NIST cybersecurity framework: How it will impact healthcare

In its long-awaited cybersecurity framework, the National Institute of Standards and Technology heeded the call from the American Hospital Association and others to keep it flexible and voluntary in the private sector.

Daniel Nutkis, CEO of the Health Information Trust Alliance, told HealthcareInfoSecurity that the framework closely matches the recommendations in the HITRUST Common Security Framework and that any new elements will be incorporated into it.

Based on collaboration between government and the private sector, the framework "uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses," the document states.

"People said very early on, 'Make this risk based; don't make this compliance based.' We're trying to keep it at such a level that people have flexibility in how they use it," Adam Sedgewick, the NIST executive overseeing the creation of the framework, said, according to HealthcareInfoSecurity.

The framework includes three sections:

  • Framework Core: Activities grouped into five functions – Identify, Protect, Detect, Respond, Recover – that provide a high-level view of an organization's management of cyber risks.
  • Profiles: These can help organizations establish a roadmap for reducing cybersecurity risk that is aligned with organizational goals, regulatory requirements, industry best practices and risk-management priorities.
  • Tiers: Successive levels that indicate increasing rigor in an organization's risk-management practices, how well those practices reflect its business needs, and how fully they are integrated into its overall risk-management program.

Through workshops and events over the next six months, NIST will work with organizations adopting the framework to improve it. Areas targeted for improvement in future versions, according to an article in InformationWeek Government, include authentication, automated information sharing, assessing compliance with standards, privacy standards and supply chain management.

At the same time, the Department of Homeland Security announced its Critical Infrastructure Cyber Community (C3) program to coordinate cross-sector cybersecurity efforts. It offers a free assessment, a "cyber resilience review", which can be a self-assessment or conducted with in-person help.

Simulated attacks on the federal government and the health sector are planned for March to help the healthcare industry better prepare for and respond to cyberattacks; HITRUST is coordinating the exercise, dubbed CyberRX.

To learn more:
- find the framework (.pdf)
- read the HealthcareInfoSecurity article
- check out the InformationWeek story
- learn about the C3 program