How providers can implement the NIST cybersecurity framework
The use of cybersecurity frameworks is becoming more prevalent because of pervasive threats and attacks across the healthcare industry. Large organizations are now especially motivated to adopt a framework and implement tighter, more consistent controls.
The NIST Cybersecurity Framework is designed to help organizations establish the minimum viable policies, procedures and practices to safeguard against theft of data or attacks on their systems. And, while organizations are not required to use the NIST Cybersecurity Framework, or report on the type of framework in place, they must at the very least comply with the HIPAA Security Rule, which has been crosswalked to the NIST Cybersecurity Framework.
Here are some fundamental questions and recommendations for instituting a cybersecurity framework based largely on the NIST model.
Is it free?
Although it’s been four years since NIST issued the first version of its Cybersecurity Framework, many organizations still don’t know it exists. Unlike the HITRUST CSF, which is proprietary and can be very expensive, the NIST Framework is available at no cost to any organization regardless of size.
What does it take to implement it?
Many compliance and IT leaders have not taken the time to truly understand the Framework. It’s really not that complicated. The Framework consists of five functions—Identify, Protect, Detect, Respond and Recover. The design is flexible enough for organizations to implement sections at a time, based on their level of sophistication and resources. We typically experience a three-month implementation, but that can differ depending on the type of organization. After that, organizations must fill in gaps and maintain the Framework.
Are proper resources available for implementation and ongoing maintenance?
Healthcare organizations have historically not invested enough to properly analyze their systems, manage change and focus on long-term controls. While this status quo is changing because of the rise in healthcare data breaches, securing funds remains a slow process. And, for smaller organizations with more restricted budgets, resource allocation will continue to be an issue.
Is security a foundational requirement, or still seen as a cost center?
In today’s environment, security should be the foundation for everything else occurring at the hospital. It’s even more important than implementing an EMR. But traditionally, security is considered a cost center, without a return on investment. Now, instituting frameworks such as NIST’s can be perceived as preventing potential expenses incurred from a breach—which could be tied to a positive ROI. In addition, organizations need to invest in technical solutions that prove ROI, including the ability to report breach prevention.
Where does the CISO sit in an organization's hierarchy?
There are often internal political struggles that prevent a cohesive strategy and implementation. The CISO should always be an unbiased party separate from the IT team, with the freedom to report accurately on issues without undue influence. This will result in the best recommendations and security practices for your organization.
While that appears to be a daunting list of challenges, here’s a brief checklist to optimize the NIST Cybersecurity Framework for an organization.
- Review the NIST Framework. Decide if it works for you. If it doesn’t, choose a cybersecurity framework that makes better sense for your organization.
- Hire or designate a CISO who is independent from the IT team.
- Secure immediate and ongoing funding for security resources.
- Fund the purchase and maintenance of technical equipment.
- Institute and enforce proper governance over your Framework.
- Ensure visibility and accountability from the C-suite.
- Contact a cybersecurity expert who can guide you through the process. You don’t have to be alone.
Because it’s not a matter of if, but when, an attack will occur, it’s wise for healthcare organizations to adopt a framework that suits them and stick to it. A data protection framework can always evolve over time; the key is to get started and keep it going.