Health system adapts NIST framework to meet security risk needs

Data breaches have become the "inciting incident" that--much like in a story--precipitates the plot, writes Christopher Paidhrin in a blog post for HealthcareInfoSecurity.com. Now, he says, that incident must lead to a refocusing of thinking and behavior in IT security.

Healthcare systems must start with a cybersecurity strategy, according to Paidhrin, security administration manager in the information security technology division at PeaceHealth in Portland, Oregon. He writes that organizations should identify what's at risk, detect threats as they happen and respond to those threats as quickly as possible. 

PeaceHealth has also taken the National Institute of Standards and Technology framework and adapted it to meet the system's needs, Paidhrin says.

Those adaptations, he writes, include:

  • Aligning core functions with the health system's COBIT Information Security Service Catalog
  • Identifying risk priorities
  • Mapping organizational maturity for strengths, weaknesses and threats
  • Making an action plan and remediation roadmap

Paidhrin says the NIST framework is key because it can be easily adapted to help organizations establish baseline security.

Last year, the American Hospital Association urged NIST to keep its framework flexible and voluntary in the private sector.

However, the security story does not have an ending, Paidhrin adds. It is an ever-evolving process.

"Detection and response capabilities need to show up before the credits roll, and all actors ... need to awaken to our collective roles and responsibilities in shaping the outcome of this climactic stage," Paidhrin says.

It is especially important for healthcare organizations to evolve and prepare for new risks in light of this week's revelation that the Heartbleed bug helped hackers access the records of millions of patients at Community Health Systems.

To learn more:
- read the HealthcareInfoSecurity.com post