by Susan Clark, Senior Director of Community and Advocacy

Whew—what. a. day. April 15th, 2025, was anything but your average Tuesday. I had the privilege of attending the Health Sector Coordinating Council (HSCC) Joint Cybersecurity Working Group All-Hands Across America meeting—and let me just say, this event delivered. Think cross-country coordination, deep dives into policy and preparedness, and face-to-face dialogue between some of the sharpest minds across healthcare cybersecurity. And I got to be part of the regional experience at Roche Diagnostics in Indianapolis, IN.

First off: This was no Zoom-only snoozefest.

The meeting had a unique and super-effective structure: a blend of regional in-person sessions and a joint virtual national broadcast. In Indy, our regional gathering had a powerful mix of attendees—representatives from medical device manufacturers, pharma companies, hospitals, insurance payers, tech vendors, academic institutions, FBI, and standards/accreditation bodies (me!). All these perspectives in one room? That’s the good stuff.

Kicking It Off: IU Cybersecurity Clinic, You Rock!

Our regional discussion started strong with a facilitated discussion from Indiana University’s Cybersecurity Clinic, a low to no cost resource for businesses, including healthcare, throughout the state. They led a smart, solutions-focused discussion that dug into some of the biggest challenges we’re all facing right now in healthcare cyber:

  • Community preparedness – How do we build stronger, more resilient local ecosystems?
  • Incident response – The conversation led me to discover cyberciviliancorps.com, a game-changing idea where volunteers step in during cyber incidents. Imagine a cyber version of the volunteer fire department. We need more of this.
  • Information sharing – How do organizations get past the fear of revealing too much about their businesses to openly share with law enforcement and with other organizations who may be in danger from a similar threat?
  • Policy – Oh boy, we could’ve spent all day here. But the key outcome from this topic is next.

“Trustmark” Me, This Is Important

One of the most lively parts of our in-room discussion was the frustration we all feel around the procurement and vendor security assessment process. You know what I’m talking about: the 200-page security questionnaires that every health organization sends out asking for policies, plans, and controls, all slightly different, all a little confusing, and let’s be real—some orgs probably (definitely) don’t even know what to do with the responses once they come back, or whether the vendor has responded in an acceptable way.

There was a clear, almost unanimous call for the development of a federally or state-recognized seal—a kind of “Trustmark” that vendors could earn once they meet an agreed-upon set of security criteria. Think of it like a “certified secure” stamp that hospitals and payers could trust without reinventing the wheel every time they onboard a new vendor.

YES, PLEASE.

This is where DirectTrust can play a key role—they already have credibility in privacy and security accreditation, so why not expand into a universal vendor trust seal? (Have you SEEN our Credly badges??) Plus, I’d just heard this same idea bubble up at a recent hospital associations meeting, where there was strong interest in a vetted vendor list.

Time to bring in the third-party cyber insurers too—if vendors carry this “Trustmark,” why not offer them better cyber insurance rates? Incentivize security, simplify onboarding, reduce risk. Everybody wins.

FBI Takes the Floor: Cue the Spy Music

Next up, we had a riveting session with the Indianapolis region FBI—and I don’t use “riveting” lightly. Our local agent laid out exactly how and why healthcare orgs are such juicy targets for cybercrime. Spoiler: it’s not just about patient records.

They walked us through the many flavors of cybercrime targeting our industry:

  • Investment fraud
  • Business email compromise
  • Government impersonation scams
  • Ransomware (no surprise there)

But what really stood out was the range of assets at risk: financial data, intellectual property like customer lists and R&D, even industrial control systems. This isn’t just about data anymore—it’s about national security.

HSCC National Meeting: Zooming Out (Literally)

After the regional sessions, we plugged into the national virtual meeting, and wow—so much happening at the national level.

The highlight? The presentation of the HSCC Strategic Plan (you can check it out here). The key themes: Access, Workforce, Community, Innovation. I love that they’re leaning into “community” and not just “compliance.” Cybersecurity is a team sport, and community wins championships.

Gems from the National Broadcast

There were several speakers and sessions that really hit home:

Prof. Lokke Moerel (Morrison and Foerster, Amsterdam)

This was a mic-drop moment. She emphasized that when it comes to cybersecurity and board governance, don’t just dump metrics on your board. Provide context. Use measures that actually resonate. Show progress, own your risks, and avoid the “checkbox” mentality. Transparency > compliance.

DEA’s Erin Hager

Erin gave us a behind-the-scenes look at the battle against fraudulent e-prescribing. The key takeaway: we need rock-solid identity standards across the board. That’s the only way to secure the prescription supply chain. Couldn’t agree more. DirectTrust has these standards too and is eager to help.

Jim Roeder & Greg Garcia: On the Edge

Their session, “On the Edge: Cybersecurity Health America’s Resource-Constrained Health Providers,” was eye-opening. We can’t leave small or rural providers behind—they are part of the healthcare ecosystem and often the weakest link. But here’s the twist: we shouldn’t talk about this in terms of the need for “funding” anymore. Instead, talk about mechanisms for support. The term “resource-constrained” helps frame the issue more constructively for regulators. And yes, we need the larger health orgs to reach back and help their smaller counterparts. This isn’t charity—it’s self-preservation.

NIST Is In the Mix

I was thrilled to hear about the ongoing NIST National Cybersecurity Center of Excellence Partnership—this public-private model is where real progress happens. Collaboration across sectors, clear frameworks, and testbed environments to prove solutions before they scale? Yes, yes, yes.

Final Thoughts: Inspired and Energized

Coming out of this meeting, I felt a mix of hope, urgency, and a healthy respect for the work ahead. We’re facing complex threats, but we’ve also got some incredible minds on the case.

If there’s one takeaway that stuck with me, it’s this: we are stronger when we work together. Whether it’s a hospital IT director in Indiana, a security analyst at a pharma company, a student at IU, or a policy wonk in D.C., we each have a role to play.

Let’s build that Trustmark. Let’s stop overburdening vendors with compliance forms that don’t actually increase security. Let’s help our smaller providers shore up their defenses. Let’s lean into community.

And most importantly—let’s keep showing up.

Until next time, stay secure, stay connected, and stay caffeinated.