While the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework can be greatly beneficial for the healthcare industry, the Healthcare Information and Management Systems Society (HIMSS) explained that the Framework can be enhanced.
HIMSS submitted comments on the Framework for Improving Critical Infrastructure Cybersecurity, which was opened up for suggestions in December 2015. NIST also announced this week that it had extended the deadline for comments to February 23, 2016.
According to HIMSS, the NIST Cybersecurity Framework is most useful in that it helps organizations create or update their risk management programs.
“Since many healthcare organizations could benefit from improving their risk management process and better address cybersecurity risk, the NIST Cybersecurity Framework could be useful in helping healthcare organizations improve their security posture,” HIMSS wrote.
However, HIMSS added that the healthcare sector could greatly benefit if the NIST Cybersecurity Framework were to be made more industry-specific. For example, “the NIST Cybersecurity Framework could be more useful to healthcare stakeholders by providing metrics and other tools to measure progress with the Framework.”
Moreover, healthcare could benefit if NIST clarified what a Target Profile should be for healthcare organizations.
It is also positive that the NIST Cybersecurity Framework addresses the importance of protecting privacy and civil liberties, according to HIMSS. Even so, a more in-depth discussion “about the intersection between privacy risk management and information security risk management” could greatly assist the healthcare industry.
Harmful effects, including data loss and damage to IT systems and/or the organization, can be mitigated with effective privacy and security risk management. This requires effective collaboration, communication, and processes between the privacy and information security functions at the organization.
HIMSS also suggested that the NIST Cybersecurity Framework have a “common set of consensus-based, private sector-led guidelines, best practices, methodologies, procedures, and processes in relation to privacy and information security risk management.” This should also be consistent with Section 405 of CSA.
“Generally, the Framework could be used as a tool to develop a common set of voluntary, consensus-based, and private sector-led guidelines, best practices, methodologies, procedures, and processes, consistent with Section 405 of CSA,” HIMSS wrote. “In addition, the Framework could be greatly enhanced to benefit the healthcare sector.”
Incorporating certain HIPAA regulations into the NIST Cybersecurity Framework could also assist the healthcare industry in its approach to cybersecurity.
Specifically, HIMSS commented that “the HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. Therefore, Section 3 of the Framework, which addresses how to use it, could be updated to include the HIPAA Privacy Rule.
“In addition, the HIPAA Security Rule could be incorporated, as appropriate, into the discussion regarding the use of the NIST Cybersecurity Framework,” the letter explained.
Along with taking input from healthcare stakeholders, NIST should also bring together government, academia, and industry to continue to evolve the NIST Cybersecurity Framework, according to HIMSS.
“The U.S. government could increase sharing of best practices by facilitating cross-sector information sharing as well,” HIMSS wrote. “The healthcare sector has numerous dependencies upon other critical infrastructure sectors and would greatly benefit from such cross-sector information sharing.”
HIMSS also referenced the Cybersecurity Act of 2015, saying that the industry first needs a common understanding of how best practices will be developed before those best practices can be shared.
“The foundation (i.e., best practices, guidelines, methodologies, procedures, and processes that are private sector-led) needs to be established first by the healthcare sector by way of a collaborative process that includes a wide array of healthcare sector stakeholders,” the letter stated.
Overall, HIMSS was positive in its comments on the NIST Cybersecurity Framework, but was insistent that healthcare providers and organizations need to have the necessary defenses against cybersecurity threats. A large part of this is having a consistent data security framework that has also been properly implemented.