NIST cybersecurity framework: How it will impact healthcare


In its long-awaited cybersecurity framework, the National Institute of Standards and Technology heeded the call from the American Hospital Association and others to keep it flexible and voluntary in the private sector.

Daniel Nutkis, CEO of the Health Information Trust Alliance, told HealthcareInfoSecurity that the framework closely matches the recommendations in its HITRUST Common Security Framework and that any new elements will be incorporated.

Based on collaboration between government and the private sector, the framework "uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses," the document states.

"People said very early on, 'Make this risk based; don't make this compliance based.' We're trying to keep it at such a level that people have flexibility in how they use it," Adam Sedgewick, the NIST executive overseeing the creation of the framework, said, according to HealthcareInfoSecurity.

The framework includes three sections:

  • Framework Core: Activities grouped into five functions – Identify, Protect, Detect, Respond, Recover – that provide a high-level view of an organization's management of cyber risks.
  • Profiles: These can help organizations establish a roadmap for reducing cybersecurity risk that is aligned with organizational goals, regulatory requirements, industry best practices and risk-management priorities.
  • Tiers: Levels that indicate increasing rigor in risk management practices, how well those practices reflect business needs, and how fully they are integrated into the organization's overall risk-management practices.

Through workshops and events over the next six months, NIST will work with organizations adopting the framework to improve it. Areas targeted for improvement in future versions, according to an article in InformationWeek Government, include authentication, automated information sharing, assessing compliance with standards, privacy standards and supply chain management.

At the same time, the Department of Homeland Security announced its Critical Infrastructure Cyber Community (C3) program to coordinate cross-sector cybersecurity efforts. It offers a free assessment--a "cyber resilience review"--which can be a self-assessment or conducted with in-person help.

Simulated attacks on the federal government and health sector are planned in March to help the healthcare industry be better prepared for and better able to respond to cyberattacks, with HITRUST coordinating the event, dubbed CyberRX.

To learn more:
- find the framework (.pdf)
- read the HealthcareInfoSecurity article
- check out the InformationWeek story
- learn about the C3 program