
Breaking Down the NIST Cybersecurity Framework, How It Applies to Healthcare

Healthcare organizations can use the NIST Cybersecurity Framework's collection of standards and best practices to strengthen their overall security postures.


If implemented carefully, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can help healthcare organizations bolster their cybersecurity programs and further safeguard patient data and critical systems.

NIST launched its cybersecurity framework in 2014 following a 2013 executive order on improving critical infrastructure cybersecurity under the Obama administration. Adopting the framework is voluntary but can help critical infrastructure entities, including those in the healthcare sector, enhance their cybersecurity programs and mitigate cyber risks.

NIST designed the framework to evolve to meet current cybersecurity challenges. After receiving industry feedback, NIST updated the CSF in 2017 and again in 2018. In 2022, NIST issued a request for public comments on improving the framework and is expected to release version 2.0 in the near future. This article will focus on version 1.1, which was released in 2018 and contains the most up-to-date official guidance and best practices.

Healthcare organizations can use the framework in conjunction with other voluntary frameworks and HIPAA Security Rule compliance efforts to protect the confidentiality and security of patient data. In the following sections, HealthITSecurity will provide a high-level overview of the NIST CSF and its core components, discuss how the framework can benefit healthcare, and provide tips for implementing the NIST CSF in healthcare settings.

Core Components of the NIST Cybersecurity Framework

“Recognizing the role that the protection of privacy and civil liberties plays in creating greater public trust, the Framework includes a methodology to protect individual privacy and civil liberties when critical infrastructure organizations conduct cybersecurity activities,” the NIST CSF text states.

“Many organizations already have processes for addressing privacy and civil liberties. The methodology is designed to complement such processes and provide guidance to facilitate privacy risk management consistent with an organization’s approach to cybersecurity risk management. Integrating privacy and cybersecurity can benefit organizations by increasing customer confidence, enabling more standardized sharing of information, and simplifying operations across legal regimes.”

Using this framework, NIST aims to help organizations assess their current cybersecurity postures, describe their target state for cybersecurity, prioritize improvement opportunities, progress toward their target state, and communicate with relevant stakeholders about cyber risks.

The CSF consists of three main components: the Framework Core, the Implementation Tiers, and the Framework Profiles.

The Framework Core is described as “a set of cybersecurity activities, outcomes, and informative references that are common across sectors and critical infrastructure.”

The Framework Core is further divided into five essential functions: identify, protect, detect, respond, and recover. The core functions are meant to be performed simultaneously to craft a culture of cybersecurity within an organization. Each core function has its own outcome categories, ranging from risk management strategy to detection processes and security awareness and training. The NIST CSF defines each essential function as follows:

  • Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.
  • Protect – Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

“When considered together, these Functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk,” the framework continues.

“The Framework Core then identifies underlying key Categories and Subcategories – which are discrete outcomes – for each Function, and matches them with example Informative References such as existing standards, guidelines, and practices for each Subcategory.”

In version 1.1, there are nearly 100 subcategories, each supporting the achievement of certain outcomes in each category.

Beyond the Framework Core, the Framework Implementation Tiers quantify the degree of sophistication in cybersecurity risk management practices. The four tiers (partial, risk informed, repeatable, and adaptive) do not represent maturity levels, but serve as a decision-making guide for organizations trying to manage cybersecurity risk.

“The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, supply chain cybersecurity requirements, and organizational constraints,” the framework explains.

“Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization.”

The Framework Profile is “the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization,” the framework states.

“A Profile enables organizations to establish a roadmap for reducing cybersecurity risk that is well aligned with organizational and sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities.”

Depending on its level of complexity, an individual organization may choose to align with multiple profiles.

For example, in 2021, NIST released its “Cybersecurity Framework Profile for Ransomware Risk Management,” aimed at assisting organizations in preventing, responding to, and recovering from ransomware attacks.

Throughout the framework’s text, NIST emphasizes the fact that the framework is not meant to replace existing security processes. Instead, organizations should use the framework to determine gaps in their cybersecurity risk approach and make plans for improvement.

“It can serve as the foundation for a new cybersecurity program or a mechanism for improving an existing program,” NIST states.

“The Framework provides a means of expressing cybersecurity requirements to business partners and customers and can help identify gaps in an organization’s cybersecurity practices. It also provides a general set of considerations and processes for considering privacy and civil liberties implications in the context of a cybersecurity program.”

Implementing the NIST CSF in Healthcare

The benefits of adopting the NIST Cybersecurity Framework for healthcare are plentiful. The framework can help organizations reduce cyber risk, cut costs, and potentially reduce cyber insurance premiums.

Even though the NIST CSF has dozens of specific subcategories and controls to reference, it is flexible and dynamic by nature. It can be applied in ways that best suit an individual organization or sector. The framework can work in harmony with HIPAA Security Rule compliance to strengthen a healthcare organization’s cybersecurity architecture.

NIST’s website contains a multitude of resources regarding NIST CSF implementation in the healthcare sector specifically. Among them is HHS’ “HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework,” which describes how healthcare organizations can align their security programs to both the NIST CSF and the HIPAA Security Rule.

The crosswalk aligns each administrative, technical, and physical safeguard and implementation specification of the HIPAA Security Rule to a NIST CSF subcategory.

“Due to the granularity of the NIST Cybersecurity Framework’s Subcategories, some HIPAA Security Rule requirements may map to more than one Subcategory. Activities to be performed for a particular Subcategory of the NIST Cybersecurity Framework may be more specific and detailed than those performed for the mapped HIPAA Security Rule requirement,” the document explained.

“However, the HIPAA Security Rule is designed to be flexible, scalable and technology-neutral, which enables it to accommodate integration with frameworks such as the NIST Cybersecurity Framework. A HIPAA covered entity or business associate should be able to assess and implement new and evolving technologies and best practices that it determines would be reasonable and appropriate to ensure the confidentiality, integrity and availability of the ePHI it creates, receives, maintains, or transmits.”

It is important to note that the NIST Cybersecurity Framework does not translate seamlessly to HIPAA compliance. HHS reminded organizations not to rely entirely on the crosswalk document for HIPAA compliance.

In addition to the crosswalk, organizations can consult HITRUST’s “Healthcare Sector Cybersecurity Framework Implementation Guide,” which helps organizations use HITRUST’s framework to effectively implement NIST’s framework.

To get started, healthcare organizations should assess their current security programs, assign roles and responsibilities for framework implementation, and figure out which security measures to prioritize in order to achieve their goals.

As cyberattacks continue to overwhelm the healthcare sector, implementing a reliable cybersecurity framework can help organizations prevent, prepare for, and recover from cyber incidents.