The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HSCC & HHS Release Guide to Help Healthcare Organizations Adopt the NIST Cybersecurity Framework

A new guide has been published by the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) to help healthcare organizations align their cybersecurity programs with the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The NIST Cybersecurity Framework is one of the most widely adopted frameworks for identifying and managing cybersecurity risks. NIST released version 1.0 of the framework in 2014 and version 1.1 in 2018, and NIST CSF 2.0 is due for release later this year. The NIST CSF is organized around five core functions – Identify, Protect, Detect, Respond, and Recover – and maps the desired security outcomes in each functional area to informative references (such as NIST SP 800-53 controls) that organizations can implement. The framework also defines four implementation tiers (Partial, Risk Informed, Repeatable, and Adaptive) against which organizations can rate the maturity of their risk management practices, which allows them to communicate how they are achieving their cybersecurity objectives in a standardized way. The NIST CSF has become the de facto cybersecurity framework for government agencies and private sector companies for managing cybersecurity risks.

The healthcare industry is extensively targeted by cybercriminal groups and nation-state actors and must defend against increasingly sophisticated and numerous threats. Healthcare organizations typically have fragmented infrastructures, legacy systems, huge numbers of applications, and must protect an ever-increasing number of network-connected medical devices. Consequently, many healthcare organizations struggle with managing cybersecurity effectively.

“Healthcare cyberattacks are among the fastest growing type of cybercrime – jeopardizing patient care, damaging the integrity of health care systems, and threatening the U.S. economy,” said Dawn O’Connell, HHS Assistant Secretary for Preparedness and Response. “Health care organizations must safeguard their information technology systems to help prevent attacks and create a culture of cyber safety in the health care industry.”


According to the HSCC, a comprehensive cybersecurity framework – such as the NIST CSF – will “provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.” Healthcare organizations that base their cybersecurity programs on the NIST CSF can better direct capital, operational, and resource allocations to lines of business generating the greatest return on protecting assets/information and minimizing risk exposure.

While the NIST CSF was developed to be suitable for organizations of all sizes in all industry sectors, some healthcare organizations have struggled to adopt the framework. The Cybersecurity Framework Implementation Guide is intended to help healthcare organizations adopt the NIST CSF and details specific steps that can be taken immediately to manage cyber risks to their IT systems and better protect against the full range of cyber threats. The guide will help healthcare organizations assess their current cybersecurity practices and risks, and identify gaps for remediation.

“With data breaches having doubled over the past five years and ransomware attacks reaching almost 400 in the same period, it is clear that the healthcare industry needs to up its game,” said Bryan Cline, industry lead for the guide and Chief Research Officer for HITRUST. “Health industry stakeholders of all sizes and subsectors can reduce their cyber risk exposure by implementing this resource and many others produced by the HSCC and government partners.”

The Cybersecurity Framework Implementation Guide was jointly developed by the HSCC and the HHS, and NIST and other federal agencies contributed substantially to its content. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program – the ‘Health Industry Cybersecurity Practices’ – which is aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient,” said HSCC Cybersecurity Working Group Chair and Intermountain Healthcare CISO Erik Decker.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
