- Cybersecurity frameworks are often cited as key ways for organizations to improve their approach to healthcare data security, especially as more entities utilize connected devices and work toward interoperability.
The National Institute of Standards and Technology (NIST) has one of the more popular frameworks, which was first published in February 2014 under a presidential executive order direction.
NIST released a revised draft of its Cybersecurity Framework in December 2017. Healthcare organizations can improve their cybersecurity approach by implementing NIST’s Framework.
Ensuring that people understand the strengths of the Framework is important for cybersecurity, according to NIST Cybersecurity Framework Program Manager Matt Barrett. Entities need to have a higher level of risk management dialogue, he said.
The Framework is meant to be a living document, Barrett maintained.
“The whole spirit of this is something that can move faster than law and regulation can,” he said. “It’s something that can keep pace with threats and technology trends, give us a place to integrate any lessons learned or best practices from a given sector and bring them back into common practice.”
NIST has been working on an update since December 2015, which is when the agency published a request for information. NIST asked stakeholders whether it would soon be time for an update and, if so, what they would like to see in it.
There have been two drafts published, and NIST has held two workshops to start the dialogue around what organizations wanted in the update.
“This is the second draft that we've published, and the proposed update is called Version 1.1 of the Cybersecurity Framework. We are seeking to clarify, refine, and enhance the Framework,” Barrett said.
Many stakeholders have said that the Framework is working great in numerous ways, so the draft is more about clarifying, refining, and enhancing the Framework.
“For instance, we clarify the applicability of the Framework broadly to technology that minimally includes IT, operational technology like ICS and [supervisory control and data acquisition], cyber physical systems, internet of things,” Barrett explained. “The Framework really seeks to be applicable across all of these and we find in a great many instances it's applicable across all of those types of technology genres or architectures.”
“We also clarify that the Framework proves out to be applicable across many different system lifecycle phases: design, develop, deploy, operate and maintain, decommission,” he continued. “The Framework is a lens through which to view cybersecurity in all those phases of a system life cycle.”
Other Framework updates were more topic specific, Barrett added. Stakeholders asked for clarification on how the Framework could be used for the cyber dimension of supply chain risk management, so NIST added a category for that.
“We've really built out the explanatory text around how one might use the Framework for supply chain risk management, and even for making buying decisions that are aligned with their risk management objectives,” he stated.
Self-Assessing Cybersecurity Risk Management is another new section in the document, which is more about the measurement of risk.
“This is really how an organization might use the Framework and associated measures to self-assess,” Barrett noted. “This is not only for organizations’ own internal improvement, but perhaps also to express that outwardly in various ways in order to build digital trust.”
That same section is an expansion of the access control category, he pointed out. Some stakeholders highlighted that identity proofing or authentication were not adequately addressed. NIST then added specific subcategories around those areas, Barret said.
“We've also accounted for coordinated vulnerability disclosure and what do you do if you receive information about a previously undisclosed vulnerability,” he stated. “How does your organization address that? How do they handle that if there’s a new thing that has to integrate emerges from the research communities?”
NIST also updated administrative areas, such as how the Framework works well with other documents (i.e. ISO 27001). Barrett maintained that the Framework is meant to be paired with other documents, and is very effective when it is paired. Other documents are often more technically detailed than the Framework, he posited.
“We purposely did that,” Barrett said. “We said, ‘Hey, we look we got all those preexisting things. No need to build the Framework down to that level of detail. Let's just show folks how they pair Framework with other things.’ We've done the administrative update on some of those informative references so people can see that a little bit more clearly.”
Healthcare ransomware preparation with the Framework
In terms of prevention, Barrett asserted that the Framework represents what comprehensive cybersecurity looks like and can aid healthcare organizations.
“The cyber hygiene dimension of things is critically important, as we see with circumstances like WannaCry that took advantage of a patch that was released not too terribly far before the WannaCry ransomware propagated itself,” he said. “It really discerned a line of demarcation: who patches within a certain threshold of months and who doesn't.
“That's an example of one where there's specific subcategory guidance within Framework around patching within reasonable risk thresholds,” Barrett continued. “Clearly, those who did not patch within that timeline, they were beyond a threshold that's set by the threat environment. If they got pinched by WannCry, of course they can revise that and integrate that into their risk management strategy moving forward. But the Framework certainly would have helped with that risk decision.”
NIST has always wanted to make the Framework as valuable as possible, Barrett said. The initial development of the Framework was fully open and anyone could participate.
“Even though we wanted to design a Framework for reducing critical infrastructure risk, any party could participate in the dialog and we did that in a full transparency,” he explained. “Even to this day you can go see all of the written responses from the RFIs and RFCs over time, and you can see the various workshop materials that we did.”
“We felt like the Framework got better and better and better the more we collaborated,” Barrett added. “We always hoped and thought it would, and it proved out that it would.”
The Framework as started to have a life of its own as more organizations have started to adopt and implement it, he noted.
“It's not propagating in industries and around the world right now solely because of NIST's effort,” Barrett said. “It's propagating because of all those advocates that we gained up throughout the development process.”
The diversity of the healthcare landscape is a cybersecurity challenge, Barrett stated. For example, there are small medical practices where one physician might be the bookkeeper, the CEO, and other positions. But there are also the incredibly intricate hospital systems.
Larger hospitals typically have an exquisitely complicated technology landscape and architectures inclusive of IoT in the form of medical devices. There is an emerging technology space and emerging threat space. Small physician practice will also have IT concerns though, whether they're in-house or on how things are hosted outside of the strict boundary of the organization.
“The challenge is in the vast difference in these environments and the way they're managed and the education and awareness that's required,” Barrett said.
Referring to the small physician practice example, Barrett pointed out that there may be an individual who is not a cybersecurity expert but is still running that practice.
“Do they understand that cybersecurity is a concern?” he asked. “Do they understand where that intersects with things like protection of patient health records? And even if they understand those things, do they understand the short list of high impact things they can do?”
“Do they understand what kind of iterative, dynamic cybersecurity risk management looks like?” he concluded. “That is really the space where the Framework lives.”