Why more providers are relying on the NIST Cybersecurity Framework
Healthcare organizations are just beginning to understand the importance of adopting a cybersecurity framework as part of their overall information risk management program. A study by Dimensional Research, on behalf of Tenable Network Security, found that the healthcare industry lags behind many other industries in the adoption of a cybersecurity framework.
Tenable’s research showed that only 61 percent of healthcare or medical organizations had adopted a security framework, compared with 88 percent in banking and finance; 87 percent in information technology; 86 percent in government; 83 percent in manufacturing and 77 percent in education.
Those numbers are starting to change, however. One reason is the increasing traction of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) across all industries, including healthcare. A study by HIMSS Analytics, conducted on behalf of Symantec, found that of those healthcare organizations that had adopted a cybersecurity framework, the majority (56 percent) had adopted the NIST Cybersecurity Framework.
The framework provides voluntary guidance on how to manage cybersecurity risk. It is designed to be broadly applicable across 16 categories of critical infrastructure organizations, including healthcare and public health.
Matt Barrett, NIST Program Manager, Cybersecurity Framework, believes the inclusive nature of the NIST framework—the fact that it wasn’t designed specifically for a single industry, but is meant to be applicable across many sectors—is part of its strength. “The NIST CSF takes the best practices and lessons learned from across all the participating sectors and industries and makes them common practice by expressing them through the framework,” Barrett said.
Openness and inclusivity have been foundational parts of the design of the NIST framework from the beginning. Version 1.0 of the Cybersecurity Framework was released in February 2014. The year-long process leading up to the release of that document included many opportunities for public input, including an initial request for information; three public workshops; the publication of a first draft with the opportunity for public comment; and two additional public workshops.
“We knew, from the outset, that we wanted the framework to work for all parties and to incorporate the best of ideas from all parties,” Barrett says. “There is no way to get there by NIST going off and sitting in a room with NIST personnel only. Government can’t go off and suppose what the private sector might want. We have to go and dialogue with the people in the field to find out what is more valuable and what is less valuable. And then, we have to create something, propose it and refine it. That is what we did for the initial development process, and that is the process we are using for the continuing evolution of the framework.”
NIST expects to release a second draft of the Cybersecurity Framework 1.1 early this fall. Barrett anticipates a 30-day comment period will accompany the release of the second draft. This draft, like the drafts that preceded it, will be the result of input from the public sector, the private sector, academia and other stakeholders.
Version 1.1 uses the same Framework Core that was used in Version 1.0. Categories and subcategories of activities are arranged under the same five functional areas delineated in the first version of the framework, such as identify, protect, detect, respond and recover. Just as with Version 1.0, Version 1.1 is designed to be customizable, and it is designed to be technology and architecture agnostic. It is also designed to be interoperable with Version 1.0, to minimize challenges associated with transitions from one version to the other, or working with business partners using a different version of the framework.
According to Barrett, in response to feedback received, Version 1.1 will include specific references to the application of the framework to the cyber dimension of supply chain risk management. Version 1.1 also includes clarifications around the relationship between profiles and tiers (two of the three components of the original concept) and increased content on the topic of access controls.
When the final version of the updated framework is released, it will be the newest, but not the last, iteration. NIST will continue to solicit feedback on the usefulness and applicability of the framework from across industry sectors and from all stakeholders, including public, private and academic domains.
“The NIST Cybersecurity Framework is designed to be a living document,” said Barrett. “Both technology and cyberthreats move very, very quickly. The framework is designed to be agile and adaptable over time, so that it can keep pace with the evolving threat landscape.”
Clearwater Compliance, a company that helps healthcare organizations adopt and implement the NIST CSF, recently published a white paper on the NIST CSF entitled, “Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework (CSF) in Healthcare Organizations.” The white paper describes the role a cybersecurity framework plays in a healthcare organization’s overall risk management program, and why the framework is an appropriate and effective framework for the healthcare industry.