Healthcare Online User Group

Demystifying the NIST Cybersecurity Framework for Healthcare 

May 12, 2017 02:04 PM

The Presidential Policy Directive/PPD 21 of February 12, 2013 on Critical Infrastructure Security and Resilience identified 16 sectors as critical infrastructure, including Healthcare and Public Health. Yet, healthcare has been the only one that has not adopted a formal cybersecurity framework. With recent developments in Congress and the Department of Health and Human Services, that could change. Adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) in healthcare is becoming more of a potential reality.

The first question many healthcare organizations will likely ask is why the NIST CSF? For us at Symantec the answer is pretty straightforward: It is an excellent cybersecurity framework for organizations in any sector. We thought so much of it that we adopted it for our own company while it was still in draft form.

The NIST CSF is a voluntary framework with a common, flexible and adaptable structure that can be used by a wide variety of organizations. The creation of the CSF was a collaborative process between government and the private sector (full disclosure: Symantec played a key role throughout the development of the framework).

What is it though that makes the CSF so valuable? More than anything, it provides a way for organizations to regularly evaluate their current cybersecurity risk posture and offers guidance on how to remedy those issues to a level that the system owner can accept.

The framework focuses on five core functions: Identify, Protect, Detect, Respond and Recover. All of these are crucial parts of a cybersecurity ecosystem, but they all follow the same basic premise: cyber professionals can only protect what they know they have. By offering organizations a way to improve visibility into their networks and identify potential blind spots, the CSF serves as a basis for building out a robust cybersecurity program that detects and mitigates the most critical threats on an ongoing basis.

The CSF can become the de facto gold standard for healthcare organizations that want to show cybersecurity due diligence and are looking for a security framework to help them comply with industry requirements, like HIPAA. The federal government, for example, has already mapped FISMA metric reporting to the CSF, and federal regulatory bodies are incorporating it into assessments. There is a reason we are seeing more and more healthcare organizations embracing this framework. It was created to provide a widely adopted and standardized approach to continually assess and improve an organization’s security posture. Over time it has provided sectors with a straightforward way to determine risk and improve their overall cybersecurity policies, procedures and operations.

So where do healthcare organizations start with the NIST CSF? What do you monitor? And how do you define and prioritize a path forward? Symantec has built out this blog and webinar series to discuss the benefits of adopting the NIST CSF, identifying gaps in your security program based on the framework, and taking a practical approach to addressing the core functions to achieve automated risk management.

Future blogs and webinars will dig deeper into its different functions, but to kick off the series we wanted to take a little of the mystery out of it. Our recent webinar looked further into the CSF with an eye towards the healthcare market, providing an overarching view of what the framework includes. To listen to the first webinar in the series, “Demystifying the NIST Cybersecurity Framework for Healthcare”, click here.

And we hope you can join us for the June 1st webinar, Using the NIST Cybersecurity Framework to Identify Protected Health Information, as we look at the Identify function, knowing that you can’t protect what you don’t know you have, and why it must be the first step in protecting your sensitive data and patient information.