Best practices and recommendations for public-private partnerships to protect health critical infrastructure
Cybersecurity public-private partnerships (PPPs) for the health sector are considered essential to tackle the new challenges and risks that information and communications technologies (ICTs) bring across the healthcare industry. Because the private sector plays a substantial role in the provision of healthcare, either as a direct provider of medical services or as a supplier of medical equipment, governments should treat it as a crucial partner in their national cybersecurity endeavours. Partnering with the private sector is therefore vital for attaining national cybersecurity goals in the healthcare sector and in critical infrastructure (CI) in general.
Amid the COVID-19 pandemic, forging partnerships with the private sector has proven more critical than ever before. CI protection is now at the forefront of political debate, and many efforts are underway to better secure the sectors considered as CI, including the communications, chemicals, transportation, energy, and financial services sectors.
Cybersecurity PPPs have been presented as the backbone of national cybersecurity strategies (NCS). For instance, the International Telecommunications Union (ITU) describes PPPs as a ‘cornerstone’ of an NCS that effectively protects national CI. However, although governments acknowledge in their NCS that cybersecurity PPPs are of utmost importance for securing CI, in practice these partnerships often remain vaguely defined.
A case study: PPPs in the USA
For almost two decades, the USA has been working on the establishment of PPPs. The aim was to coordinate security planning and information sharing within and across all 16 CI sectors, including healthcare.
Former US President Barack Obama pioneered PPPs when he took office in 2009. In a speech, he said his administration would pursue a ‘new comprehensive approach’ to combating cyber threats:
The Federal government cannot succeed in the many facets of securing cyberspace if it works in isolation. The public and private sectors’ interests are intertwined with a shared responsibility for ensuring a secure, reliable infrastructure upon which businesses and government services depend. Government and industry leaders—both nationally and internationally—need to delineate roles and responsibilities, integrate capabilities, and take ownership of the problem to develop holistic solutions. Only through such partnerships will the United States be able to enhance cybersecurity and reap the full benefits of the digital revolution.
The USA PPP model for each CI sector
The USA’s model is a good illustration of how PPPs might work in practice. The National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience serves as the umbrella framework for a partnership approach between the government and the private sector. In a nutshell, NIPP develops mechanisms for collaboration and establishes requirements for partnership between industry, operators, and government agencies.
An especially significant feature of the US model is that PPPs are sector specific. This means each PPP can be centred on the particular risk landscape of its sector. Accordingly, the bedrock of every CI sector’s specific goals is the so-called Sector-Specific Plan, which is focused on that sector’s unique operating conditions.
In addition, each one of the 16 CI sectors has its own institutions:
- Sector Specific Agency
- Government Coordinating Council
- Sector Coordinating Council
- Information Sharing and Analysis Centre (ISAC)
An illustrative model
An instance of such a PPP in the healthcare sector is the Healthcare and Public Health Sector-Specific Plan. The plan defines goals and takes into consideration the uniqueness of the healthcare sector and its threat landscape.
The US healthcare-sector PPP consists of a Government Coordinating Council made up of government partners and a Sector Coordinating Council made up of private sector partners. Both councils collaborate through joint working groups. The Cybersecurity Working Group addresses emergent cyber threats to health information and IT systems.
PPPs in the EU
Typically, EU member states recognise the need for public-private engagement in critical infrastructure protection (CIP) and put emphasis on developing cooperation with business entities in their respective NCS.
There are two formal structures that aim to enhance the cooperation in the national cybersecurity endeavours in the EU – PPPs and Information Sharing and Analysis Centres (ISACs).
ISACs are trusted entities or non-profit organisations that foster information sharing between public and private entities. ISACs in the EU were established following the US model of sectoral ISACs, which have proven effective in the overall improvement of cybersecurity. In comparison to PPPs, ISACs are more formal in nature.
With regard to PPPs, according to the European Union Agency for Cybersecurity (ENISA), more than 15 member states have today established an official PPP. Unlike in the US model, these partnerships are developed to carry out specific projects, such as a national cyber security exercise, a cybersecurity awareness campaign (European Cybersecurity Month), or research and development. Nevertheless, ENISA points out the weaknesses of these partnerships and calls for a clear framework specifying the roles of the public and private sectors, their relationships, and the areas for cooperation.
At the EU level, only three sector-specific ISACs exist, covering the financial/banking sector, the energy sector, and the aviation sector. The European Cyber Security Organisation (ECSO) suggests creating a single pan-European ISAC led by public healthcare organisations. A healthcare ISAC would clearly improve the overall cooperation of private and public entities under the umbrella of a PPP.
Recommendations for creating cybersecurity PPPs in the healthcare sector
National and institutional cybersecurity goals in the healthcare sector cannot be achieved without partnerships with the private sector. Yet partnerships bring many obstacles and challenges, mostly associated with a lack of trust and transparency that leads to poor information sharing, which in turn further erodes trust: a vicious circle.
We recommend the policy action points below to develop an effective cybersecurity PPP in the healthcare sector:
- Genuine interest of the private sector when engaging in PPPs should be a priority
It is of paramount importance for participants in public-private cooperation to see the broader picture, that is to say, that the interest is above all to enhance the resilience and cybersecurity of the healthcare sector, not merely financial profit. The private sector should better understand the overall geopolitical processes and broader context when engaging in PPPs.
- Public and private sector should work towards a common understanding of interests, priorities, concerns and limitations of both parties
Mutual understanding of each party’s diverging mandates and legal capacities can ease the burden on both sides and lead to a more pragmatic approach towards a stronger PPP.
Nevertheless, a lack of trust and transparency is usually the major impediment to overcome, even though trust is considered a prerequisite of an effective PPP. To overcome these hardships, governments should appoint a national focal point to communicate with business representatives. As ENISA points out, businesses wish to see the government act, not to see disagreement between public bodies involved in cybersecurity that cannot even agree on a single focal point. Likewise, industries should appoint senior cybersecurity experts to take up the corresponding role and communicate with senior government representatives.
- Public and private sector should adopt a ‘human-centric approach’ towards cybersecurity in the healthcare sector
Recognising the impact of ICTs on human beings will guide the overall direction of the partnership. Maintaining a human-centric approach has also been highlighted at the international level, for instance in the final report of the UN Working Group of Governmental Experts in the Field of ICTs (UN OEWG).
- Public sector should take the first step to establish PPPs
Bearing in mind that CIP and cybersecurity are matters of national security and indeed a top priority for states, governments should take the lead in developing adequate governance models to tackle and mitigate rising threats. For instance, this can be done as in the US model, by developing a robust Healthcare Sector-Specific Plan in close collaboration with the private sector (and in consultation with the technical sector/community) that would serve as a road-map to guide the strategic direction and planning of the sector’s cybersecurity endeavours. Furthermore, it would ensure that both parties work towards common goals and objectives, and towards risk assessment and management tailored to the healthcare industry.
- Small and medium enterprises (SMEs) should be invited to participate in PPPs
The expansion of SMEs and a number of start-ups into healthcare innovation in Europe over the last couple of years adds to the reasoning that SMEs play a key role. Unlike in the USA, where there is a tradition of big companies being the key business players, in the EU SMEs represent almost all business entities in the region. As ENISA suggests, increasing the level of engagement of SMEs in PPPs could, inter alia, be advantageous for raising the level of network and information security (NIS) in the EU.
On a separate note, another important aspect to consider when developing PPPs is the supply chain. Various healthcare solutions (hardware and software) are built from layers of components by multiple suppliers (and suppliers of suppliers) across the world. Often, even the manufacturers of end-products for the health sector do not really know what is in the final product, let alone the health sector itself as a user. Many of those components are created by the open source community, start-ups and others, and may contain vulnerabilities; exploiting a single such vulnerability can compromise the entire supply chain and the final product. It is therefore important to involve these various communities of producers of the pieces of code or IoT hardware that end up in final products in the health industry.