Today’s threat landscape is driven by digital transformation and the outsourcing of critical operations to third-party vendors. Cybercriminals’ high demand for sensitive data paired with a historical lack of cybersecurity investment across the industry is cause for concern. Healthcare organizations recognize they have the choice to either increase their cyber spending or inevitably fall victim to a costly data breach.
However, investing in cybersecurity solutions alone isn’t enough. Organizations must commit to implementing a robust information security policy bolstered by frameworks that help identify and manage cybersecurity risks consistently and effectively.
One such framework is the National Institute of Standards and Technology Cybersecurity Framework for Improving Critical Infrastructure (NIST CSF). Many healthcare organizations have adopted it to meet the challenge of upholding high security standards in an industry facing extreme cyber risk.
This article addresses how the NIST CSF applies to healthcare organizations and how they can leverage it to achieve security posture maturity.
What is the NIST CSF?
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is an adaptable set of fundamental guidelines designed to mitigate organizational risks and strengthen overall organizational security.
The NIST Cybersecurity Framework consists of three main components:
1. The Framework Core
The Core consists of three parts:
- Functions: Identify, Detect, Protect, Respond, and Recover. These five Functions apply to cyber risk management and, more broadly, to risk management in general.
- Categories: There are 23 categories split across the five functions, covering the breadth of cybersecurity objectives (cyber, physical, personnel, and business outcomes).
- Subcategories: There are 108 subcategories split across the 23 categories. These outcome-driven statements provide considerations for creating or improving a cybersecurity program.
2. The Framework Profile
The Framework Profile is the unique way an organization aligns its business requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities to improve security standards and mitigate risk in an organization.
3. The Framework Implementation Tiers
The Framework Implementation Tiers provide context on how an organization views cybersecurity risk management and are often used as a communication tool to discuss risk appetite, mission priority, and budget.
Other NIST Publications
NIST has released over 200 cybersecurity publications, including NIST 800-53.
NIST 800-53 initially established security controls and privacy controls that applied only to federal and other government entities.
The security framework's latest revision (Revision 5) has broadened its focus to apply to non-government entities, including healthcare organizations. Revision 5 integrates privacy controls into security controls, creating a unified set of controls for systems and organizations.
In July 2022, NIST announced a draft publication, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2). NIST cybersecurity specialist Jeff Marron describes the publication as a “resource guide” that health care organizations can use “to improve their cybersecurity posture and comply with the [HIPAA] Security Rule.”
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that mandates the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The HIPAA Security Rule requires that any Covered Entity that creates, receives, maintains, or transmits electronic protected health information (ePHI) safeguard that data sufficiently.
Covered entities include:
- Health plans
- Health care providers
- Health care clearinghouses
- Business associates
Why Should the Healthcare Sector Comply With NIST CSF?
Healthcare services are prime targets for cyber attacks, facing a sharp increase in ransomware and supply chain attacks. The valuable data they store includes electronic protected health information (ePHI), containing names, addresses, financial details, and other personal data. Hackers sell this information on the dark web for top dollar, allowing other cybercriminals to commit lucrative crimes, such as identity theft and insurance fraud.
According to IBM Security research, the cost of a data breach in the healthcare industry rose to US$10.10 million in 2022. Organizations must strengthen their information technology protection strategies to avoid the sting of harsh legal action and regulatory fines.
While NIST compliance is only mandatory for federal entities and their contractors, it’s highly recommended that private healthcare organizations also achieve compliance. Healthcare organizations can realize the following benefits through the NIST CSF:
- Cost reductions: NIST CSF is a free resource that organizations can use as a foundation to underpin and guide their cybersecurity program. An established framework allows organizations to dedicate their time and resources to higher-level risk management activities.
- Adaptability: The NIST framework is suitable for all organizations, including healthcare. Its flexibility allows healthcare organizations to continue to adapt the framework as their security posture evolves and their cybersecurity programs scale.
- Improved compliance: Healthcare cybersecurity is highly regulated, and achieving and managing compliance requires organizations to invest heavily in rigid governance, risk, and compliance (GRC) strategies. The NIST CSF simplifies the task of upholding regulatory compliance because its outcomes map to mandatory requirements, such as HIPAA and ISO 27001.
How Does the NIST CSF Map to Other Healthcare Regulations?
NIST offers several resources for healthcare organizations to optimize their implementation of the Cybersecurity Framework, enabling interoperability with mandatory industry requirements. One of the most well-known publications is the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, authored by The Department of Health and Human Services (HHS).
The Crosswalk details how healthcare organizations can devise a security program that aligns with the HIPAA Security Rule and NIST CSF.
The document helps organizations improve their cybersecurity programs in the following ways:
- Helps identify vital cybersecurity gaps and prioritize remediation by highlighting where the HIPAA Security Rule and the NIST CSF do not overlap.
- Provides a common language for organizations to communicate their cybersecurity programs’ activities and outcomes.
- Enables mapping to other compliance requirements, such as ISO 27001, COBIT, HITRUST, and NIST SP 800-53.
How Can Healthcare Organizations Successfully Implement NIST CSF?
NIST CSF provides healthcare organizations with a holistic approach to improving their cybersecurity postures. It can help identify security gaps and create a baseline standard for cybersecurity programs. It cannot, however, defend against the ever-growing list of cyber threats and vulnerabilities on its own. Organizations must instead view NIST CSF as a guide for identifying the right technologies to drive their defensive efforts.
Combined with a complete defense-in-depth strategy, the framework can help organizations achieve the coverage required to combat malicious cyber activity against healthcare systems.
A comprehensive attack surface management platform can help health IT teams cover the following cybersecurity best practices:
Assessing Third-Party Compliance
Healthcare organizations must perform due diligence on their third-party vendors. Any data breached by a vendor remains the organization's responsibility, along with the reputational, legal, and financial consequences. If a third party doesn’t comply with the organization's requirements, the organization itself is also at risk of non-compliance.
A fully automated vendor risk management solution, like UpGuard Vendor Risk, can help organizations gain better visibility over third-party compliance, including NIST compliance.
Vendor Risk fully automates the risk assessment processes through pre-built NIST questionnaires and automated remediation workflows for identified risks.
Data Breach Prevention
Data breaches are rampant in the healthcare industry. Health data is a high-value commodity on the dark web, encouraging cybercriminals to focus their malicious activity on the sector. Healthcare organizations must remain one step ahead of attackers by protecting their exposed assets. Continuous attack surface monitoring is the most effective and efficient way of identifying and remediating cyber risks before they escalate into security breaches.
An automated attack surface monitoring platform, like UpGuard BreachSight, provides real-time insights into an organization’s security posture and can instantly discover cyber threats and vulnerabilities.
Data Leak Detection
Data leaks are an easy attack vector for cybercriminals seeking a direct path into healthcare organizations’ systems. These accidental exposures can have devastating effects when left in the wrong hands. Fast detection and remediation are crucial to stopping data leaks in their tracks before they lead to breaches.