NIST cybersecurity framework: How it will impact healthcare


In its long-awaited cybersecurity framework, the National Institute of Standards and Technology heeded the call from the American Hospital Association and others to keep it flexible and voluntary in the private sector.

Daniel Nutkis, CEO of the Health Information Trust Alliance, told HealthcareInfoSecurity that the framework closely matches the recommendations in its HITRUST Common Security Framework and that any new elements will be incorporated.

Based on collaboration between government and the private sector, the framework "uses a common language to address and manage cybersecurity risk in a cost-effective way based on business needs without placing additional regulatory requirements on businesses," the document states.


"People said very early on, 'Make this risk based; don't make this compliance based.' We're trying to keep it at such a level that people have flexibility in how they use it," Adam Sedgewick, the NIST executive overseeing the creation of the framework, said, according to HealthcareInfoSecurity.

The framework includes three sections:

  • Framework Core: Activities grouped into five functions – Identify, Protect, Detect, Respond, Recover – that provide a high-level view of an organization's management of cyber risks.
  • Profiles: These can help organizations establish a roadmap for reducing cybersecurity risk that is aligned with organizational goals, regulatory requirements, industry best practices and risk-management priorities.
  • Tiers: Levels that indicate increasing rigor in risk-management practices, the degree to which those practices are informed by business needs, and how far they are integrated into the organization's overall risk management.

Through workshops and events over the next six months, NIST will work with organizations adopting the framework to improve it. Areas targeted for improvement in future versions, according to an article in InformationWeek Government, include authentication, automated information sharing, assessing compliance with standards, privacy standards and supply chain management.

At the same time, the Department of Homeland Security announced its Critical Infrastructure Cyber Community (C3) program to coordinate cross-sector cybersecurity efforts. It offers a free assessment, a "cyber resilience review," which can be a self-assessment or conducted with in-person help.

Simulated attacks on the federal government and health sector are planned in March to help the healthcare industry be better prepared for and better able to respond to cyberattacks, with HITRUST coordinating the event, dubbed CyberRX.

To learn more:
- find the framework (.pdf)
- read the HealthcareInfoSecurity article
- check out the InformationWeek story
- learn about the C3 program
