WEDI Responds to NIST’S RFI, Urges Increased Focus on Ransomware

April 26, 2022 - The Workgroup for Electronic Data Interchange (WEDI) responded to the National Institute of Standards and Technology’s (NIST) request for information regarding improvements to its cybersecurity framework and its supply chain security guidance.

As previously reported, NIST issued a request for public comments in February, seeking industry feedback on the usefulness of its cybersecurity framework (NIST CF), challenges that may prevent organizations from using the framework, and any features that may need to be added or removed.

“The Cybersecurity Framework was last updated in April 2018,” the request for information explained. “Much has changed in the cybersecurity landscape in terms of threats, capabilities, technologies, education and workforce, and the availability of resources to help organizations to manage cybersecurity risk better.”

In response to the request, WEDI recommended that NIST adjust its framework and supply chain and critical infrastructure resources to better address the primary issues that healthcare will likely face in coming years.

Specifically, WEDI noted increasing concerns within the healthcare sector about ransomware, third-party application security, a lack of cybersecurity awareness and training, and security threats within portable and implantable medical devices.

In addition to updates to NIST’S resources, WEDI urged NIST to avoid federal government cybersecurity silos and encourage coordination between agencies within the government working on healthcare-related cybersecurity issues. In addition, the group recommended that NIST expand educational partnerships to educate the industry on cyber hygiene best practices.

In regard to modifying the NIST cybersecurity framework, WEDI’s key recommendation was to increase its focus on ransomware. Specifically, WEDI recommended that NIST incorporate specific case studies and define contingency planning strategies for healthcare entities to follow.

 “The immediate and persistent threat of ransomware attack is driving a lot of resource allocation on the part of health care entities and by incorporating the ransomware issue directly into the CF NIST will expand the reach and impact of this resource,” the letter suggested.

WEDI underscored the risk of third-party app security, as addressed in its previous letter to HHS and the Department of Commerce. WEDI and the Confidentiality Coalition penned a letter to the secretaries in late March with recommendations for improving the transparency, security, and privacy of third-party health apps with access to protected health information (PHI).

In its letter to NIST, WEDI similarly suggested that without HIPAA’s supervision, third-party health apps could pose privacy risks to patients.

“The potential exists for Protected Health Information (PHI) gained via the apps to be inappropriately disclosed to the detriment of patients and their families,” the letter emphasized.

“While we strongly support patient access to their PHI via apps, we assert that a national security framework, perhaps developed by NIST, is required to ensure that health care data obtained by third-party apps is held to appropriate privacy and security standards.”

WEDI also addressed numerous medical device security concerns and the issue of insider threats. Since organizations frequently look to NIST for security guidance, WEDI suggested that the institute consider incorporating these concerns in the next iteration of its cybersecurity framework.

In addition, WEDI recommended that NIST develop a targeted cybersecurity framework for consumers and for smaller organizations specifically. All these resources should emphasize a security-focused culture, WEDI suggested.

To improve supply chain security, WEDI recommended that NIST address the impact of ransomware on supply chains, recognize the various types of supply chains in the healthcare sector, and address supply chain contingency planning.

“Allocating sufficient resources to address security issues is often a significant challenge,” WEDI concluded.

“Recognizing this, the role of the federal government is to identify and make available to the industry the best possible protocols, policies, and procedures. We urge NIST to promote cyber hygiene tactics through every available communication channel, with an emphasis on smaller health care organizations.”