The NIST CSF Framework – What Does it Mean for Healthcare?


The NIST CSF Framework – What Does it Mean for Healthcare?

NIST, the National Institute of Standards and Technology, is a non-regulatory federal agency of the U.S. Commerce Department. Established in 1901, NIST was designed to promote innovation and competitiveness by advancing standards. And in February 2013, the United States President issued Executive Order 13636, which added a Cybersecurity Framework (CSF) to the mix. But how does the NIST CSF framework apply to modern-day healthcare and the technology that’s revolutionized the industry?

Functions of the NIST CSF

The NIST CSF was established for “helping organizations to better understand and improve their management of cybersecurity risk” while providing security controls for federal agencies and critical infrastructure systems. Although only public healthcare organizations are considered critical infrastructure, NIST provides useful tools for private healthcare systems to utilize when implementing and maintaining cybersecurity. There are five functions in the framework’s core:

  1. Identify:
    Developing an understanding how to discover and manage cybersecurity risks
  2. Protect:
    Supporting the ability to limit or contain the impact of cybersecurity events
  3. Detect:
    Defining how to identify cybersecurity events
  4. Respond:
    Outlining how to take action after a cybersecurity event is detected
  5. Recover:
    Identifying how to repair and restore any services that were affected by cybersecurity events

These functions are designed to represent the pillars of a holistic and successful cybersecurity program, helping organizations manage cybersecurity risks.

 “The Functions are the highest level of abstraction included in the Framework. They act as the backbone of the Framework Core that all other elements are organized around.”

How does the NIST CSF affect healthcare?

From HIPAA to the HITECH act, healthcare is heavily regulated. To remain compliant, it’s essential to protect both privacy and security. But even when an organization is compliant, that doesn’t necessarily mean PHI is secure. The challenge with implementing information security is that it’s a vast undertaking encompassing user access, infrastructure, and physical security – and it’s difficult to know where to start. The NIST CSF provides a cohesive framework – even considered a “cheat sheet” by some – to implement a comprehensive security program that will help organizations maintain compliance while protecting the safety of PHI and other sensitive information. The CSF provides a seven-step implementation process that can be used in a continuous cycle:

  1. Prioritize and scope
  2. Orient
  3. Create a current profile
  4. Conduct a risk assessment
  5. Create a target profile
  6. Determine, analyze, and prioritize gaps
  7. Implement an action plan

By following this process, organizations can use the NIST CSF to protect themselves from common cybersecurity risks. With threats like ransomware attacks, malware, and malicious insiders, data must always be protected – and to do so, a cybersecurity program is a must. 78% of healthcare organizations experienced a significant cybersecurity incident in the past 12 months, according to the HIMSS 2019 Cybersecurity survey. In light of this, healthcare organizations are adopting the NIST CSF – according to the 2018 HIMSS Cybersecurity Survey, nearly 58% of healthcare organizations already use the framework to strengthen their security posture.

NIST changes and customization

Technology is at the core of the NIST CSF. Because technology is constantly changing, NIST is designed to evolve along with it. In fact, it’s designed to be a living document with a deliberate, ongoing process for continued maintenance and innovation. “This will ensure the Framework is meeting the needs of critical infrastructure owners and operators in a dynamic and challenging environment of new threats, risks, and solutions.”Framework for Improving Critical Infrastructure Cybersecurity.

Because different organizations have different needs, the NIST CSF can also be customized. If a component doesn’t apply, it can be adjusted to suit any facility. According to the NIST Framework for Improving Critical Infrastructure Cybersecurity, “To account for the unique cybersecurity needs of organizations, there are a wide variety of ways use the Framework. The decision about how to apply it is left to the implementing organization.”

Although optional, implementing the NIST CSF is an excellent way for healthcare organizations to strengthen their security posture. Acting as a living document that changes along with technology and can be customized to suit any unique organization’s needs, it can be used as a “cheat sheet” for implementing an effective cybersecurity program that maintains the security of sensitive patient data.