysis and delivered its report to Congress.

To meet its charge under the Cybersecurity Act and improve cybersecurity practices in the health care industry, the Task Force members held four in-person meetings which were open to the public (public summaries are archived on this site for public review), as well as additional virtual meetings to address the following five (5) requirements of the Act:

analyze how industries, other than the health care industry, have implemented strategies and safeguards for addressing cybersecurity threats within their respective industries;
analyze challenges and barriers private entities (notwithstanding section 102(15)(B), excluding any State, tribal, or local government) in the health care industry face securing themselves against cyber attacks;
review challenges that covered entities and business associates face in securing networked medical devices and other software or systems that connect to an electronic health record;
provide the Secretary with information to disseminate to health care industry stakeholders for purposes of improving their preparedness for, and response to, cybersecurity threats affecting the health care industry; and
establish a plan for implementing title I of this division, so that the Federal Government and health care industry stakeholders may in real time share actionable cyber threat indicators and defensive measures.

The Task Force members represented a wide variety of organizations within the health care and public health sector, including hospitals, insurers, patient advocates, security researchers, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, and laboratories.

Over the course of the year, the Task Force invited various health care industry leaders and experts from other critical infrastructure sectors to provide information regarding cybersecurity best practices, trends, threats, and general concerns with the members. Additionally, the Task Force posted several blogs that encouraged the public to provide information, thoughts, and ideas that the Task Force could use to inform their deliberations and address the Act requirements.
Now that the report has been delivered the Task Force has officially disbanded.

Task Force members were selected based on recommendations from a panel of subject matter experts from HHS, DHS, and NIST. The following criteria were used in selecting Task Force members:

Service in a position of influence in an organization that is representative of a component of the broad health care and public health sector
Experience in dealing with technical, administrative, management, and/or legal aspects of health information security
Knowledge of major health information security policies, best practices, organizations, and trends
Ability to participate actively in Task Force meetings and contribute to Task Force products

The members of the Health Care Industry Cybersecurity Task Force were:

Theresa Meadows, MS, RN, CHCIO, FHIMSS, FACHE
Senior Vice President and
Chief Information Officer
Cook Children’s Health Care System

George DeCesare, JD
Senior Vice President and
Chief Technology Risk Officer
Kaiser Permanente Health Plan

Roy Mellinger, CISSP-ISSAP, ISSMP, CIM
Vice President
IT Security and
Chief Information Security Officer
Anthem, Inc.

Mark Jarrett, MD, MBA, MS
Senior Vice President and Chief Quality Officer
Northwell Health and
Professor of Medicine
Hofstra Northwell School of Medicine

Jacki Monson, JD
Chief Privacy and
Information Security Officer
Sutter Health

Ram Ramadoss, MBA, CISA, CISM, CISSP, CRISC, CIPP
Vice President
CRP Privacy and Information Security and
EHR Compliance Oversight
Catholic Health Initiatives

Fred Trotter
Data Journalist
CareSet Systems

David Ting
Co-Founder and Chief Technology Officer
Imprivata, Inc.

Christine Sublett, MA, CISSP, CIPT, CRISC, CGEIT
Chief Information Security Officer and
Head of Compliance
Augmedix, Inc.

David Finn, CISA, CISM, CRISC
Health Information Technology Officer
Symantec Corp.

Michael McNeil
Global Product Security and Services Office
Philips Healthcare

Terry Rice
Vice President
IT Risk Management and
Chief Information Security Officer
Merck & Co.

Joshua Corman
Co-Founder
I Am The Cavalry

Alissa Johnson, PhD
Chief Information Security Officer
Stryker Corp.

Vito Sardanopoli, CSM, CISSP, CISA
Director of Cyber Security Services and Governance
Quest Diagnostics

Dan McWhorter
Vice President and
Chief Intelligence Strategist
FireEye, Inc.

Anura Fernando
Principal Engineer
Medical Software and Systems Interoperability
Health Sciences Division
UL LLC

Emery Csulak
Chief Information Security Officer
Centers for Medicare and Medicaid Services
U.S. Department of Health and Human Services

Laura Laybourn
Director
Stakeholder Engagement and
Cyber Infrastructure Resilience
Office of Cybersecurity and Communications
U.S. Department of Homeland Security

Kevin Stine
Chief, Applied Cybersecurity Division
Information Technology Laboratory
National Institute of Standards and Technology

Lauren Thompson, Ph.D.
Director
Department of Defense/Department of Veterans Affairs Interagency Program Office
Defense Health Management Systems

Rob Suárez
Director of Corporate Product Security
BD (Becton, Dickinson and Company)

Health Care Industry Cybersecurity Task Force

This page last reviewed: November 27, 2018