NIST cybersecurity framework: How it will impact healthcare

In its long-awaited cybersecurity framework, the National Institute of Standards and Technology heeded the call from the American Hospital Association and others to keep it flexible and voluntary in the private sector.

Daniel Nutkis, CEO of the Health Information Trust Alliance, told HealthcareInfoSecurity, that the framework closely matches the recommendations in its HITRUST Common Security Framework and any new elements will be incorporated.

Based on collaboration between government and the private sector, the framework "uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses," the document states.

"People said very early on, 'Make this risk based; don't make this compliance based.' We're trying to keep it at such a level that people have flexibility in how they use it," Adam Sedgewick, the NIST executive overseeing the creation of the framework, said, according to HealthcareInfoSecurity.

The framework includes three sections:

  • Framework Core: Activities grouped into five functions – Identify, Protect, Detect, Respond, Recover – that provide a high-level view of an organization's management of cyber risks.
  • Profiles: These can help organizations establish a roadmap for reducing cybersecurity risk that is aligned with organizational goals, regulatory requirements, industry best practices and risk-management priorities.
  • Tiers: Varying levels indicate an increasing degree of rigor in risk management practices, the degree to which they reflect business needs and are integrated into overall risk-management practices.

Through workshops and events over the next six months, NIST will work with organizations adopting the framework to improve it. Areas targeted for improvement in future versions, according to an article in InformationWeek Government, include authentication, automated information sharing, assessing compliance with standards, privacy standards and supply chain management.

At the same time, the Department of Homeland Security announced its Critical Infrastructure Cyber Community (C3) program to coordinate cross-sector cybersecurity efforts. It offers a free assessment--a "cyber resilience review"--which can be a self-assessment or conducted with in-person help.  

Simulated attacks on the federal government and health sector are planned in March to help the healthcare industry be better prepared for and better able to respond to cyberattacks, with HITRUST coordinating the event, dubbed CyberRX.

To learn more:
- find the framework (.pdf)
- read the HealthcareInfoSecurity article
- check out the InformationWeek story

- learn about the C3 program