Breaking Down the NIST Cybersecurity Framework, How It Applies to Healthcare

Healthcare organizations can strengthen their overall security postures by using the NIST Cybersecurity Framework's collection of standards and best practices.

When implemented carefully, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) can help healthcare organizations bolster their cybersecurity programs and further safeguard patient data and critical systems.

NIST launched its cybersecurity framework in 2014 following a 2013 executive order on improving critical infrastructure cybersecurity under the Obama administration. Adopting the framework is voluntary but can help critical infrastructure entities, including those in the healthcare sector, enhance their cybersecurity programs and mitigate cyber risks.

NIST designed the framework to evolve to meet current cybersecurity challenges. After receiving industry feedback, NIST made minor updates to the CSF in 2017 and again in 2018. In 2024, NIST released version 2.0 of the CSF, expanding its reach by broadening the intended audience beyond critical infrastructure.

Healthcare organizations can use the framework in conjunction with other voluntary frameworks and HIPAA Security Rule compliance efforts to protect the confidentiality and security of patient data. In the following sections, HealthITSecurity will provide a high-level overview of the NIST CSF version 2.0 and its core components, discuss how the framework can benefit healthcare, and provide tips for implementing the NIST CSF in healthcare settings.

CORE COMPONENTS OF THE NIST CYBERSECURITY FRAMEWORK

“The NIST Cybersecurity Framework (CSF) 2.0 provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks,” NIST states in the CSF’s introduction.

“It offers a taxonomy of high-level cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”

Using this framework, NIST aims to help organizations assess their current cybersecurity postures, describe their target state for cybersecurity, prioritize improvement opportunities, progress toward their target state, and communicate with relevant stakeholders about cyber risks.

Version 2.0 consists of a suite of resources, including the in-depth CSF 2.0 document, detailed implementation examples, quick start guides, and mappings.

The CSF Core, which NIST describes as the “nucleus of the CSF,” is at the center of the framework. It consists of a hierarchy of functions, categories, and subcategories that detail desired outcomes in a sector-neutral manner.

The CSF Core is divided into six essential functions: govern, identify, protect, detect, respond, and recover. The core functions are meant to be performed together to craft a culture of cybersecurity within an organization. Each core function has its own outcome categories and subcategories. The NIST CSF defines each essential function as follows:

  • Govern: The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.
  • Identify: The organization’s current cybersecurity risks are understood.
  • Protect: Safeguards to manage the organization’s cybersecurity risks are used.
  • Detect: Possible cybersecurity attacks and compromises are found and analyzed.
  • Respond: Actions regarding a detected cybersecurity incident are taken.
  • Recover: Assets and operations affected by a cybersecurity incident are restored.

NIST emphasizes that actions supporting the govern, identify, protect and detect functions should occur simultaneously, while actions supporting the respond and recover functions should be prepared at all times in the event of a cyber incident.

“The Functions, Categories, and Subcategories apply to all ICT used by an organization, including information technology (IT), the Internet of Things (IoT), and operational technology (OT),” the CSF states.

“They also apply to all types of technology environments, including cloud, mobile, and artificial intelligence systems. The CSF Core is forward-looking and intended to apply to future changes in technologies and environments.”

NIST CSF ORGANIZATIONAL PROFILES, CSF TIERS

Beyond the CSF Core, the document also contains CSF Organizational Profiles, which describe an organization’s current and target cybersecurity posture in relation to the Core’s outcomes. Security practitioners can use the Organizational Profiles to communicate the Core’s outcomes to stakeholders, prioritize specific actions, and identify gaps between current and target states.

Additionally, the document contains CSF Tiers, which characterize cyber risk governance and management practices. The tiers range from partial (tier one) through risk-informed and repeatable to adaptive (tier four).

“Tiers should complement an organization’s cybersecurity risk management methodology rather than replace it. For example, an organization can use the Tiers to communicate internally as a benchmark for an organization-wide approach to managing cybersecurity risks,” NIST states.

“Progression to higher Tiers is encouraged when risks or mandates are greater or when a cost-benefit analysis indicates a feasible and cost-effective reduction of negative cybersecurity risks.

“The Tier selection process considers an organization’s current risk management practices, threat environment, legal and regulatory requirements, information sharing practices, business/mission objectives, supply chain cybersecurity requirements, and organizational constraints,” the framework explains.

“Organizations should determine the desired Tier, ensuring that the selected level meets the organizational goals, is feasible to implement, and reduces cybersecurity risk to critical assets and resources to levels acceptable to the organization.”

Throughout the framework’s text, NIST emphasizes the fact that the framework is not meant to replace existing security processes. Instead, organizations should use the framework to determine gaps in their cybersecurity risk approach and make plans for improvement.

“The CSF is designed to be used by organizations of all sizes and sectors, including industry, government, academia, and nonprofit organizations, regardless of the maturity level of their cybersecurity programs,” NIST states.

In healthcare, the CSF can be used in conjunction with other free and low-cost resources to strengthen an organization’s security posture.

IMPLEMENTING THE NIST CSF IN HEALTHCARE

The NIST CSF can help healthcare organizations reduce cyber risk, cut costs, and potentially reduce cyber insurance premiums.

Even though the NIST CSF has dozens of specific subcategories and controls to reference, it is flexible and dynamic by nature. It can be applied in ways that best suit an individual organization or sector. The framework can work in harmony with HIPAA Security Rule compliance to strengthen a healthcare organization’s cybersecurity architecture.

NIST’s website contains a multitude of resources regarding NIST CSF implementation, including the NIST CSF 2.0 Reference Tool, which allows users to explore the functions, categories, subcategories, and implementation examples in a user-friendly format.

In addition, healthcare organizations can use NIST’s quick start guides (QSGs) pertaining to specific aspects of the CSF. For example, NIST maintains a QSG about creating Organizational Profiles, and another about using the CSF Tiers. It is important to note that the NIST Cybersecurity Framework does not translate seamlessly to HIPAA compliance, even though many security actions outlined in the CSF do support HIPAA compliance. Rather, healthcare organizations can use the CSF to holistically bolster their security efforts and safeguard their systems, which will likely have positive effects on HIPAA compliance efforts as well.

To get started, healthcare organizations should assess their current security programs, assign roles and responsibilities for framework implementation, and identify which security measures to prioritize in order to achieve their goals. These priorities will vary depending on organization size and resource availability.
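The gap analysis that Organizational Profiles support (comparing a Current Profile with a Target Profile and ranking the differences) and the prioritization step described above can be made concrete in code. The following Python script is an added illustration written for this article, not NIST's tooling or data: the six Function names come from the CSF 2.0, but the outcome identifiers, their descriptions, the two sample Profiles, and the 0..3 scoring scale are all constructed assumptions (the scale is not the CSF Tiers, which characterize an organization's overall risk management practices rather than individual outcomes).

```python
from dataclasses import dataclass
from typing import Dict, List

# CSF 2.0 Functions, in the order the framework lists them (Govern first).
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")

# Assumed per-outcome scoring scale for a Profile (an assumption for this
# example, not NIST's; CSF Tiers are a separate, organization-wide concept):
#   0 = not addressed, 1 = partially addressed,
#   2 = addressed,     3 = addressed and measured
MAX_SCORE = 3


@dataclass(frozen=True)
class Outcome:
    ident: str        # constructed placeholder id, NOT a real CSF subcategory id
    function: str     # one of FUNCTIONS
    description: str  # constructed paraphrase, for illustration only


# Constructed sample outcomes (a handful, not the full CSF Core).
OUTCOMES = [
    Outcome("GV-01", "Govern", "Risk management strategy is established and communicated"),
    Outcome("ID-01", "Identify", "Hardware and software assets are inventoried"),
    Outcome("PR-01", "Protect", "Access to patient-data systems requires managed credentials"),
    Outcome("DE-01", "Detect", "Networks and hosts are monitored for adverse events"),
    Outcome("RS-01", "Respond", "Incident response plan is executed once an incident is declared"),
    Outcome("RC-01", "Recover", "Recovery procedures restore affected systems"),
]

Profile = Dict[str, int]  # outcome id -> score on the assumed 0..3 scale

# Constructed Current and Target Profiles for a hypothetical clinic.
CURRENT: Profile = {"GV-01": 1, "ID-01": 2, "PR-01": 1, "DE-01": 0, "RS-01": 1, "RC-01": 2}
TARGET: Profile = {"GV-01": 3, "ID-01": 3, "PR-01": 3, "DE-01": 2, "RS-01": 2, "RC-01": 2}


@dataclass(frozen=True)
class Gap:
    ident: str
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def validate(profile: Profile) -> None:
    """Reject unknown outcome ids and scores outside the assumed scale."""
    known = {o.ident for o in OUTCOMES}
    for ident, score in profile.items():
        if ident not in known:
            raise ValueError(f"unknown outcome {ident}")
        if not 0 <= score <= MAX_SCORE:
            raise ValueError(f"score {score} for {ident} outside 0..{MAX_SCORE}")


def gap_analysis(current: Profile, target: Profile) -> List[Gap]:
    """Return outcomes where the Target Profile exceeds the Current Profile,
    largest gap first. Ties keep the CSF Function order so governance gaps
    surface before downstream ones. An outcome missing from the Current
    Profile is treated as score 0 (not addressed)."""
    validate(current)
    validate(target)
    by_id = {o.ident: o for o in OUTCOMES}
    gaps = []
    for ident, tgt in target.items():
        cur = current.get(ident, 0)
        if tgt > cur:
            gaps.append(Gap(ident, by_id[ident].function, cur, tgt))
    order = {f: i for i, f in enumerate(FUNCTIONS)}
    return sorted(gaps, key=lambda g: (-g.size, order[g.function]))


def function_coverage(current: Profile) -> Dict[str, float]:
    """Fraction of the maximum score achieved per Function (0.0..1.0),
    a stakeholder-facing summary of the Current Profile."""
    totals: Dict[str, List[int]] = {f: [0, 0] for f in FUNCTIONS}
    for o in OUTCOMES:
        totals[o.function][0] += current.get(o.ident, 0)
        totals[o.function][1] += MAX_SCORE
    return {f: round(got / maximum, 2) for f, (got, maximum) in totals.items()}


if __name__ == "__main__":
    for g in gap_analysis(CURRENT, TARGET):
        print(f"{g.function:<9} {g.ident}  {g.current} -> {g.target}  (gap {g.size})")
    print(function_coverage(CURRENT))
```

With the constructed Profiles, the Govern, Protect, and Detect outcomes each show a two-point gap and are listed first, with the Govern outcome ahead of the others; the Recover outcome already meets its target and is omitted. Replacing the constructed outcomes with an organization's chosen CSF subcategories and its own scoring convention turns this into the prioritized improvement list the article describes.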

As cyberattacks continue to overwhelm the healthcare sector, implementing a reliable cybersecurity framework can help organizations prevent, prepare for, and recover from cyber incidents.
