What’s Keeping You From Using The NIST Cybersecurity Framework

May 14, 2018   |   Ken Reiher

Recommendations For Adopting A Framework That Works For You

Authors: Gerry Blass, President & CEO, ComplyAssistant; John Gomez, CEO, Sensato

The use of cybersecurity frameworks is becoming more prevalent due to pervasive threats and attacks across the healthcare industry. Large organizations are now especially motivated to adopt a framework and implement tighter, more consistent controls.

The NIST Cybersecurity Framework is designed to help organizations establish the minimum viable policies, procedures and practices to safeguard against theft of data or attacks on their systems. And, while organizations are not required to use the NIST Cybersecurity Framework, or report on the type of framework in place, they must at the very least comply with the HIPAA Security Rule, which has been crosswalked to the NIST Cybersecurity Framework.

Here we outline some fundamental questions and recommendations for instituting a cybersecurity framework.

Challenges with administering the NIST Cybersecurity Framework

If you haven’t started down the path of using the NIST Framework, here are five questions you should be asking:

  1. Do you know it is free? Though it’s been four years since NIST issued the first version of its Cybersecurity Framework, many organizations still don’t know it exists. Unlike the HITRUST CSF®—which is proprietary and can be very expensive—the NIST Framework is available at no cost to any organization regardless of size.
  2. Do you know what it takes to implement? We find that many compliance and IT leaders have not taken the time to truly understand the Framework. Once you dive in, it’s really not that complicated. The Framework consists of five functions—Identify, Protect, Detect, Respond and Recover. The design is flexible enough for organizations to implement sections at a time, based on their level of sophistication and resources. We typically experience a three-month implementation, but that can differ depending on the type of organization. And then, you must plan to fill gaps and maintain the Framework.
  3. Are you properly resourced for implementation and ongoing maintenance? Healthcare organizations previously have not invested enough to properly analyze their systems, manage change and focus on long-term controls. While this status quo is changing due to the rise in healthcare data breaches, securing funds is a slow-moving ship. And, for smaller organizations with more restricted budgets, resource allocation will continue to be an issue.
  4. Is security a foundational requirement, or still seen as a cost center? In today’s environment, security should be the foundation for everything else occurring at the hospital. In our opinion, it’s even more important than implementing an EMR. But traditionally, security is considered a cost center, without a return on investment. Now, instituting frameworks such as NIST’s can be perceived as preventing potential expenses due to a breach—which could be tied to a positive ROI. In addition, organizations need to invest in technical solutions that prove ROI, including the ability to report breach prevention.
  5. Where does your CISO sit? There are often internal political struggles that prevent a cohesive strategy and implementation. The CISO should always be an unbiased party separate from the IT team, with the freedom to report accurately on issues without undue influence. This will result in the best recommendations and security practices for your organization.

How to overcome those challenges

Here’s a brief checklist to optimize the NIST Cybersecurity Framework for your organization:

  • Review the NIST Framework. Decide if it works for you. If it doesn’t, choose a cybersecurity framework that makes better sense for your organization.
  • Hire or designate a CISO who is independent from the IT team.
  • Secure immediate and ongoing funding for security resources.
  • Fund the purchase and maintenance of technical equipment.
  • Institute and enforce proper governance over your Framework.
  • Ensure visibility and accountability from the C-suite.
  • Contact a cybersecurity expert who can guide you through the process. You don’t have to be alone.

As you’ve undoubtedly heard, if not said yourself—it’s not a matter of if, but when, an attack will occur. Our recommendation? Adopt a framework that suits your organization and stick to it. You can always evolve your framework over time. The key is to get started and keep it going.