Shifting Healthcare Security from Assets to Systemic Function
By Cam Sivesind
Thu | Oct 30, 2025 | 4:19 AM PDT

The cybersecurity mandate in the Healthcare and Public Health (HPH) sector has fundamentally changed. It's no longer enough to secure individual endpoints or patch known vulnerabilities; the focus must now be on systemic risk—the potential for localized failure to cause sector-wide patient harm.

The Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG), an essential partnership of nearly 500 industry and government entities, recently released a critical resource: the Health Industry Cybersecurity Sector Mapping and Risk Toolkit (SMART). This toolkit provides CISOs with the framework to map the highly interconnected dependencies of modern healthcare, forcing a necessary strategic pivot from asset-based risk management to Critical Function Analysis (CFA).

For years, risk frameworks have centered on the confidentiality, integrity, and availability (CIA) of individual assets (e.g., servers, applications). The SMART toolkit challenges this approach, emphasizing that true resilience is built around maintaining Critical Functions.

The report clearly defines this concept, asking: "What are Critical Functions?" (page 7) and answering that they are the essential activities necessary for providing health outcomes and maintaining public health. The press release accompanying the toolkit underscored this purpose, calling the toolkit a "critical resource" for organizations to understand systemic risk.

What is systemic risk in healthcare?

The SMART report defines systemic risk (page 8) as the potential for a failure in a widely shared technology or service (a "network effect") to cause catastrophic, simultaneous disruption across the entire sector.

Network effects matter: A vulnerability in a single, common Electronic Health Record (EHR) platform, a widely-used remote monitoring device, or a dominant payment processor creates systemic risk because a failure in that component impacts thousands of organizations at once. The toolkit highlights that building resilience requires understanding "Why Network Effects Matter" (page 10).

From an HSCC press release: "Critical functions in the health sector form a complex ecosystem of interdependent organizations of all sizes, including patient care, payment and data management systems, pharmaceutical, manufacturing, technology research, and public health administration," said Samantha Jacques, Vice Chair of the HSCC CWG and Co-Lead of the SMART Task Group.

"A cybersecurity event affecting a single supplier or third-party support for critical functions across healthcare workflows poses one-to-many impact," Jacques added. "A disruption to one payment clearinghouse, for example, can shut down a significant portion of the nation’s healthcare delivery." Jacques also serves as Vice President of Clinical Engineering for McLaren Health in Michigan.

This realization forces the CISO to think less like an IT manager securing a boundary and more like a supply chain manager securing essential services.

The core of the toolkit is the practical application of the SMART Map Tool. This mechanism provides a standardized way for organizations—from large hospital systems to specialized tech providers—to identify their dependencies on shared resources.

"This is a game changer for our industry," Anahi Santiago, CISO at ChristianaCare, said in a LinkedIn post. "Enabling our industry to understand and prepare for our reliance on third parties. Enabling each healthcare organization to review their supply chains and develop resiliency plans that are impactful for them."

The SMART framework guides the CISO team through a Risk Identification Process (page 11) that culminates in "Step 3: Determine Applicability of Critical Function Maps" (page 13). Instead of starting with a list of devices, you start with the services that keep patients alive (e.g., Blood Bank Management, Remote Patient Monitoring).

This focus on functions achieves two strategic goals, articulated by the report as the difference between "The Pitfall of Reactive Responses" and the goal of "Resilience Over Reaction: The Role of CFA" (page 11).

  1. Prioritization clarity: By linking cyber risks directly to Critical Functions, CISOs can stop chasing every low-severity vulnerability and prioritize remediation efforts that directly preserve patient care, providing immediate clarity for security resource allocation.

  2. Sector-wide collaboration: The common language provided by the SMART framework allows health providers, payers, and medical device manufacturers to finally communicate risk using the same map, fostering the sector-level collaboration that the HSCC was founded upon.

Premera BlueCross CISO Dr. Adrian Mayers, a co-lead of the SMART Task Group, observed that "The impact of a cyber disruption on critical functions can include loss of patient data and payment information, theft of intellectual property, or exploitation of medical device vulnerabilities that lead to disruption of functionality or patient harm. The growth of ransomware," Mayers warned, "threatens the availability of critical functions and systems, leaving organizations unable to provide services or products relied upon by patients and health professionals."

The SMART toolkit is a professional mandate for all HPH security leaders to update their risk frameworks.

1. Re-orienting resource allocation

Your security budget and team focus must shift from general asset hardening to enabling continuous function delivery. If your Critical Function Map shows that a single third-party cloud service supports 80% of your patient monitoring and financial clearing, your due diligence and monitoring of that service must absorb a disproportionate amount of your TPRM budget.
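As an added illustration (not part of the SMART toolkit or this article), the following Python script models a constructed Critical Function Map and ranks shared providers by their one-to-many impact; every function, slot and vendor name is made up, and the model assumes a function stays available only while each of its dependency slots has at least one live provider.

```python
from collections import defaultdict

# Constructed example map (hypothetical names). Each critical function lists
# its dependency slots; each slot names the providers able to fill it.
CRITICAL_FUNCTION_MAP = {
    "Remote Patient Monitoring": {
        "device telemetry": ["CloudVendorA"],
        "ehr integration": ["EHRPlatformX"],
    },
    "Blood Bank Management": {
        "lab information system": ["LISVendorQ"],
        "ehr integration": ["EHRPlatformX"],
    },
    "Claims Processing": {
        "clearinghouse": ["ClearinghouseOne"],
        "hosting": ["CloudVendorA", "CloudVendorB"],  # redundant slot
    },
    "Pharmacy Dispensing": {
        "ehr integration": ["EHRPlatformX"],
        "hosting": ["CloudVendorB"],
    },
}

def affected_functions(fmap, failed):
    """Functions that go down when every provider in `failed` is lost:
    a function fails once any slot has no remaining live provider."""
    failed = set(failed)
    down = [func for func, slots in fmap.items()
            if any(all(p in failed for p in provs) for provs in slots.values())]
    return sorted(down)

def concentration(fmap):
    """Per provider: share of critical functions it underpins (0..1) and the
    functions that would fail outright if it alone went down (network effect)."""
    supports = defaultdict(set)
    for func, slots in fmap.items():
        for provs in slots.values():
            for p in provs:
                supports[p].add(func)
    return {p: {"share": len(funcs) / len(fmap),
                "single_points_of_failure": affected_functions(fmap, [p])}
            for p, funcs in supports.items()}

def ranked_providers(fmap):
    """Providers ordered by one-to-many impact: most functions lost first,
    then by share of functions supported, then by name for stability."""
    rep = concentration(fmap)
    return sorted(rep, key=lambda p: (-len(rep[p]["single_points_of_failure"]),
                                      -rep[p]["share"], p))
```

The top of `ranked_providers` is where third-party due diligence and monitoring budget should concentrate; a provider with a high share but an empty single-point-of-failure list is one the map already shows to be redundantly covered.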

2. Mandatory partnership with clinical leaders

Critical Function Analysis cannot be done in a vacuum. CISOs must partner with clinical and operational leaders to achieve a "Common Understanding of Materiality" (page 13). Only clinical staff can accurately define what constitutes a critical function and what level of degradation is acceptable before patient safety is compromised. The CISO's job is to translate that clinical materiality into technical control requirements.

3. Advocating for systemic visibility

The biggest long-term implication is the need for greater visibility into the digital ecosystem. CISOs must advocate within the industry for shared threat intelligence and collective defense mechanisms that monitor those "Network Effects." The SMART toolkit is the map; the next step is building the sector-wide dashboard to see the traffic on that map.

By adopting the SMART framework, the HPH sector takes a crucial step toward "Building Resilience Through Critical Function Analysis: A Strategic Imperative" (page 10), ensuring that the integrity of health services remains the paramount focus of our cyber defenses.
