Having a holistic approach to healthcare cybersecurity is essential in the industry, but there is a lack of alignment between the people, processes, and technology, according to HIMSS.
That lack of alignment often creates difficulty for healthcare organizations trying to implement a successful cybersecurity program. HIMSS therefore made several suggestions to NIST on how it can improve the NIST Cybersecurity Framework.
HIMSS explained in a letter to NIST Acting Director Kent Rochford, PhD, MBA that the NIST Cybersecurity Framework (the Framework) “is an excellent work product resulting from a robust public-private partnership.” Even so, improvements can be made to “enable healthcare organizations and others to improve their cybersecurity capabilities and reduce cybersecurity risk.”
First, HIMSS recommended that more explanation be given on cyber supply chain risk management (SCRM). Not all products and services are created with the same level of scrutiny toward cyber threats, HIMSS explained.
“Both care providers and public health leaders have great concerns with respect to the medical device supply chain, given the potentially significant risk to patient safety,” the letter stated. “Accordingly, HIMSS recommends that the Framework provide more granular detail on the ‘how’ and ‘why’ of SCRM, to include a relevant context of insider threat detection and management.”
HIMSS also urged NIST to better address the lifecycle of assets (i.e., software, hardware, devices, and equipment).
For example, healthcare organizations may still rely on legacy systems whose manufacturers and vendors no longer provide support, HIMSS explained. Therefore, the Framework should better address how organizations can manage and secure these unsupported assets.
“In the absence of sufficient compensating controls for these legacy devices, organizations may be presented with an unacceptable level of risk,” the letter maintained. “Furthermore, in the health sector, many of these legacy devices may be life-sustaining devices and thus may pose a level of unacceptable risk to patients as well (e.g., serious injury or possibly death).”
NIST should also measure the Framework’s progress, and thoroughly explain how metrics and measures are being used to track that progress.
In addition, HIMSS recommended that the next Framework iteration focus on insider threat management. Healthcare organizations are increasingly facing threats from either negligent or malicious insiders, and must understand how best to prepare for such threats.
“The problem is real and any individual has the potential to expose an organization to significant risk, depending upon his or her actions or inactions,” HIMSS explained. “Furthermore, insider attacks are usually much more common than external attacks.”
As previously mentioned, HIMSS also suggested a holistic cybersecurity approach for healthcare. Cybersecurity is sometimes viewed as a barrier, and individuals may even try to create a “work-around” for security measures: staff members who perceive a cybersecurity measure as an impediment to their daily workflow may opt to bypass it rather than comply with it.
“Organizations can gauge the effectiveness of their cybersecurity program by tracking how many work-arounds (or other violations) of security policy and procedures are happening, and track the number of requested exceptions to the security policy and procedures,” the letter noted. “If there is an unacceptable number of such violations, it may be time for the organization’s leadership to re-evaluate or redesign its cybersecurity program.”
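The metric HIMSS proposes in the quote above, as an added example that is not part of this article or of HIMSS's letter: a Python script that aggregates a constructed policy-exception register per control, separating exceptions that staff formally requested from work-arounds that audit or monitoring found without any request, and flags the controls whose bypass volume suggests the control itself should be re-evaluated. The record format, the control and department names, and the thresholds in `flag_for_redesign` are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample exception register (illustrative, not real data).
# kind == "exception":  a bypass formally requested through the exception process
# kind == "workaround": a bypass found by audit or monitoring with no request
RECORDS = [
    {"date": date(2017, 3, 2),  "control": "MFA for remote access", "dept": "Radiology",  "kind": "exception",  "status": "approved"},
    {"date": date(2017, 3, 9),  "control": "MFA for remote access", "dept": "Radiology",  "kind": "exception",  "status": "approved"},
    {"date": date(2017, 3, 14), "control": "MFA for remote access", "dept": "ICU",        "kind": "workaround", "status": "open"},
    {"date": date(2017, 3, 21), "control": "MFA for remote access", "dept": "Emergency",  "kind": "workaround", "status": "open"},
    {"date": date(2017, 3, 28), "control": "MFA for remote access", "dept": "Emergency",  "kind": "exception",  "status": "denied"},
    {"date": date(2017, 3, 6),  "control": "Screen lock timeout",   "dept": "Emergency",  "kind": "workaround", "status": "open"},
    {"date": date(2017, 3, 13), "control": "Screen lock timeout",   "dept": "Emergency",  "kind": "workaround", "status": "closed"},
    {"date": date(2017, 3, 20), "control": "Screen lock timeout",   "dept": "Emergency",  "kind": "workaround", "status": "open"},
    {"date": date(2017, 3, 27), "control": "Screen lock timeout",   "dept": "ICU",        "kind": "workaround", "status": "open"},
    {"date": date(2017, 3, 15), "control": "USB media block",       "dept": "Laboratory", "kind": "exception",  "status": "approved"},
]


def summarize(records):
    """Aggregate the register per control.

    For each control, return the number of formally requested exceptions,
    the number of work-arounds found without a request, the total bypass
    count, the share of bypasses that never went through the exception
    process, and the departments involved.
    """
    counts = defaultdict(lambda: {"exception": 0, "workaround": 0, "depts": set()})
    for rec in records:
        entry = counts[rec["control"]]
        entry[rec["kind"]] += 1
        entry["depts"].add(rec["dept"])

    summary = {}
    for control, entry in counts.items():
        total = entry["exception"] + entry["workaround"]
        summary[control] = {
            "exceptions": entry["exception"],
            "workarounds": entry["workaround"],
            "total": total,
            # Share of bypasses nobody asked for: a high value means the
            # exception process itself is being bypassed, not just the control.
            "unrequested_share": entry["workaround"] / total if total else 0.0,
            "departments": sorted(entry["depts"]),
        }
    return summary


def flag_for_redesign(summary, max_total=3, max_unrequested_share=0.5):
    """Return {control: [reasons]} for controls whose bypass volume or
    silent-workaround share exceeds the (assumed) thresholds. These are the
    controls leadership should re-evaluate rather than simply enforce harder.
    """
    flagged = {}
    for control, s in summary.items():
        reasons = []
        if s["total"] > max_total:
            reasons.append(f"{s['total']} bypasses exceeds {max_total}")
        if s["unrequested_share"] > max_unrequested_share:
            reasons.append(
                f"{s['unrequested_share']:.0%} of bypasses were never requested")
        if reasons:
            flagged[control] = reasons
    return flagged


if __name__ == "__main__":
    summary = summarize(RECORDS)
    for control, s in sorted(summary.items()):
        print(f"{control:24} exceptions={s['exceptions']} workarounds={s['workarounds']} "
              f"unrequested={s['unrequested_share']:.0%} depts={','.join(s['departments'])}")
    for control, reasons in flag_for_redesign(summary).items():
        print(f"REVIEW {control}: {'; '.join(reasons)}")
```

Tracking requested exceptions and discovered work-arounds as two separate counts matters: a control that staff negotiate with through the exception process is a different problem from one they silently bypass. The second is the stronger version of the signal the letter describes, because it indicates both a workflow conflict and an exception process that nobody is using.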
HIMSS also recommended the following areas be approached in the next Framework iteration:
- Awareness and training
- Internal and external information sharing
- Implementation of Framework tiers
Overall, HIMSS stressed that the Framework is a great tool for public and private collaboration on improving cybersecurity measures.
“HIMSS recommends additions to the Framework to enable users of the Framework to better adopt and implement the Framework,” the letter concluded. “We note that, while healthcare organizations are the focus of our response, our recommendations are equally applicable to other critical infrastructure sectors.”