Security threats in healthcare keep growing. It can be difficult to keep up with how to respond to constantly changing tactics used by sophisticated hackers.
New help has arrived from HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group. They have just issued the Cybersecurity Framework Implementation Guide to help the healthcare and public health sectors manage increasing cybersecurity risks.
The National Institute of Standards and Technology (NIST) is a critical resource for the IT profession, with expert advice and guidance. NIST is a non-regulatory agency of the U.S. Department of Commerce leading innovation in science, engineering and measurements, as well as information technology. This latest cybersecurity framework Guidance can be used by seasoned IT security professionals as well as a more general audience of healthcare leadership and compliance managers.
From the Guidance foreword:
“One way organizations can improve their ability to manage cyber-related risk is to adopt a comprehensive cybersecurity framework that can provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.”
The Guidance is voluntary and is not meant to replace other cybersecurity programs or provide a roadmap to compliance. Rather, it can help healthcare organizations bolster their existing programs and ideally reduce risk by aligning the healthcare sector with NIST’s robust framework.
This Guidance will help an organization’s leadership to:
- Understand NIST Cybersecurity Framework terminology, concepts, and benefits,
- Assess their current and targeted cybersecurity posture,
- Identify gaps in their current programs and workforce,
- Identify current practices that help address recommended NIST Cybersecurity Framework outcomes.
The new guidance can also be used together with other publicly available cybersecurity guidance, such as the Health Industry Cybersecurity Practices (HICP) guidance, a four-volume publication jointly published by HHS and HSCC in 2019 that also aligns with the NIST CSF. The Quick Start Guide to the HICP is here.
The NIST Framework and the HIPAA Security Rule
A full HIPAA Risk Analysis evaluates risks under all the HIPAA rules: Privacy, Security and Breach Notification. The NIST cybersecurity framework (CSF) is an essential support to the Security Rule portion of the Risk Analysis, so the new CSF Guidance can strengthen and support your HIPAA Risk Analysis.
For a full review of how to get started see the HIPAA Risk Analysis Checklist.
If you need to update your Security Risk Assessment, review the new Guidance to ensure you’re using the latest strategies to counter the latest attack tactics.
At The HIPAA E-Tool® we understand how daunting and time consuming it can be to stay up-to-date and keep HIPAA compliance strong. If you need help, we have time and can help you stay current, strengthen your compliance, and keep patient data secure.