AHLA's Speaking of Health Law
The American Health Law Association (AHLA) is the largest nonprofit, nonpartisan educational organization devoted to legal issues in the health care field. AHLA's Speaking of Health Law podcasts offer thoughtful analysis and insightful commentary on the legal and policy issues affecting the American health care system.
Information Sharing in Health Care: Mitigating Risk and Enhancing Cooperation
John F. Banghart, Senior Director for Cybersecurity Services, Venable LLP, speaks with Errol S. Weiss, Chief Security Officer, Health-ISAC, Inc., about the unique challenges associated with information sharing in the health care sector. They discuss what an ISAC is; what information sharing means in the context of the health care sector and why it is important; legal, regulatory, and compliance risks; risk mitigation strategies; the impact of the Cybersecurity Information Sharing Act of 2015; and how to facilitate cooperation in information sharing among various stakeholders. Sponsored by Venable.
Watch this episode: https://www.youtube.com/watch?v=2sRx96w1U70
Learn more about Venable: https://www.venable.com/
Essential Legal Updates, Now in Audio
AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.
Stay At the Forefront of Health Legal Education
Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/.
This episode of AHLA's Speaking of Health Law is sponsored by Venable. For more information, visit venable.com.
SPEAKER_02:All right, well, welcome everybody to our discussion on information sharing in the healthcare sector today. My name is John Banghart. I'm a senior director for cybersecurity services at the law firm Venable. I think it's worth noting that I am not an attorney, so you might be surprised to find that there are non-attorneys working at a law firm. But we established a team of cybersecurity professionals at Venable over 10 years ago now, and it's been a tremendous pleasure to be there for almost that entire time. Part of the great thing that I get to do in my job, in addition to working with lawyers, is getting to work across a lot of really great communities. And one of my great clients and friends joins me today, Errol Weiss. Errol, let me kick it over to you. Tell us a little bit about yourself, your background, tell us what an ISAC is, and then we'll kind of get into the topic here.
SPEAKER_01:Great, John. Thanks a lot. And thanks a lot for having me here today, everybody. So my name's Errol Weiss. I'm Health-ISAC's Chief Security Officer. I've been here for six and a half years now in this role. Prior to that, I was in the banking and finance sector for 13 years between places like Citibank and Bank of America. When I was at Citibank during that time frame, I created and ran their global cyber threat intelligence organization, delivering threat intelligence to thousands of internal customers worldwide. So I had a lot of fun and interesting experiences there, and got to work with another ISAC, the Financial Services ISAC, during that time as well. So as John alluded to, what is an ISAC? It stands for Information Sharing and Analysis Center. It's a concept that was created way back in the mid-1990s after a federal government study found that much of the critical infrastructure was owned and operated by the private sector. So it was really an idea to help encourage the private sector to share incident information and best practices with each other, and to really help protect those organizations, and essentially each critical infrastructure, from what was suddenly becoming a very threatened set of targets in the US.
SPEAKER_02:And hey Errol, let me jump in real quick, because I think one of the things that might be helpful just for context for folks is when we say critical infrastructure, there are very specific definitions around that, right? So I think everybody kind of understands that things like your energy and your water, that those are things that are critical, right, to our daily lives and to our country. But there are a lot of other critical infrastructure sectors too, like healthcare, for example, financial services, transportation. And so it's a really interesting mix. I just wanted people to understand that there are, what is it, like 16 or 17, I think, defined critical infrastructure sectors now.
SPEAKER_01:I think 16 is the right number, yeah.
SPEAKER_02:Yeah, 16. So it's interesting. And I think, you know, obviously healthcare is one that touches on everyone's lives, and it certainly is critical to all of us. So I just wanted to add that context, but please keep going.
SPEAKER_01:Yeah, actually, I think that's a pretty good background about the ISACs themselves. They're all very different from each other, and I think that's because they're really laser focused on each of those sectors that they support. But essentially, at the core, they do promote information sharing, sharing best practices, sharing incident information amongst the members inside each of those sectors. In the case of Health-ISAC, we've been around since 2010, so 15 years at this point. The first ISAC was the Financial Services ISAC, which got launched in 1999. So they've been around for over 25 years now.
SPEAKER_02:Yeah. So my first interactions with the ISACs were when I was in government. You know, I spent some time at NIST and with the National Security Council and really started to engage with that community and see the value in it. And I think one of the things that I really had to learn was what we really mean when we say information sharing, right? Because you put those two words together, great, information sharing. That sort of makes sense, and everybody can sort of conceptually understand what that means. But I never really fully appreciated what we were really talking about when we talk about information sharing, particularly in the context of critical infrastructure. And so maybe if you can spend just a few minutes on when you say information sharing, what does that mean to the healthcare sector? What does that mean to the ISAC? And, I think importantly, to your members, right? Because you're made up of, I forget what the number is, but it's a large number of healthcare organizations from all over the country and really around the world, right?
SPEAKER_01:Right, right.
SPEAKER_02:Yeah.
SPEAKER_01:Yeah, so definitely an interesting issue there. And I think what it boils down to, really, I would kind of separate it into three general buckets when we talk about information sharing in general: tactical, strategic, and operational. I can just give you high-level examples of each one of those without getting super technical. On the tactical side, the idea is, if I'm seeing an attack, if I get a malicious email, I can take that information and share it with our peer organizations and help them use that kind of information to look to see: have they been attacked by these things, have they seen them in their own environment, to try to better protect the organization? And by tactical, I mean things like maybe IP addresses or the subject lines of that malicious email, or maybe where that malicious email came from, what the from address was on there, or even file attachments, for example. Anything that I can use to describe very specific email or IP address information, for example, could be very helpful for others to protect their organizations. On the strategic side, going up to like 30,000 feet from that viewpoint, it's what trends are we seeing in attacks now? What different methods, for example, are the bad guys using to run these attacks? What new innovative techniques are they using? You know, just as an example, almost every day, right, we're hearing about a new scam and what's the twist on it that we haven't heard before. So if you can kind of think about it that way, that's some of the things that we might share from a strategic standpoint.
SPEAKER_02:Yeah, I think that's a really... oh sorry, let me just, real quick, because I think that's a really important one, right? That really everybody, regardless of what sector you're in, regardless of whether you're a lawyer or a technical person, I think everybody really appreciates how quickly the attacks change, how quickly we get targeted. Certainly those of us who are working in the healthcare sector, we're targeted all the time. And it's effectively impossible, I think, for any one organization to keep up on their own, right? Yeah, because we're all under attack. We gotta have that collective defense.
SPEAKER_01:And every time we do a threat report, it feels like it just gets worse every year. It never gets better. And it's like the things that we learned 20 years ago, you still have to worry about today. And then, of course, with things like artificial intelligence, AI, the problem gets worse every day. So never a good story there. So John, the last thing I was going to bring up was operational sharing. So things like best practices, survey information, right? We can send a pulse check out to the community to say, hey, how are you handling this problem? Or where in the organization does the CISO report to, or how much are you spending on information security? Even surveys like that can be super helpful and demonstrate best practices that others might want to pick up on. And then even doing things like sharing document templates. Like if somebody has a template for a process or a policy, just being able to share that out to the community so that they can kind of get a head start on their own and develop something from there. But I think, you know, the other piece of this, the other dimension on the tactical, strategic, and operational that I'll just leave you with here, is that it's also about sharing these things during steady state. So when we're not under attack, but then also during the incidents, which I think is one of the most important places where we should be sharing actively.
SPEAKER_02:Yeah. Yeah, and I'm glad you brought that up, because as somebody who sort of came at the ISACs from the outside, particularly when I started working with you all at Health-ISAC six, seven years ago now, you know, I had it in my head that, okay, ISACs, I've heard about that, and they're really just doing threat indicators and all this technical stuff and whatever. But I really did come to appreciate how much of the sharing that was happening really was that steady state or that proactive sharing of just like, hey, I'm doing something this way and it's working great for me at my hospital. If you are also working at a hospital, you should consider this, right? Because this is something that I'm doing. And so, you know, watching those interactions and seeing the ISAC create a safe space, and we'll come back to why it's a safe space here in a minute, but creating that safe space for people to be able to share openly was an eye-opener for me and, you know, really gratifying to see just how much people appreciated that.
SPEAKER_01:Yeah, I love that you brought that up, because I'm constantly thinking that the working groups and those smaller groups getting together to share ideas and learn from each other, to me, was probably one of the best experiences I had when I was on the financial services side. I learned so much, not even just technically, but also about leadership and management and operating under incidents, just watching other people. Again, just from a personal and professional standpoint, it helped me out tremendously from a growth perspective.
SPEAKER_02:Yeah. So I think we can come back to some other benefits as we go through this. But I want to think a little bit, you know, given the folks that are listening to the podcast today, watching the podcast, and trying to put myself in their shoes, which, having now worked at a law firm for 10 years, I certainly have learned how to do: put myself in the shoes of lawyers, both inside and outside counsel. And so if I'm sitting here and I'm listening to all this, and that sounds great, information sharing's great, there are a lot of these great benefits, but I might also start thinking about, well, aren't we putting ourselves at risk, right? If our company is sharing information about an incident that we're having or about our internal practices with others, I might start to feel a little concerned about that, right? Because my job, whether I'm inside or outside counsel, my job is to protect my organization from liability, protect them from potential harm. And so we do hear a lot of this, right? So you and I have heard this now over the last several years we've been working on this issue. So I wanted to kind of turn our attention to that a little bit. Can you just give me your perspective? And then I'm happy to share mine. Amongst your membership or amongst companies you run into in the healthcare sector, what sort of pushback do you get from that sort of legal, regulatory, compliance side that you think would be worth tackling here?
SPEAKER_01:Yeah, I think the biggest one that I want to bring up, and I really want to hear your perspective on this, the biggest issue I see is when there's an incident. When an organization, maybe a hospital is a great example. Hospitals have been targeted by ransomware, they are under attack, and systems are starting to shut down, and they're having to divert patients to other local area hospitals. To me, that is the opportune moment to be able to share information about that attack. What are they seeing? What were the indicators of the attack itself? Did it come in from an email? Did somebody click on something and suddenly computers are infected? To be able to share that kind of information as quickly as possible could lead to all kinds of other benefits for them. And we'll get into that later, I know. But to me, that's the toughest part I see: when organizations like that get attacked and they get shut down from a communication standpoint. There, people are told they cannot talk to anybody, they shouldn't be speaking with anybody, and that would include potentially sharing information to one of these ISACs or other communities. And again, I think it's a lost opportunity.
SPEAKER_02:Well, yeah, absolutely. And in your specific example, I mean, that immediately gets to patient safety, right? Because now if you look at the way these attacks often occur, and this is what you're highlighting. So great, or not great, hospital gets hit, they start to divert patients. If the hospital they're diverting patients to then gets hit, then what, right? So you get this sort of cascading problem. Whereas in your example, if they do start sharing information, maybe that second hospital won't get hit, or the damage won't be quite as bad, and they'll be able to take patients. And so immediately, in that crisis, you're immediately helping patient safety just by sharing what ultimately, what you and I know, is fairly basic information, fundamental information about the attack.
SPEAKER_01:Yeah, and John, the other big point there on that example you brought up was they could potentially share something and then learn from others who have had a similar or maybe the same attack, and they can learn how they recovered and got back up to speed quicker, and that could help, you know, the victim here get back up to speed even faster.
SPEAKER_02:Yeah, no, exactly, exactly right. So I'll put my lawyer hat back on, reminding everybody I'm not a lawyer. There's no legal advice here. But I'll put my lawyer hat back on. And so I get it, that makes sense. Patient safety, some things that we can share. But I'm still concerned in the broader sense, right? Because our hospital, or maybe, let's pivot to say a biopharmaceutical company, right? So our pharmaceutical company, we have a lot of intellectual property, we're heavily regulated, particularly if we're a multinational. I'm sitting here, I'm the general counsel or I'm outside counsel, I'm responsible for managing all of this, keeping us out of trouble. And I get nervous when my CISO or somebody says, hey, I want to share this information. Let's put it into the context of the ISAC, right? Because I think here in the US, Health-ISAC and its corollaries, you've got some pretty specific structures to help reduce that potential liability or reduce that risk. And I think it would be important for folks to understand that. So just dive into that a little bit.
SPEAKER_01:Yeah, no, I think, you know, one of the benefits there with the ISAC is that ultimately you can share something anonymously. So we have mechanisms where our member organizations can share information about an incident, for example, or anything else that they want to share with us. They can essentially log in securely to our portal, indicate to the portal that they do not want attribution or identity, they do not want to be identified. They can create that record, share what they want to share, submit it. And in every ISAC that I know, it works this way, where that information will essentially go to an analyst team, they will review it, vet it, and if it's marked as anonymous, they will make sure it does not include any identifying information that was maybe accidentally submitted by that person. They'll double check it and then they will turn it around and share it with their respective memberships. So we've got a way to ensure that that member organization can submit something and ensure anonymity for them while helping protect the rest of the community.
SPEAKER_02:Yeah. That's perfect. And I think that is one of the real powers of the ISACs, Health-ISAC in particular, that, you know, sometimes not everybody realizes, right? They don't realize there are these protections, processes put in place to encourage sharing and protect the organizations that are doing the sharing. And so I think that's really, really important. So I appreciate that one. What else from your perspective would you say? And I've got some thoughts I can dive into if you want, but are there other perspectives on things you hear from organizations who are like, well, we joined the ISAC or we want to join the ISAC, but we're concerned about sharing and we're concerned about these risks. Is there anything else that you hear from people that you want to highlight?
SPEAKER_01:Yeah, I think that, you know, as I sort of indicated in the beginning, when you have someone in the organization, maybe it's the CISO, who goes to counsel and says, hey, we want to share with our peer organizations, there's not enough definition to what that means. You know, it's your point earlier. Yeah. And I think that if we're able to specifically define, you know, these are the exact kinds of things that we want to share, some of the examples that I mentioned earlier, like IP address or email information, or maybe it's a high-level description of a best practice or a policy template. If we can get down to that granular level and talk to counsel about that, for example, hopefully it puts their minds at ease that the kinds of things that we're talking about sharing here are not necessarily going to put the firm at risk.
SPEAKER_02:I absolutely love that. And what I like about it is, whoever you are that's listening to us out there, maybe you're on the counsel side, maybe you're on the CISO or the technical side, what Errol just said works for all of you, right? Because the key there is, if as an organization we want to do sharing, we need to be defining what that is. So if you're the CISO and you need to go to your counsel, be ready, right? Be ready with specifics. Don't just go and say, yeah, I want to share a bunch of information, just sign the dotted line. No, go with specifics about what you're talking about. And if you're on the counsel side, inside or outside, you know, understand that you can ask those questions. Ask them specifically, what is it that you want to share? So, yeah, it takes a little bit of work to get it set up and get it working. But I think if we go back to some of our earlier discussion, the benefits, not just to individual organizations, but the benefit to the sector at large, I think is so valuable. And I think that's one of the things that I love about working with Health-ISAC: that shared sense of mission, right? I mean, you and I were in California last week at the Health-ISAC Summit, you know, with hundreds and hundreds of people, many of whom are direct competitors, day over day, fierce competitors, yet they're able to come together, work together, because even as competitors, they recognize that information sharing, collaborating on these shared challenges, is really the only way that they can be successful. And it's so great to see. And I'm sure you probably feel and see the same thing. Oh, yeah. Yeah. So I wanted to bring up a topic just so we don't run out of time. It's CISA 2015.
So some of you, if you follow information sharing at all, or if you just follow sort of what goes on inside the US government at the moment, which is a lot, we have this law called the Cybersecurity Information Sharing Act of 2015. Not to be confused with CISA, the agency, but it's a whole separate act that came out in 2015. And one of the reasons that act was created, CISA 2015, was in order to encourage sharing by putting into law protections around sharing between the private sector and government, as well as a little bit between the private sector. This has become a big issue because CISA 2015 had a 10-year lifespan. It expired, they've renewed it until the end of January, temporarily, for the continuing resolution. We won't get into how government works. But nevertheless, you know, there's some real concern around if CISA 2015 doesn't get renewed, the lack of legal protections. I think a lot of people feel like, well, boy, that's really going to put a chilling effect on information sharing. But Errol, I'll turn this back over to you. I think you would argue that we had information sharing before CISA 2015, excuse me, and information sharing can continue regardless.
SPEAKER_01:Right. Yeah, I think that's exactly where I would go. You know, as I mentioned earlier, FS-ISAC started in 1999. And clearly we were actively sharing information way before CISA 2015 ever came into being. But I will say that I was definitely a proponent of it when it was being talked about. Glad to see that it got passed back in 2015, because I think it kept the momentum moving in the right direction. As we've talked about, you know, information sharing sounds great, but there are definitely challenges with it. It's hard to get people involved for all the reasons that we've talked about and more. And I think that when CISA 2015 came along, it helped with the momentum. And when it was threatening to expire at the end of September in 2025, you know, we didn't want to lose that momentum. So we definitely wanted to see that continue.
SPEAKER_02:Yeah, and I think, yeah, no, I think that's right. And I think that's an important piece of this, and it's something that, you know, a lot of us across the information sharing community in the broadest sense have really been communicating to government, right, to Congress, to say, look, there are reasons why CISA 2015 is helpful, and here's what they are. I would say, just to even put a finer point on that, you know, I've talked with a number of my attorney colleagues at Venable and across the private sector. And one of the things that I've learned about the legal community is they do like to be able to put their finger on something very specific, right? So when you have a law that says doing this thing is okay, then great, we have a law, we've got legal protections and so on. Regardless of whether there are other ways of doing it, just having the law is really helpful. And so I do think that's CISA 2015. I agree with you, it did help grease the wheels a little bit, it did help the momentum keep going. And I am hopeful that they will renew it, in the simplest sense, for exactly that reason. But nevertheless, I think there are other ways, if it goes away, that we can help the legal and compliance community to be able to put their fingers on things and say, okay, I see specifically why we would be protected here, whether it's through NDAs, working through the ISACs, and so on, or perhaps other kinds of legislation. And there are a number of things that you can do. And before I forget, so that I don't forget before we get to the end, Health-ISAC and Venable and some other organizations have been working on a white paper that gets into some of these topics, including a lot of the additional legal protections or legal pathways around information sharing. So, Errol, let's go back to, you know, some of the other benefits.
I know you've had some specific examples in your career, both in the financial services sector as well as in the healthcare sector. People love stories, so maybe just a couple minutes of a story where information sharing, you know, led to some really positive and tangible benefits.
SPEAKER_01:Yeah, I can definitely bring up a few. So kind of reaching way back in the career, going back to the finance sector days, in the fall of 2012. You may recall that the finance sector was under attack, allegedly by a hacktivist group called the al-Qassam Cyber Fighters, which in turn turned out to be the Iranian government, who was essentially fighting back against the sanctions that were placed against them and the whole nuclear arms race that was happening at the time. And so essentially that hacktivist group front was launching distributed denial of service attacks against the finance sector. What does that mean? They used malware to gain control of thousands of computers all over the world, pointed them at banking websites with the idea of just oversaturating the websites so that they would become inoperable. And they were successful. Like I mentioned before, I was at Citibank at the time, and we were watching this activity happening at other organizations that were being targeted by them. This group announced exactly who they were going after, when and where, and they were throwing a lot of denial-of-service traffic at these organizations, volumes that nobody had ever seen. I mean, an industry was born, essentially, being able to create an anti-DoS service as a result of what happened here. But the banks were really having a hard time in some cases mitigating some of the threats that were happening at the time. And so I think, you know, from my time in the trenches there and working through the Financial Services ISAC at the time, we banded together with the other banks, and we were actively sharing information about the attack types, what we saw, what the impact was, and then the methods that people were using to try to mitigate those attacks. And that became wildly successful in terms of trying to really help protect each other.
So during the attacks, we were able to quickly share that information and then get it out to the broader community in case you were being targeted tomorrow. You could use some of these methods. So that was really a pretty neat experience, going way back then. And I can go through some others, right?
SPEAKER_02:Yeah, no, I think that's great. And I think, you know, the takeaway that I have from that, and from other circumstances, again, it comes back to, and we touched on this a little bit earlier as well, we're all under attack by largely the same people using largely the same methods. Yes, it evolves. Some attackers, bad guys, are more sophisticated than others. I realize that I'm making a bit of a generalization, but the reality is, if you're a hospital or you're a drug manufacturer or a medical device manufacturer, or if you're supporting those companies, they're all being attacked constantly by essentially the same threat actors, the same group of threat actors, day over day. And I think that's why it's so important to recognize, if we're getting attacked by the same people in the same way, we need to defend ourselves together. And that's what's great about that story you told. It comes back to that idea of banks being super competitive with one another. They are spending a lot of time trying to put each other out of business, but yet they're able to set that aside to say we can't function at all if we can't get control, or if we can't fight back against these bad guys or push back against these bad guys. And I think that has been such a powerful, powerful thing that's been enabled by just the willingness of those organizations to share. And I know we're seeing it in healthcare as well, right? Again, not through the ISAC and working with partners like Microsoft and others and law enforcement to be able to really say, look, we can work together, we can share information between private sector and government and make things work. And that's where I was going with that, was to see if you wanted to share a little bit about, you know, how does Health-ISAC interact with government partners directly or indirectly? You know, what does that look like, and how does that sharing work?
SPEAKER_01:Yeah, I mean, we've got a number, like I mentioned earlier, thinking about sort of steady state. You know, we've got a number of outreach programs in place where we have analysts getting together on a regular basis, public and private sector, again, joining each other and sharing notes about what we're seeing, what our experiences are in terms of new threats or current threats and new trends that we're seeing, and being able to share and learn from each other. And again, that's happening at the analyst level. Likewise, the leadership is getting together on a regular basis, probably through things like the Sector Coordinating Council, which is a sister agency of ours. But there are definitely several forums where we can get together, in the case of healthcare, with our counterparts at HHS or CISA or even law enforcement, and be able to work with each other on a regular basis. And then during the incident times, it's being able to, you know, it's great to be able to know who to call, for example, and be able to get together with them quickly when things are happening. I can think about probably one of the big ones that we had in 2024 was the Change Healthcare incident and what was happening then. And here's a situation where the help from the government was definitely needed to help bail out some of the cash flow problems that were happening as a result of that incident as well. But, you know, it was definitely a place and time for all of that, and some really good relationships that we've been able to make.
SPEAKER_02:Yeah, and I think that's so important too, right? Because, you know, one of the, well, let me ask you a question. So if I'm a CISO, I'm at a hospital, I have some information that I want to share with law enforcement, but maybe I'm feeling nervous about it. Can I work through the ISAC? If I'm an ISAC member, can I get that information to you and you can kind of pass it on to law enforcement anonymously, if you will?
SPEAKER_01:Yeah, I'd say we do that quite a bit, actually.
SPEAKER_02:Yes. Yeah, I think that's great. And I think that's something that a lot of organizations would appreciate, particularly if they are nervous about sharing directly, but also want to help the community, they want to help their peers. Again, it's another sort of great thing that the ISAC does really well, which is awesome. So what else haven't we covered that you wanted to touch on? Anything from your perspective, things that you're seeing on a regular basis, or just things that you think our audience here might like to know in terms of learning more or getting more comfortable with the idea of sharing?
SPEAKER_01:Yeah, I mean, I'm excited to see that white paper that you mentioned get out and start to get some circulation and see if we can get some feedback from the audience here as well. But, you know, as you and I have worked before, I think that to me is sort of a critical part in terms of trying to help organizations make information sharing not just a legal decision, but also more of a business decision in general. You know, by talking about a lot of the positives that we've mentioned here today, hopefully it moves the needle in the right direction when it comes to organizations wanting and being able to participate in these information sharing networks.
SPEAKER_02:Yeah, no, I think that's right. And I think, you know, one of the things that I highlight a lot, and that in the years I've been working with the Health ISAC and getting to know so many great people, is seeing the benefit inside an organization when they can work together, when the legal side and the technical side, under the guidance of management, obviously, recognize that look, we're both different parts of the risk management engine of our company, right? Or our organization. And we need to work together to help define things like information sharing, which we talked about, to find a path towards doing the right thing, because it does help our organization. I've also seen the opposite of that, right? Where I've talked to both lawyers and technical folks, CISOs, who are like, I can't get my, you know, if I talk to a lawyer, they're like, my CISO won't talk to me, right? They won't share with me. They just think all I want to do is say no all the time. And so I see that a lot. And I think, you know, one of the key takeaways I would have for folks listening today is regardless of where you sit in your organization, if you have a stake in this or whatever, you know, go and reach across the aisle, if you will, right? Reach across to these other business units and think about how we can work together to both help us and to help our communities. Because I just think that's so important to figure that out. And when it's done right, it works really, really well. Would you agree?
SPEAKER_01:Yeah, no, absolutely. And what I would add to that is, John, I mean, you know, some of the things that are going to be in that white paper that you talked about are already in another paper that you and I worked on, the sharing best practices. But the idea in that paper that I'll mention is one of the little tips that we talk about in there, which is working with your legal counsel and maybe even inviting that team to participate in a tabletop exercise, for example. And that was one of the things I did when I was in the banking sector, inviting legal counsel, internal counsel, to some of those internal tabletops and sitting around and watching what happens in an incident, understanding what's going on internally, and then working with others externally, including the ISAC, and what that experience is like. And having them at the table is just, you know, such a great way to do that.
SPEAKER_02:Yeah, I'm really glad you brought up exercises because they are such a powerful, powerful tool. I do them quite a bit through my capacity at Venable for our clients, but also you and I have worked on several together within the health sector. And you know, it is such a powerful tool, whether you're doing it internally or, interestingly enough, even outside the context of the Health ISAC, where we bring together lots of companies, government agencies. Just at the summit last week, I saw a presentation by some of your members, three different companies, I think, that work together, a hospital system, a medical device manufacturer, and I'm forgetting who the third one was, but the three of them came together and they ran an exercise, right? Because they recognize those critical dependencies. And if there is going to be an incident or something that's gonna impact patient care, being able to work together. So I do think exercises are hugely valuable and really, really important to be multifaceted, where it's not just the CISO and his or her team, it's bringing in legal, it's bringing in compliance and management, sometimes even the board or so on. So it really is a powerful thing.
SPEAKER_01:Yeah, as you talked about before, you know, reaching across the aisle, there's no better way to do that than getting them all in the same room.
SPEAKER_02:Yeah, exactly. Exactly. And I'll say just sort of the final note on that as we look to wrap up, I would say too that, you know, one of the things that you and I have been doing is expanding the view of our sector exercise as well, right? We've spent a lot of years focused inside healthcare. And now we're starting to look at, well, what are the dependencies between healthcare and water or healthcare and energy? And again, broadening that aperture a little bit so that we're not just sharing within our sector, but we're sharing between sectors, right? By understanding what those dependencies are, we can define better how and what we want to share with companies and organizations outside of our sector, which I think is just increasingly important. So, all really good stuff. So, Errol, let me give you the floor again. Any sort of final comments, anything that we didn't cover, or, you know, something you'd really like to share with folks, or maybe just another anecdote, whatever works for you.
SPEAKER_01:Yeah, no, what I'd love to just leave folks with is if you're in the health sector, we'd love to have you as a Health ISAC member. You may already be a member, which is certainly a case, or you may be working for a client who is already a member, and there are definitely ways to find that out. If you're not in the health sector, there is definitely an ISAC for you on the National Council of ISACs. If you visit their webpage, they will point you in the right direction in terms of trying to find out about some of the other ISACs that are available.
SPEAKER_02:Yeah. No, that's great. And I'll just add to that too, whether your organization is a member or you're interested in becoming a member, there are increasingly resources for folks that are outside of the traditional technical roles as well, right? So I'll just mention, you know, we stood up a cybersecurity regulatory compliance working group recently, which, yeah, it's talking about technology, but it's talking about it in the context of global regulation. And this is an area where we've started to see more folks from corporate compliance or even a couple of legal folks show up and say, I'm responsible for this for my company, I need to understand this better. So even if you're not a technical person watching this today, you may find that the ISAC has a lot of resources and a lot of great ways to collaborate. So I certainly encourage you to do that. So with that, I'll just say thank you. Very much appreciate you all spending time with us here. Hopefully you learned a lot, at least enough to get you interested. So again, thank you very much. Appreciate the time, and hope you all have a great day.
SPEAKER_00:If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org, and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.