HIMSS seeks specific guidance from NIST on cybersecurity framework

The healthcare industry needs the National Institute of Standards and Technology (NIST) to get specific about how to implement its cybersecurity framework, HIMSS writes in a letter to NIST Acting Director Willie E. May.

The NIST released its cybersecurity framework in February, which was published in the Federal Register in late August. The framework is based on collaboration between the government and the private sector and "uses a common language to address and manage cybersecurity risk in a cost-effective way," FierceHealthIT previously reported.

In the letter to May, HIMSS said healthcare entities have long been focused on HIPAA compliance, yet compliance does not equal security.

"[H]ealthcare providers, other covered entities, and the business associates that do work on behalf of these covered entities, all need practical and detailed guidance on making the transition from 'compliance only' to being secure," the letter says.

It also asks for specific guidance on what an ideal "target state" would be for a healthcare organization and standard metrics or tools to measure progress toward that goal. In addition, both privacy risk management and information security risk management should be addressed.

HIMSS also asks in the letter that NIST explain in detail what constitutes an accurate, thorough, and holistic risk assessment and to explain in detail how privacy and cybersecurity are interrelated--especially across various infrastructure sectors, which can result in shared threats and vulnerabilities.

It urges NIST to bring together government, academia, and industry to ensure the framework addresses real-world risk management. 

So far, awareness of the cybersecurity framework is modest among healthcare organizations, HIMSS said, though it is working to educate stakeholders through its website and with privacy and security toolkits. It suggests increasing awareness by having those who have implemented the framework discuss their experiences with it.

PeaceHealth in Portland, Oregon, for one, has adapted the framework to meet its needs, according to a HealthcareInfoSecurity.com article. Those adaptations include identifying risk priorities; mapping organizational maturity for strengths, weaknesses and threats; and making an action plan and remediation roadmap.

To learn more:
- read the letter (.pdf)