AHA Comments on a National Cybersecurity Framework

The American Hospital Association generally likes what it sees in the federal government’s Preliminary Cybersecurity Framework released for public comment in late October.



Encompassing 18 industry sectors considered to be critical infrastructure, the framework--mandatory for federal government agencies--is flexible and voluntary for the private sector and should stay that way, AHA recommends in a comment letter to the U.S. Department of Commerce.

“The preliminary cybersecurity framework supports hospitals’ efforts to protect their information systems by providing a helpful, high-level structure for individual organizations to consider when addressing cybersecurity risk,” AHA asserts. “Specifically, it identifies five core functions--identify, protect, detect, respond, recover--that must be part of a risk-based approach to manage cybersecurity, with specific categories of activity under each (such as asset management or access control). It then identifies existing guidelines and technical standards that support the individual recommended functions.”

Given that there are 18 diverse sectors that the framework would affect, its high-level approach is appropriate, AHA says in the letter. But it offers these recommendations:

* The final framework should consider how different infrastructures might reconcile different cybersecurity implementation standards,

* The government should give the large and varied health care sector sufficient time to develop and implement the sector-specific definitions, tools and processes for the framework, and

* A detailed crosswalk to the HIPAA and HITECH security requirements “must be included directly in the final framework.”

The complete five-page comment letter from AHA is available here.
