Breaking Down the NIST Cybersecurity Framework, How It Applies to Healthcare

CORE COMPONENTS OF THE NIST CYBERSECURITY FRAMEWORK

“The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks,” NIST states in the CSF’s introduction.

“It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”

Using this framework, NIST aims to help organizations assess their current cybersecurity postures, describe their target state for cybersecurity, prioritize improvement opportunities, progress toward their target state, and communicate with relevant stakeholders about cyber risks.

Version 2.0 consists of a suite of resources, including the in-depth CSF 2.0 document, detailed implementation examples, quick start guides, and mappings.

The CSF Core, which NIST describes as the “nucleus of the CSF,” is at the center of the CSF's efforts. It consists of a hierarchy of functions, categories, and subcategories that detail desired outcomes in a sector-neutral manner.

The CSF Core is divided into five essential functions: govern, identify, protect, detect, respond and recover. The core functions are meant to be performed simultaneously to craft a culture of cybersecurity within an organization. Each core function has its own outcome categories and subcategories. The NIST CSF defines each essential function as follows:

• Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
• Identify: The organization’s current cybersecurity risks are understood.
• Protect: Safeguards to manage the organization’s cybersecurity risks are used.
• Detect: Possible cybersecurity attacks and compromises are found and analyzed.
• Respond: Actions regarding a detected cybersecurity incident are taken.
• Recover: Assets and operations affected by a cybersecurity incident are restored.

NIST emphasizes that actions supporting the govern, identify, protect and detect functions should occur simultaneously, while actions supporting the respond and recover functions should be prepared at all times in the event of a cyber incident.

“The Functions, Categories, and Subcategories apply to all ICT used by an organization, including information technology (IT), the Internet of Things (IoT), and operational technology (OT),” the CSF states.

“They also apply to all types of technology environments, including cloud, mobile, and artificial intelligence systems. The CSF Core is forward-looking and intended to apply to future changes in technologies and environments.”

NIST CSF ORGANIZATIONAL PROFILES, CSF TIERS

Beyond the CSF Core, the document also contains CSF Organizational Profiles, which describe an organization’s current and target cybersecurity posture in relation to the Core’s outcomes. Security practitioners can use the Organizational Profiles to communicate the Core’s outcomes to stakeholders, prioritize specific actions, and identify gaps between current and target states.

Additionally, the document contains CSF Tiers, which characterize cyber risk governance and management practices. The tiers range from partial (tier one) to risk-informed, repeatable, and adaptive (tier four).

“Tiers should complement an organization’s cybersecurity risk management methodology rather than replace it. For example, an organization can use the Tiers to communicate internally as a benchmark for an organization-wide approach to managing cybersecurity risks,” NIST states.

 “Progression to higher Tiers is encouraged when risks or mandates are greater or when a cost-benefit analysis indicates a feasible and cost-effective reduction of negative cybersecurity risks. 

“The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, supply chain cybersecurity requirements, and organizational constraints,” the framework explains.

“Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization.”

Throughout the framework’s text, NIST emphasizes the fact that the framework is not meant to replace existing security processes. Instead, organizations should use the framework to determine gaps in their cybersecurity risk approach and make plans for improvement.

“The CSF is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs,” NIST states.

In healthcare, the CSF can be used in conjunction with other free and low-cost resources to strengthen an organization’s security posture.

IMPLEMENTING THE NIST CSF IN HEALTHCARE

The NIST CSF can help healthcare organizations reduce cyber risk, cut costs, and potentially reduce cyber insurance premiums.

Even though the NIST CSF has dozens of specific subcategories and controls to reference, it is flexible and dynamic by nature. It can be applied in ways that best suit an individual organization or sector. The framework can work in harmony with HIPAA Security Rule compliance to strengthen a healthcare organization’s cybersecurity architecture.

NIST’s website contains a multitude of resources regarding NIST CSF implementation, including the NIST CSF 2.0 Reference Tool, which allows users to explore the functions, categories, subcategoires and implementation examples in a user-friendly format.

In addition, healthcare organizations can use NIST’s quick start guides (QSGs) pertaining to specific aspects of the CSF. For example, NIST maintains a QSG about creating Organizational Profiles, and another about using the CSF Tiers. It is important to note that the NIST Cybersecurity Framework does not translate seamlessly to HIPAA compliance, even though many security actions outlined in the CSF do support HIPAA compliance. Rather, healthcare organizations can use the CSF to holistically bolster their security efforts and safeguard their systems, which will likely have positive effects on HIPAA compliance efforts as well.

To get started, healthcare organizations should assess their current security programs, assign roles and responsibilities for framework implementation, and identify which security measures to prioritize in order to achieve their goals. These priorities will vary depending on organization size and resource availability.

As cyberattacks continue to overwhelm the healthcare sector implementing a reliable cybersecurity framework can help organizations prevent, prepare for, and recover from cyber incidents.