The U.S. Department of Health and Human Services and the Health Sector Coordinating Council Cybersecurity Working Group released a new guide Wednesday to help the public and private sectors in healthcare better align their information security programs with the National Institute for Standards and Technology’s Cybersecurity Framework.
WHY IT MATTERS
Helping the public and private healthcare sectors prevent cybersecurity incidents has become an issue of national concern for critical infrastructure protection.
In that spirit, NIST and other federal agencies contributed substantially to the content of the new Cybersecurity Framework Implementation Guide, according to the HSCC announcement.
The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program, the Health Industry Cybersecurity Practices, said Erik Decker, HSCC Cybersecurity Working Group Chair and chief information security officer at Intermountain Healthcare, in the council’s statement.
“With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients and make the sector more resilient,” said Decker.
The new guide is timely, following the release of the White House National Cybersecurity Strategy calling for a coordinated approach between the government and private sector to help defend critical infrastructure, according to John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk.
“Adherence to the framework might be used to demonstrate implementation of recognized cybersecurity practices to qualify for regulatory relief for cyberattack victims provided under Public Law 116-321,” Riggi noted in a statement about the new cybersecurity framework guide posted to the AHA website.
Robert Booker, chief strategy officer at HITRUST, echoed the timeliness and value of the guide with respect to providing cybersecurity program validation in an email to Healthcare IT News yesterday.
“Healthcare-regulated entities like all critical infrastructure industries may anticipate requests from regulators to further demonstrate mature cybersecurity,” Booker said.
“The use of this implementation guide and the NIST Cybersecurity Framework can serve as the basis for assessing and demonstrating the presence of controls across the enterprise and evidence of active and consistent control maturity as the NIST Cybersecurity Framework is acknowledged as Recognized Security Practices, along with Health Industry Cybersecurity Practices, by the HHS Office of Civil Rights guidance in response to the 2021 HITECH Act,” he said.
Bryan Cline, chief research officer at HITRUST and co-chair of the HSCC Cybersecurity Working Group’s Risk Assessment Task Group, added that the updates in the new implementation guide support control framework-based risk analysis, which allows organizations to use references like NIST SP 800-53 and the HITRUST CSF “to greatly simplify the HIPAA risk analysis requirement.”
“The ongoing and sustained leadership across the private and public sector on this important work is critically important to healthcare organizations seeking to manage cyber risk, identify opportunities for improvement and leverage risk analysis principles critical to the HIPAA Security Rule alongside the NIST Cybersecurity Framework,” he said.
THE LARGER TREND
HICP, which followed the Cybersecurity Act of 2015, and aligned with the NIST framework, has served as a cyber preparedness “cookbook” with recipes for readiness and was expected to evolve with more recent legislation impacting the 405(d) program.
“It gets you out into the deep details pretty quickly and succinctly, to get tactical and do some blocking and tackling,” Decker told Healthcare IT News in 2019.
While HICP and its supplemental materials have been the cornerstone publication of 405(d), in the foreword of the new implementation guide, the HHS Administration for Strategic Preparedness & Response cites a “lack of attention to regulatory compliance increases the risk of delivery of care, in addition to fines and other penalties.”
“Many, if not most, healthcare organizations struggle with managing cybersecurity effectively. The [OCR] HIPAA Audits Industry Report found that 86% of covered entities and 83% of business associates (85% collectively) did not meet expectations for a risk assessment,” ASPR said.
“For risk management, 94% of CEs and 88% of BAs (91% collectively) did not meet expectations.”
In December, Greg Garcia, HSCC executive director, told attendees of the HIMSS Healthcare Cybersecurity Forum that the protection of healthcare as critical infrastructure is a collective responsibility and noted that more than 700 members of the council have created a number of free resources to defend against sector-wide problems like cyberattacks.
“These need to be implemented. They are not shelfware,” he said.
ON THE RECORD
“As cyber criminals continue to target health systems in order to steal or hold for ransom the sensitive medical data of American patients and jeopardize the daily operations of healthcare providers, I am pleased to see [HHS] issue new voluntary guidance to bolster healthcare cybersecurity,” said Sen. Mark Warner, D-Virginia, in a statement.
“I applaud the [HSCC] Cybersecurity Working Group for working to translate cyber practices into appropriate standards for providers in the healthcare space. I look forward to continuing to work with cyber experts, health stakeholders and officials in the Biden Administration to determine which voluntary measures we need to start requiring to ensure patient safety.”
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a HIMSS Media publication.
Source : Healthcare IT News