A Guide To The NIST Cybersecurity Framework

Posted by Ken Reiher

4 Key Points To Consider When Adopting A Cybersecurity Framework At Your Organization

ComplyAssistant and Sensato recently contributed an article on the NIST Cybersecurity Framework to Health Data Management. The following blog post covers some of the key points.

Cyberattacks. It’s rare to turn on the news without hearing about a major organization that has become the victim of an online assault. Unfortunately, much more cybercrime is taking place under the media’s radar, and large corporations and national governments aren’t the only targets. Local governments, small businesses and healthcare organizations are prime targets for attackers.

The National Institute of Standards and Technology (NIST) issued its Cybersecurity Framework in 2014 to help any organization safeguard its data against cyberattacks. The 2014 guidelines were updated in 2018 to include a focus on third-party vendor security controls. The framework includes standards and guidelines for protecting sensitive data, and best practices to manage cybersecurity risk. This post explains the basics of the framework and offers a short list of its advantages.

Benefits of the NIST Cybersecurity Framework

  • NIST offers the framework for use by any organization free of charge.
  • The framework can help healthcare organizations maintain compliance with the HIPAA Security Rule.
  • The flexible design allows healthcare organizations to customize components to best serve their needs.

The Fundamentals of the NIST Cybersecurity Framework

The framework consists of five core functions:

  • Identify—Develop an organizational understanding of risks to cybersecurity
  • Protect—Develop and implement safeguards for critical data
  • Detect—Implement practices to identify cybersecurity threats
  • Respond—Establish appropriate action in the event of a cybersecurity breach
  • Recover—Develop plans for restoration of any capabilities or services impaired due to a cyberattack

These elements provide a basic guideline for cybersecurity. Organizations can make the most of the framework by customizing the design to fit their specific objectives.

How to Effectively Implement the Cybersecurity Framework

Implementing NIST’s framework is relatively simple once an organization understands its core elements. Here are a few points to keep in mind:

  • Time—Healthcare organizations that move to implement the framework must consider the time required for adoption. Though implementation can be achieved within three months, the time frame will vary by organization.
  • Resources and Maintenance—Many healthcare organizations lack sufficient resources to properly analyze their systems and maintain the framework. In this case, healthcare providers interested in the framework must allocate the appropriate resources to protect their data.
  • Security Viewpoint—Due to the nature of cybersecurity in the modern world, security must be a fundamental priority of every healthcare organization. Organizations need to invest in technical solutions that prove ROI, including the ability to report breach prevention.
  • Organizational Politics—Healthcare organizations should have a CISO independent from the IT team. This supports unbiased reports on cybersecurity issues.

To learn more about managing your organization’s cybersecurity program, contact ComplyAssistant.