On Monday, February 8, HIMSS submitted its comment letter to the National Institute of Standards and Technology (NIST) on its Views on the Framework for Improving Critical Infrastructure Cybersecurity Request for Information. HIMSS applauded NIST’s efforts in developing the NIST Cybersecurity Framework in collaboration with the private sector, but noted that healthcare providers and organizations must be equipped to defend against growing cyber threats using a consistent and effectively-implemented data security framework.
In addition, HIMSS emphasized that the Framework could be used as a tool to develop a common set of consensus-based, private sector-led guidelines, best practices, methodologies, procedures, and processes in relation to privacy and information security risk management. Moreover, the HIMSS comment letter noted that the NIST Cybersecurity Framework should continue to be voluntary.
In its comment letter, HIMSS also discussed how NIST’s Cybersecurity Framework serves to inform organizations that need to create or update their own risk management program. Whether an organization is standing up a new cybersecurity program or already has a sophisticated program in place, the Framework has the potential to serve it well by advancing its capabilities for addressing cybersecurity risk.
The Framework Core provides a set of functions (i.e., activities and outcomes) that organizations, including healthcare organizations, need to implement to address security incidents and, more generally, to manage cybersecurity risk: (1) Identify, (2) Protect, (3) Detect, (4) Respond, and (5) Recover.
Since many healthcare organizations could benefit from improving their risk management process and better addressing cybersecurity risks, HIMSS supports the idea that the Framework could be useful in helping healthcare organizations improve their security posture.
HIMSS also suggests that NIST (with input from healthcare stakeholders) bring together government, academia, and industry to continue evolving the Framework, so that it remains a living document, fluid and flexible enough to be improved over time, and so that its content reflects real-world risks and risk management, including the interdependencies among the critical infrastructure sectors.
In terms of the steps that the US government could take to increase sharing of best practices, HIMSS commented that the government (i.e., NIST and other relevant government agencies) could assist in this effort through wide dissemination of such information across the healthcare sector (including, without limitation, small physician practices, long-term care facilities, and other healthcare organization constituents, large and small).
Also, HIMSS cited Section 405 of the Cybersecurity Act of 2015 as a positive step in this area. Finally, HIMSS discussed how the US government could increase sharing of best practices by facilitating cross-sector information sharing as well. The healthcare sector has numerous dependencies upon other critical infrastructure sectors and would greatly benefit from such cross-sector information sharing.