New Guide to Help Healthcare Entities Implement NIST CSFHHS, Health Sector Coordinating Council Toolkit Will Help Sector Better Manage Risk
A new toolkit aims to help healthcare entities align their security programs with the Cybersecurity Framework - the five-step model maintained by the National Institute of Standards and Technology that is the closest thing the United States has to a national cybersecurity standard.
The Department of Health and Human Services and the Health Sector Coordinating Council on Wednesday published a guide for the healthcare sector in understanding and making use of the framework.
“Healthcare cyberattacks are among the fastest growing type of cybercrime - jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Dawn O'Connell, HHS assistant secretary for preparedness and response.
The framework divides cybersecurity activities into five functions: identify, protect, detect, respond and recover. It suggests cybersecurity controls that organizations can apply to achieve the five functions, as well a set of four tiers - ranging from "partial" to "adaptive" - against which organizations can grade their adoption of the framework.
NIST unveiled the framework in 2014 after a prolonged process of consultation with industry, cementing Washington's approach to the private sector as a voluntary undertaking outside of already-regulated industries. That consensus is under pressure, especially from the sustained wave of ransomware attacks buffeting critical infrastructure (see: White House Unveils Biden's National Cybersecurity Strategy).
Any healthcare entity that touches protected health information is already regulated by the HIPAA Security Rule, and other documents exist to coordinate implementation of the rule with the framework. NIST in 2022 issued draft guidance to update the crosswalk document.
But not all healthcare entities come under the rule and, in any case, industry insiders think following the framework results in better outcomes for security.
"One of the biggest problems organizations face is how to provide meaningful assurances about their cybersecurity programs to both internal and external stakeholders, especially regulators. The NIST Cybersecurity Framework allows organizations to communicate how they're meeting specific cybersecurity objectives in a standardized way," said Robert Booker, chief strategy officer of HITRUST.
"More consistent execution of all companies' performance against the NIST Cybersecurity Framework's cybersecurity objectives will increase the overall posture of the healthcare sector at large," Booker said. He characterizes the state of framework uptake as mixed. "The biggest gaps in adoption appear to be with small and medium-sized enterprises."
In addition to the new joint NIST cybersecurity framework toolkit, the Health Sector Coordinating Council and HHS are also close to completing an update of a joint 2019 publication, Health Industry Cybersecurity Practices.
"I don't know what the government may decide about proposed mandates, but the industry certainly gets behind NIST and HICP," Greg Garcia, executive director of HSCC's Cybersecurity Working Group told Information Security Media Group.