The National Institute of Standards and Technology (NIST) will finally release its widely anticipated voluntary cybersecurity framework this Wednesday, Feb. 12.
Originally ordered by President Barack Obama last February, this public and private framework has gone through different iterations since then, with plenty of opportunity for public feedback as well. NIST issued a discussion draft of its cybersecurity framework back in August and then announced a 45-day public comment period on the framework to help set the stage for the final version in November. The discussion draft included these areas of particular concentration in healthcare:
Authentication challenges continue to exist across the critical infrastructure. As a result, inadequate authentication solutions are a commonly exploited vector of attack by adversaries.
4.2 Automated indicator sharing
The automated sharing of indicator information is an important tool to provide organizations with timely, actionable information that they can use to detect and respond to cybersecurity events as they are occurring.
4.4 Data analytics
Big data and the associated analytic tools coupled with the emergence of cloud, mobile, and social computing offer opportunities to process and analyze structured and unstructured cybersecurity-relevant data on an unprecedented scale and specificity.
The Fair Information Practice Principles (FIPPs) are a longstanding framework for evaluating and mitigating privacy impacts around the collection, use, disclosure, and retention of personally identifiable information (PII).
NIST said it planned to use that 45-day period to hear from the different sectors on standards, best practices, and guidelines that would meaningfully improve critical infrastructure cybersecurity and clear up any lingering confusion from the areas listed above. NIST also held a workshop to discuss the Preliminary Framework on November 14 and 15, 2013, at North Carolina State University, where it could get insight and feedback on the framework from stakeholders.
In response to the voluntary framework, the American Hospital Association (AHA) released a statement supporting the concept, but said that some parts needed to be tweaked. According to the AHA, NIST had to add sector-specific definitions, tools and processes; provide sufficient time for those sector-specific requirements; and include HIPAA and HITECH requirements directly in the final framework. According to FCW.com, NIST has put more of an emphasis on privacy in the final version.