At first glance, the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) may seem daunting. With 98 subcategory outcomes spread across five core Functions, each designed to target a specific cybersecurity risk category, the thought of implementing this framework into an established healthcare system could serve as a deterrent. But, it’s not as difficult a task as one might perceive and the benefits far outweigh the repercussions of not having a formal security baseline in place.
Throughout this past year, Symantec has hosted a webinar series that attempted to demystify the NIST CSF for the healthcare community. The framework, as embodied by these subcategory outcomes, not only serves as the backbone of a sound risk management strategy, but works to unify the different parts of a healthcare organization to improve overall security. The goal of the webinar series was to identify the key elements of the framework and offer clear recommendations on how to easily, and effectively, integrate it to drive the most impactful outcomes.
As you know, healthcare organizations have not always made cybersecurity a top priority. That is understandable with the wide-range of tasks they must manage. A lack of attention, though, has had an adverse effect. The healthcare industry has fallen toward the bottom of the pack when compared to other industries in terms of protecting data. Adopting the NIST CSF can help improve this by enabling healthcare organizations to see where they are at the most risk.
The framework focuses on five core functions: Identify, Protect, Detect, Respond and Recover. All of these are crucial parts of a cybersecurity ecosystem, but they all follow the same basic premises: organizations can only protect what they know they have. Offering a way for organizations to improve visibility into their networks and identify potential blind spots, the NIST CSF serves as a basis to build out a robust cybersecurity system.
The webinar series has touched on each part of the NIST CSF with Symantec experts highlighting the different key components of the framework’s core functions. More than anything, though, the series showed how cybersecurity is truly an organization-wide responsibility. While information technology departments serve as the stewards of cybersecurity, it takes everyone in an organization – from the CXO to management to all employees – working together and being responsible to keep systems secure.
The NIST CSF is not simply a checklist of things to do but a comprehensive way for healthcare organizations to understand, and ultimately, minimize the cybersecurity risk they face. While approximately 100 subcategory outcomes organizations will prioritize the controls they address in alignment with their business/mission priorities, regulatory requirements, budget, and risk appetite.
In the final webinar of the series, Symantec shared some key tips for healthcare organizations looking to take that first step, providing the following recommendations:
- Create a security controls policy, which provides a high-level description of objectives along with the framework for those impacted.
- Document roles and responsibilities so each team or department knows who is responsible for what aspect of implementation.
- Document standard operating procedures that explain how the different controls should be implemented. They need to be filtered by team and department and document how they should be done, as well as when and what artifacts will be kept once completed.
- Document detailed task lists for each team and department, including who is responsible for each task and when it needs to be done.
- Assign tasks. Standard operating procedures and scripts can be adjusted following the original implementation for future use to improve the process.
There are multiple paths an organization can take when leveraging the NIST CSF, but each is designed to help improve their cybersecurity posture based on their needs and requirements. Too often organizations do not take the time to step back and view cybersecurity from an enterprise level and look at cyber risks from the larger business perspective. As threats become more complex and the number of attacks against healthcare organizations continue to grow, it is important to understand the risks an organization faces and create a plan to address them.
The NIST CSF has already proven to be an effective tool for government agencies, educational institutions and private sector companies. As healthcare organizations continue to be a prime target of hackers, it is critical that they leverage the NIST CSF to improve cybersecurity and ensure that their data, especially PHI, remains protected, but also that they maintain the ability to serve their community and deliver care.
If you found this information helpful, you may also enjoy:
We encourage you to share your thoughts on your favorite social platform.