Comments are trickling in on the request for information that the National Institute of Standards and Technology issued in December on use of its cybersecurity framework, with organizations both praising the updates to the framework and offering suggestions on how to make it even stronger.
The College of Healthcare Information Management Executives (CHIME) and the Association for Executives in Healthcare Information Security (AEHIS), in a joint letter, call the framework important, but also say it's just "one piece of a larger effort around risk management" and not "a full solution for addressing it."
The groups add that a question still remains as to how much is enough when it comes to risk analysis and risk management. The letter notes that providers are challenged with managing security while juggling other priorities and resources, and a lack of federal requirements "on what constitutes good cyber hygiene" is also a barrier.
Additional comments from CHIME and AEHIS include:
- More education is needed for providers about the framework and how to implement it
- Better steps need to be highlighted when it comes to protecting data at rest, especially apart from encryption--which won't keep data safe in all cases
- The tiers were useful for measuring cybersecurity programs against other organizations' plans
- The HIPAA Security Rule's lack of prescriptive approaches for managing risk limits use of the framework
- Federal agencies working on security guidance or that have key roles, such as NIST and the Office of the National Coordinator for Health IT, should work with agencies that audit providers, such as the Office for Civil Rights, to provide more certainty around what constitutes compliance
HIMSS, in its letter to NIST, centers its comments on the requirements in the Cybersecurity Act of 2015 regarding healthcare. Section 405 of the law states the need for "a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes."
Other comments from HIMSS include:
- The framework should better define what the "target profile" of an organization should be
- Subsections should be more sector-specific
- Metrics and other tools to measure progress with the framework are needed
- In-depth discussion is needed on the intersection between privacy risk management and information security risk management
The organizations all agree that cybersecurity is a moving target and say that the framework should continually be updated. What's more, they say the framework needs to be more detailed to ensure that providers are properly prepared for any security threats or audits.