This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Thanks as always to our partner Fortified Health Security. No matter where you're at in your cybersecurity journey, Fortified can help you improve your cybersecurity posture through their 24 7 threat defense services or advisory services delivered through Central Command, a first of its kind platform that simplifies cybersecurity management and provides the visibility you need to mature your program.
Learn more at fortifiedhealthsecurity. com
Introduction
📍 Hi, I'm Drex DeFord, a recovering CIO from several large health systems and a longtime cyber advisor and strategist for some of the world's most innovative security companies. And now I'm president of This Week Health's 229 Cyber and Risk Community. And this is Unhack the Podcast, a mostly plain English, mostly non technical show about cybersecurity, and RISC, and the people in process and technology making healthcare more secure.
And now this episode of Unhack the Podcast.
Hey everyone, welcome to Unhack the Podcast. I'm your host, Drex DeFord, and today we're going to talk about some of the completely free and incredibly useful material that's produced by the Health Sector Coordinating Council's Cybersecurity Working Group.
It's a mouthful acronym wise we'll just call it CWG. And The CWG includes more than 400 industry and government organizations that come together to work on strategies to address cybersecurity challenges in the health sector. And one of the many things the CWG does through a task group process is that they develop these free resources that are focused on security best practices, and they're across a whole range of disciplines.
And today we're going to talk about one of those resources, one in particular called the health industry cyber practices. And the acronym is HICP. And we actually refer to it as HICUP often when we talk about it. And it turns out nobody knows more about HICUP than today's guest, Eric Decker, the CISO at Intermountain Health.
Thanks for being on the show, Eric.
Thanks, Drex. Appreciate it.
So let me start with, introduce yourself. It'll probably set the stage for the show. You've been involved in everything. We've talked about this in the past. You're a tireless cyber champion and often, I think probably an actual tired one.
I was
going to say, I don't think tireless is the right adjective. There's, There's a lot of tired going on here.
Tell me a little bit about your background and how you ended up at
I'm Eric Decker, VP of CISO for Intermountain Health. If you're not familiar with Intermountain Health, we're the very large integrated delivery network in the Mountain West region.
So we cover seven states based in Salt Lake City but like Nevada, Colorado, Utah. Idaho, Montana bits of Arizona, and so forth. So we've got a fairly large coverage area. We also have a, because we're an integrated delivery network, we have a health plan called Select Health that covers a million lives, and we're very much a Based in the value based care model, I think it's something like more than 50 percent of our revenue in Utah is actually value based care contracts.
Yeah, so we're, we are like big into that model. We believe in it. The second job that I call it a second job, even though it's not compensated has been something I've been doing for the last nearly 10 years now at different levels of leadership culminating to the level I'm in right now, which is the chairman of the cybersecurity working group of the Health Sector Council.
Drex, as you said, that's a group, we have 450 organizations, we have over a thousand members representing those 450 organizations, and it's the critical infrastructure partnership that comes where the government partners with the industry. We're actually a codified forum. By which we have this discussion.
It's called CPAC, Critical Infrastructure Policy Advisory Committee. So this is not just like another association that's out there doing some stuff. It is a codified into presidential directives, executive orders, and the National Defense and Authorization Act. So when we come together, we create Products or work on strategies with HHS and CISA and the ONCD, which is the Office of the National Cyber Security Director, or the NSC, the National Security Council of the White House.
We've interacted with all of them on the challenges of, that healthcare faces and in cyber specifically. And some of the sometimes when we produce publications, they are industry only publications, so we've done a bunch of work on vulnerability management in medical devices how to build secure by design in medical products to.
ht now to stable condition by: products. It was released in: somware attacks happening, in:And that's what HICUP became. It's five threats, 10 practices. And then we built different technical volumes. Based on what kind of organization you are. So if you're a small organization, the way you do those 10 practices is actually going to be very different than if you're a large integrated delivery network like Intermountain, because the complexity and size of Intermountain is different.
The scale and scope is different. So there's 3 technical volumes, small, medium, and large. 2 actually, and then broken up into small, medium, and large. And, that became the beginning of the journey for standardizing our healthcare cybersecurity practices.
I like that it's for large, medium, small organizations. I like the standard work part of it because I'm a, Lean Toyota, lean production. Yeah, like that whole thing. way that you can use it too, for me, it's probably one of the favorites for folks who go out and look at this material when they find that one, that is usually the one that they seem to really latch on to because it's really easy to read and not just for cyber pros, it's really easy to read for anyone who wants to understand how cybersecurity works inside their own organization, right?
Do you see other people using it too?
I think we what was the latest numbers? We've had 4 million hits on that website and 300, 000 downloads or I forgot what the latest stats are. But it was from when we it's crazy kind of being there from the beginning. And I remember logging.
Events that I would go to and I would talk about HICUP and nobody had any idea what this stuff was and we would Get like one or two hits, you know on the site and everybody was like, ah, it's just more noise, too Suddenly, it's almost it's not like HIPAA ingrained in the nomenclature But more and more when I go to a conference and I ask have you heard of HICUP?
I get a fair amount of hands like raising up in the room and that's pretty cool.
I do the same thing. I asked that question and I have seen the wave over time, get more and more hands come up.
journeys, right? So that was:Ideally, we would put out a new update every two years. The practices, they're not really shifting. If anything, they've expanded in scope a little bit. We used to have a practice just about policy, and we changed that to governance. That's fine. The beauty of HICUP is it's a how to guide.
So if you don't know what to do, and you're like, yeah, okay, everybody says do two factor authentication. And for sure, of course, we have two factor authentication as one of the practices. Because why wouldn't you? It's one of the sub practices. And, you get into the but where? And how?
And what? And in healthcare, It's big and complicated. Are you saying two factor authentication on medical devices, or two factor authentication on externally exposed assets? The latter you better be doing. The former, maybe not, if they might not even be supportable to do that.
And so there's a uniqueness in there and when you look at HICUP in its totality, it's 250 pages. The reason why is because there's all that how embedded it. In
the technical volumes, right? So the technical volumes, the
main document is pretty approachable. Yeah, it's 20 some pages.
Yeah. Yeah, the main document. The other part of it is just the embedded links, the things to be able to you don't have to go search this stuff out. If you want to link to the FBI or the HISAC or CISA, like those links are just in the document when you talk about that. So it's, again, I like the way that you've approached it.
The other thing that makes it really approachable that I find that I think we all could continue to learn from is that you. Use language that The people who are reading the document may be using hand hygiene for cybersecurity. Talk about, I'm sure that was a conversation as you developed it. How do you come up with the right language and the right analogies to make it approachable?
I'd like to say that it was some master design but no, The idea of, the purposeful design on this was, on the main document especially, we're trying to hit multiple audiences, how do you approach the non IT, non cyber people to drive awareness and drive momentum, and so you can't use a bunch of jargon, you gotta relate, to who the person is that's reading it And HICUP and the cybersecurity performance goals, which we'll talk about in a second it's hygiene at the end of the day.
It's the basic things that we should all be doing.
In fact, it's even embedded in law now, HICUP is. It's embedded in an amendment to HITECH, which instructs OCR to consider your adoption of HICUP over the last 12 months if you have a breach. It's not Safe Harbor, but it's a little bit of a line in the sand that says, if you're doing these things, then OSIR is, they're instructed to consider that on any enforcement action.
So that's great. That's a carrot. That's a really good carrot. It's an incentive to do better practices.
And this idea of we've got to get cyber out of the back room and into the clinicians understanding. Hand hygiene is a piece of that. Cyber safety is patient safety.
That's a tagline that came out of the 405D effort HICUP in particular. And what we mean by that is, hopefully it's well understood. Yes. Our systems aren't up and operational or they're down for a prolonged period of time. That could cause safety issues.
For sure. And
so cyber safety, keeping that stuff up, keeping the hygiene clean is patient safety. It's, it very much directly relates. And so that's, yeah, we were very intentional on the main document to keep jargon out for the technical wonks that want their technical, Deep Dive.
That's the technical volumes. That's where you go in and we don't play with the words there, for the most part. Call it what it is, because there is technical work that has to be done in order to achieve it.
Yeah. One of the things you just mentioned a moment ago was the cyber performance goals.
And so the connection in the spirit of everything's connected to everything else, HICP is connected to lots of other things to talk about. Cyber performance goals. We hear a lot about those in the last few months.
So CISA started this a couple of years ago CISA, Cybersecurity Infrastructure Security Agency.
They're trying to secure all 16 , critical infrastructure that's been defined under law. And there are this thing called under regulatory parlance, there's this thing called risk management agencies. That's SMAs so everybody can start putting out their government acronyms.
And the SRMA is the federal agency that interfaces with the industry. So that of course is HHS is our Smri, SRMA. So since I put out a broad blanket of cybersecurity performance goals that said, Hey, critical infrastructure, these are some things, voluntary based things that you should do.
e've had HICUP in place since:And there was a directive that we needed to build healthcare specific cybersecurity goals. And that came from the Deputy Secretary's Office of HHS. But rather than some bureaucrat in the back room just go building a list of stuff, let's do it together. So we really push, we have wonderful partnerships with HHS.
And honestly, I think this is one of the, Great examples of how industry and government can actually work together when we have the relationships and we can show how these things tie together. Of course, I'm completely biased by saying that. I recognize at the end of the day, when the edict came down that we needed to build cybersecurity performance goals, of course, 1st, we were like let's just do it.
Put HICUP in there. No, it's not. HICUP is too big. So the aha moment for me was the CCP G has goal statements inside of them, and when you look at cisa CPGs, there's like a goal that's listed out.
The goal is the magic sauce in the CPG. It defines what should be done. It doesn't tell you how to do it. And so HICUP tells you how to do it. when we started doing this, it's let's refine the goals, let's define the outcome that we're trying to achieve with all of this, and then mash it with HICUP.
And that's exactly what we did. So it really does fit nicely. When you read the CPGs, very much pay special attention to the goal statements. You'll see two factor authentication is one of the CPGs. It does not say two-factor authentication on every single system. It specifically says two-factor authentication on internet accessible systems.
So that means if you have it on the internet and it's exposed to 8 billion people, it better have two factor. Doesn't matter if it's got PHI or not. That's not the point. if it has a dedication page, it should have two factor. So that's the gist of what we did. We argued over those goals.
There's a small handful of us. that did that. We did the arm twisting we went through several rounds of this. And I'm frankly very happy with the end result.
The other thing to note is we did this with the intention that this is going to become the minimum mandate.
Again it's the precursor step, thinking strategically here. As we build these voluntary CPGs HHS, working with us, helped define, what is going to be the strategic Direction that we're taking this. So it's four phases. It's voluntary practices stimulus and incentives to the industry because there's definitely needs based organizations that cannot do this without help.
mandates, and then a one stop shop for HHS, because there's a lot of different ways to get in HHS, and they're trying to condense that in a conforming kind of way. So we did, the voluntary was the CPGs, the stimulus, we've given a lot of input into. There's 1. 8 billion in budget proposals, and even Congress has put some bills out there that has the 1.
8 billion out there for stimulating the needs based organizations. Minimum mandates is going to be HHS has already announced that they're opening up the HIPAA security rule soon. I don't know exactly when that's going to be, but they're going to be tying that into it in order to get to a better defined baseline what I call the non negotiables, at the end of the day.
We need to stop arguing on. Do we put two factor on the internet or not? Do we patch a cap or a non exploded vulnerability on the internet that's another CPG? Of course you do. And of course that has to be done. If you're not doing that, you're going to get hit. It's guaranteed that you're going to get hit.
That's the beauty. And when I look at my arc in all of this I started off as a task group lead at 405D. I became an executive committee member, board member of the whole cyber working group, and then I got elected in as chair, serving, I'm coming off my three year term in two months.
I'll be done as chair. One of the things I wanted to do at the beginning of all of this was, can we get to some kind of agreed upon memo, that we all work off of. So I feel you
gotta be this tall to ride the ride. Yeah.
Yeah, exactly. And there's a lot more to do, trust me, like AI and all the other things that are spitting up.
Those are other issues and other problems, don't get me wrong. But when we talk about ransomware attacks and how organizations are getting shut down for 30, 45 days, it's hygiene. That's how it's happening.
Yeah. Yeah. I feel like we barely touched the surface and we're out of time. All this stuff is available for free.
We will make sure we post the links. At the end of the podcast and the comments on LinkedIn, we'll make sure we embed it when we post it to wherever you get your podcasts. Man, thanks for being on the show today. What a long, strange trip you've been on and what a long, strange trip we probably still have left to go.
True. Thanks Drex. Really appreciate it.
That's a wrap for this episode of Unhack the Podcast. Do me a favor and share this episode with your peers. And by the way, your feedback matters, so please subscribe and rate and leave a review wherever you listen to podcasts. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the Podcast. As always, stay a little paranoid. I'll see you around campus.