Tailoring NIST Framework for Healthcare
Industry-Specific Cybersecurity Guidelines in the Works
A draft of a healthcare-specific version of the upcoming National Institute of Standards and Technology's Cybersecurity Framework will be unveiled this fall.
NIST's framework, being developed as a result of an executive order from President Obama, will be a set of voluntary best practice guidelines intended to help protect the nation's critical infrastructure, which includes healthcare and many other sectors, such as financial services, energy distribution and transportation.
The healthcare sector version of the framework will address areas of cybersecurity that are important for organizations of all types and sizes, says Deborah Kobza, executive director of NH-ISAC, the national healthcare and public health critical infrastructure Information Sharing & Analysis Center.
NH-ISAC, which is leading the healthcare framework project, is one of many ISACs formed in the wake of the 9/11 attacks to address security issues in various sectors. The not-for-profit, public/private partnership works in collaboration with the Department of Health and Human Services and other agencies.
The group expects to release a draft of the healthcare version of the framework sometime in the fall after NIST issues its preliminary framework for public comment in October, Kobza says. NIST is expected to release its final framework for all sectors, including healthcare, next February.
The healthcare-specific framework will help organizations counter cyberthreats and provide a common foundation to support healthcare critical infrastructure resilience, Kobza says.
Reid Stephan, IT security manager at St. Luke's Health System in Idaho, is hopeful that the framework will prove practical in addressing real-world security concerns. For example, he hopes it will address security for medical devices.
The healthcare version of the framework will include use cases on how the NIST Cybersecurity Framework can be implemented, Kobza explains.
"About 70 percent of the NIST framework to support the nation's critical infrastructure will be the same regardless of industry," she says. "There are lots of health industry regulations around cybersecurity, and the healthcare sector version will address those needs."
For instance, the NH-ISAC version of the NIST framework will take into consideration the cybersecurity matters related to the HITECH Act, HIPAA and Food and Drug Administration activities, she says.
In addition, "any framework for critical infrastructure needs to address small organizations as well as large business. For healthcare that includes hospitals big and small, big pharmaceutical companies, and small physician practices," she says.
In February, Obama issued an executive order directing NIST, working with the private sector, to develop a framework to reduce cybersecurity risks that the mostly private operators of the nation's critical infrastructure could adopt voluntarily (see: Obama Issues Cybersecurity Executive Order).
The NIST Cybersecurity Framework will provide a risk-based approach for cybersecurity protection of national critical infrastructure systems and functions at all levels, Kobza says. NIST's framework core will offer a way to take "a high-level, overarching view of an organization's management of cybersecurity risk and includes a compendium of informative references, existing standards, guidelines and practices," Kobza says. The healthcare sector version will build upon that, she adds.
A special version of the framework that addresses healthcare sector needs would be useful, say some healthcare data security leaders.
"While the framework will be generally applicable, each industry has unique needs that would benefit from specific guidance," says Stephan of St. Luke's Health System.
"In healthcare, for example, there is the area of clinical engineering that presents a particular challenge," he says. "[Medical] devices have moved from stand-alone care solutions to systems that run traditional operating systems, require network connectivity, and often have imposed limits from the manufacturer on what controls can and can't be applied to them. I would love to see a healthcare-specific element of the framework provide input in this area."
However, another security leader cautions that it's important that a healthcare sector version of a national cybersecurity framework not become overly granular or too jargon-laden.
"I believe a healthcare-specific framework will be helpful if it provides concrete direction and guidance for how specific controls can be mapped back to regulations," says Jennings Aske, chief information security and privacy officer of Partners HealthCare, a health delivery network that operates several Boston-area hospitals, including Massachusetts General. "My concern is that the framework must not 'isolate' from other industry verticals by introducing a healthcare-specific vernacular."
Nonetheless, Aske says he'd like the healthcare iteration of the NIST Cybersecurity Framework to reflect several facets of care delivery.
"The framework must account for industry-specific use cases. As an example, the manner in which hospitals implement inactivity timeouts in an emergency department is different than a billing office," he says. "A 15-minute timeout in the ED could adversely affect urgent patient care, while it is appropriate for the billing office. Thus, the controls must be 'reasonable and scalable' as HIPAA itself recommends."
"Additionally, I would like the framework to provide recommended controls for emerging threats for healthcare, including telephony denial-of-service [attacks] and BYOD," Aske says.
For more information about a debate on whether the NIST framework should include cyber-insurance, see: Debating the Maturity of Cyber-Insurance.