The National Institute of Standards and Technology (NIST) recently released version 1.1 of its popular Cybersecurity Framework, which incorporates feedback received from public comments and workshops during 2016 and 2017.
Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (The Framework) includes updates on authentication and identity, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure.
The new version adds a section explaining how the Framework can be used by organizations to understand and assess their cyber risk and sections on risks associated with the supply chain and purchasing commercial off-the-shelf products and services.
The Framework provides a common structure for different approaches to cybersecurity by compiling effective standards, guidelines, and practices in one place. It can also be used to help organizations address privacy issues related to customers, employees, patients, and other parties, the document explained.
“The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan in a news release.
“From the very beginning, the Cybersecurity Framework has been a collaborative effort involving stakeholders from government, industry and academia. The impact of their work is evident in the widespread adoption of the framework by organizations across the United States, as well as internationally,” Copan said.
The Framework was developed with a focus on critical infrastructure industries, including energy, banking, communications, and the defense industrial base. It is flexible enough to be adopted voluntarily by large and small companies and organizations across all industry sectors, including healthcare, as well as by federal, state and local governments.
“This update refines, clarifies and enhances Version 1.0,” said Program Manager for the Cybersecurity Framework Matt Barrett. “It is still flexible [enough] to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”
NIST said that later this year it plans to release an update to the Framework’s companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity, which includes areas for development, alignment, and collaboration.
“Engagement and collaboration will continue to be essential to the framework’s success,” said Barrett. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk.”
The Framework represents what comprehensive cybersecurity looks like and can aid healthcare organizations in securing data and fighting ransomware, explained Barrett in a recent interview with HealthITSecurity.com.
“The cyber hygiene dimension of things is critically important, as we see with circumstances like WannaCry that took advantage of a patch that was released not too terribly far before the WannaCry ransomware propagated itself,” he said. “It really discerned a line of demarcation: who patches within a certain threshold of months and who doesn't.
“That's an example of one where there's specific subcategory guidance within Framework around patching within reasonable risk thresholds,” Barrett continued. “Clearly, those who did not patch within that timeline, they were beyond a threshold that's set by the threat environment. If they got pinched by WannaCry, of course they can revise that and integrate that into their risk management strategy moving forward. But the Framework certainly would have helped with that risk decision.”
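Barrett's "line of demarcation" is, in practice, a measurable property of an asset inventory: how many days elapsed between a vendor releasing a patch and each host applying it, compared against a threshold the organization sets for itself. The script below is an added illustration and is not code from the article, from NIST, or from the Framework; the hosts and their patch dates are constructed, the 30-day window is a hypothetical organizational threshold (the Framework leaves the number to each organization's risk decision), and the only real-world dates used are the public release date of the MS17-010 patch (14 March 2017) and the WannaCry outbreak date (12 May 2017).

```python
from datetime import date

# Constructed inventory for illustration: host names and patch dates are made
# up. Each record holds the date the needed patch was released and the date it
# was applied, or None if the host is still unpatched.
INVENTORY = [
    {"host": "ehr-app-01",    "patch_released": date(2017, 3, 14), "patched_on": date(2017, 3, 28)},
    {"host": "imaging-ws-07", "patch_released": date(2017, 3, 14), "patched_on": date(2017, 4, 30)},
    {"host": "lab-pc-22",     "patch_released": date(2017, 3, 14), "patched_on": None},
]

# Hypothetical organizational patch window (assumption, not a Framework value).
THRESHOLD_DAYS = 30

# Evaluation date: the public WannaCry outbreak date.
AS_OF = date(2017, 5, 12)


def exposure_days(record, as_of):
    """Days a host ran without the patch: from release until it was applied,
    or until `as_of` if it is still unpatched."""
    end = record["patched_on"] or as_of
    return (end - record["patch_released"]).days


def classify(inventory, threshold_days, as_of):
    """Per-host result: exposure in days, whether the host met the threshold,
    and whether it remains unpatched on the evaluation date."""
    results = {}
    for rec in inventory:
        days = exposure_days(rec, as_of)
        results[rec["host"]] = {
            "exposure_days": days,
            "within_threshold": days <= threshold_days,
            "unpatched": rec["patched_on"] is None,
        }
    return results


def summarize(results):
    """Count hosts on each side of the threshold, plus those still exposed."""
    return {
        "compliant": sum(r["within_threshold"] for r in results.values()),
        "overdue": sum(not r["within_threshold"] for r in results.values()),
        "still_unpatched": sum(r["unpatched"] for r in results.values()),
    }


if __name__ == "__main__":
    results = classify(INVENTORY, THRESHOLD_DAYS, AS_OF)
    for host, r in sorted(results.items()):
        status = "OK" if r["within_threshold"] else "OVERDUE"
        tail = " (still unpatched)" if r["unpatched"] else ""
        print(f"{host:14} {r['exposure_days']:3d} days  {status}{tail}")
    print(summarize(results))
```

Run as written, the report shows one host patched inside the window and two beyond it, one of which is still unpatched on the outbreak date; the "overdue" bucket is the population Barrett describes as beyond the threshold set by the threat environment. Lowering `THRESHOLD_DAYS` or moving `AS_OF` earlier is how an organization would test whether a tighter window would have changed its exposure.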
The diversity of the healthcare landscape is a cybersecurity challenge, Barrett said. There are small medical practices where one physician might be the bookkeeper and the CEO, while there are also large hospital systems and research universities.
One of the research universities that has successfully implemented the Cybersecurity Framework is the University of Chicago’s Biological Sciences Division (BSD), which used the framework to help it comply with HIPAA and other federal data security rules.
“There are many security frameworks, but we found that the Cybersecurity Framework was well-aligned with our main objective, which was to establish a common language for communicating cybersecurity risks across the division,” said BSD Chief Information Security Officer Plamen Martinov.
To explain the changes made in version 1.1, NIST plans to host a public webcast on April 27, 2018, at 1 p.m. Eastern time. It is also planning a Cybersecurity Risk Management Conference, which will include a major focus on the framework, for Nov. 6-8, 2018, in Baltimore, Maryland.