The federal government has published an initial framework for improving cybersecurity throughout the nation and across industries.
The Cybersecurity Framework Version 1.0 comes from the National Institute of Standards and Technology, which has worked for the past year with stakeholders across the country, following an executive order from President Obama for development of such a framework.
The framework is in the nature of guidance, based on the level of cyber risk that an industry or entity faces, and voluntary. It includes three main components: Core, Tiers and Profiles. “The core presents five functions--identify, protect, detect, respond and recover--that taken together allow any organization to understand and shape its cybersecurity program,” according to a NIST explanation. “The tiers describe the degree to which an organization’s cybersecurity risk management meets goals set out in the framework and range from informal, reactive responses to agile and risk-informed. The profiles help organizations progress from a current level of cybersecurity sophistication to a target improved state that meets business needs.”
NIST also released a “Roadmap” of major areas for cybersecurity development, alignment and collaboration in future versions of the framework. The agency sees the framework as a living document updated as threats, technologies and business factors change.
In the health care industry, stakeholders in recent years have developed a more comprehensive prescriptive and voluntary Common Security Framework (CSF) to assess and enhance an organization’s cybersecurity preparedness with industry-specific requirements. Stakeholders came together under an alliance called HITRUST to build the CSF, along with supporting tests and a certification program. Providers, payers and vendors are among the organizations that can implement the CSF and a growing number of insurance companies require their business associates to comply with the CSF and submit assessments of compliance.
A dozen organizations comprising providers and insurers expect in March to conduct a cyber attack exercise under the HITRUST umbrella. These will be real but harmless attacks on the organizations’ networks to assess their capability to detect and respond.
Daniel Nutkis, CEO at HITRUST says that while the new federal guidance has value, the Common Security Framework is one area where health care is ahead of other industries. HITRUST soon will incorporate the federal framework into the CSF.
Originally published by Health Data Management. Published with permission.