HHS, HSCC Release Guidance to Help Healthcare Align With NIST Cybersecurity Framework

The new Framework Implementation Guide aims to help healthcare organizations better manage cybersecurity risks with the help of actionable steps aligned with the NIST Cybersecurity Framework.

HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide to help the healthcare sector manage cybersecurity risks amid an increasingly sophisticated threat landscape.

The guide aims to help healthcare organizations align their cyber programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

“To be effective in today’s constantly evolving threat and regulatory compliance landscape, health care organizations must adopt an approach that goes beyond the threats, vulnerabilities and controls du jour and helps communicate how cybersecurity investments result in meaningful risk reduction,” the guide’s foreword states.

“One way organizations can improve their ability to manage cyber-related risk is to adopt a comprehensive cybersecurity framework that can provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.”

The publication is not intended to replace other cybersecurity programs or to serve as a roadmap to compliance, the guide states. Rather, the voluntary guidance can help healthcare organizations bolster their existing programs and, ideally, reduce risk by aligning the sector with NIST's established framework.

HHS and HSCC described the guide as a “roadmap for health care and private health sector organizations to implement the NIST Cybersecurity Framework.”

Specifically, the guidance aims to help organizations identify and implement risk management best practices, provide a common language to manage cyber risk, and outline effective standards to manage risk in a cost-effective manner.

Healthcare cybersecurity experts have long championed the value of the NIST CSF in a healthcare setting. The framework is used across a variety of industries and organization sizes and can help the sector communicate risk in a more streamlined manner.

The publication points out numerous incentives for using the framework, such as the potential for reductions in cybersecurity insurance premiums and prioritized technical assistance from the federal government.

The guidance has been met with approval by Senator Mark Warner (D-VA), a long-time proponent of healthcare cybersecurity improvements.

“As cyber criminals continue to target health systems in order to steal or hold for ransom the sensitive medical data of American patients and jeopardize the daily operations of health care providers, I am pleased to see the Department of Health and Human Services issue new voluntary guidance to bolster health care cybersecurity,” Warner said.

“I applaud the Health Sector Coordinating Council Cybersecurity Working Group for working to translate cyber practices into appropriate standards for providers in the health care space. I look forward to continuing to work with cyber experts, health stakeholders, and officials in the Biden Administration to determine which voluntary measures we need to start requiring to ensure patient safety.”

The new guidance can also be used in conjunction with other publicly available cyber guidance, such as the Health Industry Cybersecurity Practices (HICP) guidance, a four-volume publication jointly released by HHS and HSCC in 2019 that also aligns with the NIST CSF.

Although the Framework Implementation Guide is entirely voluntary, organizations that choose to adopt it may be better able to manage cyber risk and improve their security programs.
