Building Holistic, Robust Security with the NIST Cybersecurity Framework

A Call to Action for Healthcare Organizations (and their Partners)

Security frameworks help organizations build a comprehensive security program by providing guidance on how to identify and prioritize actions that reduce cybersecurity risk.  A security framework is essential for every organization, particularly now that insider threat activity and cyber-attacks are at record highs.  HIPAA compliance alone is not enough. 

While the HIPAA Security Rule requires covered entities to protect the confidentiality, integrity, and availability of electronic protected health information, it is deliberately technology-neutral: it states what must be achieved, not how.  The Security Rule says, “This is what you need to do,” but it does not answer the practitioner’s essential question, “How do I do this?” 

An Overview of Cybersecurity Frameworks

Security frameworks, on the other hand, address all of these aspects:

  • best practices,
  • standards,
  • processes, and
  • guidance

—essentially, much of what you need to build a comprehensive security program. 

Popular security frameworks include:

  • International Organization for Standardization (ISO) 27001 and 27002,
  • COBIT (formerly known as the Control Objectives for Information and Related Technologies),
  • HITRUST Common Security Framework, and
  • NIST Cybersecurity Framework.

A number of other security frameworks have been mapped to the NIST Cybersecurity Framework, so an organization that already uses one of them can adopt the Framework without starting over.  Examples include the Critical Security Controls, HITRUST, and COBIT.

An advantage of the NIST Cybersecurity Framework is that it is voluntary and can be applied to virtually any organization, regardless of size or sector.  In the latest iteration of the Framework, draft version 1.1, NIST emphasizes the importance of holistic security and, most importantly, of cybersecurity as a business enabler. 

If a cybersecurity program is not aligned with an organization’s business objectives, or if it impedes workforce members from performing their job functions, the program has significant gaps.  Workforce members will work around controls that get in their way, and those workarounds expose the organization to cyber-attacks, negligent insiders, malicious insiders, and other compromises.


In other words, if a cybersecurity program is not suitable for an organization (i.e., the program is not aligned with the organization’s business objectives and workforce member needs), it will inevitably fail, and the main tenets of information assurance (confidentiality, integrity, and availability of information) will not be upheld.

HIMSS Cybersecurity Call to Action

Through its Cybersecurity Call to Action, HIMSS encourages healthcare organizations to adopt a security framework, such as the NIST Cybersecurity Framework, to improve their security programs.  The Framework not only provides technical guidance on how to build a comprehensive security program, but also provides a methodology for communicating about cybersecurity risk among internal and external stakeholders.  This latter point is significant because people remain every organization’s weakest link.  The NIST Cybersecurity Framework provides guidance on how executives and non-executives alike can communicate about cybersecurity risk both inside and outside of the organization.

Communication is perhaps the most important aspect of any organization’s security program.

The security posture of any organization can be greatly improved with good, clear communication and fewer communication gaps.  The value of information sharing within an organization, and with its third-party partners, cannot be emphasized enough. 
Moreover, if all organizations were “on the same page” in regard to a universal security framework, the health sector would be more resilient to cyber-attacks and other compromises.  This proactive step would also likely help facilitate interoperability, since healthcare organizations would be less hesitant to exchange information with partners whose security programs they understand. 

HIMSS advocates for all healthcare organizations to adopt a common security framework.  Robust information security is necessary to protect patient safety.   More information is available in Preparing the Health Sector for Robust and the Cybersecurity Call to Action.


Your voice is needed!  As part of HIMSS’ ongoing health IT research efforts, we are asking you to share your thoughts on the 2017 HIMSS Cybersecurity Survey today!