Responding to a request for comments, the American Hospital Association is urging the National Institute of Standards and Technology to keep its cybersecurity framework flexible and voluntary in the private sector.
In a letter to Patrick Gallagher, Under Secretary of Commerce for Standards and Technology, the organization states that it agrees that an ongoing risk-management approach to cybersecurity is the most appropriate.
The president directed NIST to develop the framework last February. It opened a 45-day comment period on its preliminary framework on Oct. 29.
In addition, the framework should consider how to reconcile disparate cybersecurity implementation standards, allow enough time to implement changes and include existing information security rules applicable to health care organizations, in particular the Health Insurance Portability and Accountability Act and HITECH Act requirements, wrote Linda Fishman, AHA senior vice president of public policy analysis and development.
Flexibility is paramount, she wrote. Hospitals can range from large academic medical centers to small, rural hospitals with fewer than 25 beds. Risk may vary even within a single entity: the gift shop, for instance, does not carry the same risk as the systems that hold patient data.
Healthcare has more critical system access points than other infrastructure sectors. Medical device companies, physician offices, insurers and individual patients may all interact with a hospital's information systems. All must be involved in cybersecurity risk assessment and reduction activities.
The Health Information Trust Alliance (HITRUST) has issued guidance to help healthcare organizations set priorities for cybersecurity preparedness. It notes, however, that cybersecurity protection differs from other requirements such as HIPAA, which is focused on protecting patients' privacy.
In a matter bearing on both security and privacy, NIST has launched a formal review of its processes for developing encryption standards after reports based on documents leaked by Edward Snowden showed that the U.S. and U.K. governments have spent hundreds of millions of dollars to defeat Internet encryption.