HHS, HSCC publish guidance to help healthcare sectors align cybersecurity programs with NIST CSF

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) published Wednesday a new guide to help the public and private healthcare sectors align their cybersecurity programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The joint industry-government publication seeks to help health providers and companies implement the NIST CSF, enabling healthcare organizations to assess their current cybersecurity practices and risks and identify gaps for remediation.

The guide, titled ‘Health Care and Public Health Sector Cybersecurity Framework Implementation Guide,’ serves as a roadmap for healthcare and private health sector organizations to implement the NIST Cybersecurity Framework. It includes guiding risk management principles and best practices, providing common language to address and manage cybersecurity risk, outlining a structure for organizations to understand and apply cybersecurity risk management and identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs.

The document helps healthcare and public health (HPH) sector organizations understand and use the NIST CSF’s informative references to achieve the goals of the NIST CSF. Last week, the HSCC Cybersecurity Working Group published the Health Industry Cybersecurity – Managing Legacy Technology Security (HIC-MaLTS) guide, which addresses the management of cyber risk caused by legacy technologies used in healthcare environments.

The guide comes in the wake of a marked increase in the U.S. in the use of digital technologies and cyber-physical systems (CPS), which in healthcare are critical integrations of networks of medical devices. These systems are progressively used in hospitals to deliver continuous high-quality health care, and their spread increases exposure to cyber-attacks, which target an organization’s use of cyberspace to steal information or to disrupt, disable, or destroy related information resources.

The guide identified that one of the examples of CPS in the HPH sector is medical devices, which are ‘increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device.’

The NIST CSF, when applied through the lens of a comprehensive risk analysis that specifically includes CPS-related threats, will help further ensure patient safety in addition to protecting sensitive health information and individual privacy.

Security controls are the safeguards or countermeasures employed within a system or an organization to protect the confidentiality, integrity, and availability of the system and its information and to manage information security risks. Privacy controls are the administrative, technical, and physical safeguards employed within a system or an organization to manage privacy risks and to ensure compliance with applicable privacy requirements. 

Security and privacy controls are selected and implemented to satisfy security and privacy requirements levied on a system or organization. Security and privacy requirements are derived from applicable laws, executive orders, directives, regulations, policies, standards, and mission needs to ensure the confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individual privacy.

The NIST Cybersecurity Framework also provides the structure needed to ensure industry sectors and organizations address three additional key elements of a robust and comprehensive cybersecurity program: threat modeling, threat intelligence, and collaboration. 

Threat modeling may be accomplished either through a traditional risk analysis or the selection of a control baseline from an appropriate security framework. Threat intelligence is essential for an organization to understand and proactively address active and emerging cyber threats, and collaboration with other public and private sector entities allows an organization to address cyber threats more efficiently and effectively than it otherwise could.

Organizations have unique cybersecurity risks, including different threats, vulnerabilities, and risk tolerances, all of which affect the benefit they get from investing in cybersecurity risk management. They must therefore apply the principles, best practices, standards, and guidelines provided in the NIST CSF to their specific context and implement practices based on their own needs.

The HPH sector embraces the flexibility the NIST CSF offers but recognizes organizations’ potential need for more guidance on how to specifically apply the framework to their particular situation. In addition, the HPH sector recognizes the potential of the NIST CSF to improve cybersecurity risk management efforts across all critical infrastructure industry sectors.

The guide calls for a generic implementation approach that can be modified to accommodate a controlled framework-based approach to risk analysis and control specification. 

“The primary reason for the modification is that, for those organizations that already leverage or intend to leverage one or more Informative References, Target Profiles are easily obtained once organizations are able to scope their organization and systems and then tailor the Informative Reference(s) to address any unique threats/risks,” the guide said. “There is no need to develop a Current Profile beforehand. Placement of the Current and Target Profiles can subsequently be reversed, although some basic information about the state of the organization’s cybersecurity program will necessarily be ascertained before the Target Profile is complete,” it added.

When it comes to the ‘Implementation Process,’ the CSF can be used to compare an organization’s current cybersecurity activities with those outlined in the Framework Core. Through the creation of a Current Profile, organizations can examine the extent to which they are achieving the outcomes described in the Core Categories and Subcategories, aligned with the five high-level functions – Identify, Protect, Detect, Respond, and Recover. 

“An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Alternatively, an organization may determine that it has opportunities to (or needs to) improve,” according to the guide. “The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve certain outcomes and use this information to reprioritize resources.”

The implementation approach can help organizations leverage Informative References to establish a strong cybersecurity program or validate the effectiveness of an existing program. It enables organizations to map their existing program to the NIST Cybersecurity Framework, identify improvements, and communicate results. It can incorporate and align with processes and tools the organization is already using or plans to use.

“The process is intended to be continuous, repeated according to organization-defined criteria (such as a specific period or a specific type of event) to address the evolving risk environment,” the guide said. “Implementation of this process should include a plan to communicate progress to appropriate stakeholders, such as senior management, as part of its overall risk management program. In addition, each step of the process should provide feedback and validation to previous steps.” 

The guide also said that validation and feedback provide a mechanism for process improvement and can increase the overall effectiveness and efficiency of the process. “Comprehensive and well-structured feedback and communication plans are a critical part of any cybersecurity risk management approach,” it added.
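The Current Profile versus Target Profile comparison described above, worked as a small added example (this is illustrative code, not part of the guide or any HHS/HSCC tool). It assumes a constructed 0-4 achievement scale per Subcategory, a constructed Informative Reference baseline and constructed risk weights; the Subcategory identifiers are real NIST CSF 1.1 ones. It follows the target-first ordering the guide permits: the Target Profile is derived from a tailored Informative Reference, then compared with the Current Profile to flag gaps and overinvestment.

```python
"""Current/Target Profile gap analysis in the style the HPH guide describes."""
from dataclasses import dataclass

# Achievement scale for a Subcategory outcome: 0 = not performed ... 4 = fully achieved.
# This scale and every profile value below are constructed sample data, not from the guide.

# Constructed "Informative Reference" baseline: the level a chosen control baseline
# implies for each Subcategory (identifiers are NIST CSF 1.1 Subcategories).
BASELINE = {"ID.AM-1": 3, "PR.AC-1": 4, "DE.CM-1": 3, "RS.RP-1": 3, "RC.RP-1": 3}

def build_target_profile(baseline, tailoring):
    """Target-first approach: start from the Informative Reference baseline and
    tailor it to the organization's unique threats/risks (raise or lower levels)."""
    profile = dict(baseline)
    profile.update(tailoring)
    return profile

@dataclass
class Finding:
    subcategory: str
    current: int
    target: int
    status: str    # "gap", "met" or "overinvested"
    priority: int  # larger = address first; 0 when there is no gap

def gap_analysis(current, target, risk_weight):
    """Compare the Current Profile with the Target Profile, flagging outcomes to
    remediate and outcomes where the organization is overinvesting."""
    findings = []
    for sub, tgt in target.items():
        cur = current.get(sub, 0)  # no evidence for an outcome counts as not performed
        if cur < tgt:
            status, prio = "gap", (tgt - cur) * risk_weight.get(sub, 1)
        elif cur > tgt:
            status, prio = "overinvested", 0
        else:
            status, prio = "met", 0
        findings.append(Finding(sub, cur, tgt, status, prio))
    return sorted(findings, key=lambda f: -f.priority)  # stable: ties keep Core order

def action_plan(findings):
    """Ordered remediation list: gaps only, highest risk-weighted shortfall first."""
    return [f.subcategory for f in findings if f.status == "gap"]

if __name__ == "__main__":
    target = build_target_profile(BASELINE, {"DE.CM-1": 4})  # tailoring: stronger monitoring
    current = {"ID.AM-1": 2, "PR.AC-1": 4, "DE.CM-1": 1, "RS.RP-1": 3, "RC.RP-1": 4}
    weights = {"PR.AC-1": 3, "DE.CM-1": 3, "ID.AM-1": 2}
    for f in gap_analysis(current, target, weights):
        print(f"{f.subcategory}: {f.status} (current {f.current}, target {f.target})")
```

Re-running the comparison on a schedule, or after a defined event, gives the repeated cycle the guide calls for, with the previous run's action plan feeding the next Current Profile.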

In conclusion, the guide serves as a foundation for how HPH sector organizations can leverage the NIST CSF and its supporting Informative References to increase their overall cybersecurity awareness and implement sound cybersecurity programs to protect patient data and other sensitive information. Specifically, the guidance in this document can help an organization determine its cybersecurity goals, assess its current cybersecurity practices, or lack thereof, and help identify gaps for remediation.

The U.S. administration released last week its ‘National Cybersecurity Strategy,’ which envisions an increased emphasis on protecting the nation’s critical infrastructures from cyber threats and incidents. This was followed by the U.S. Environmental Protection Agency (EPA) issuing a memorandum that calls upon states to evaluate the cybersecurity of operational technology (OT) used by a public water system (PWS) when conducting PWS sanitary surveys or through other state programs.

On Tuesday, the Transportation Security Administration (TSA) issued a cybersecurity amendment on an emergency basis to the security programs of certain TSA-regulated airport and aircraft operators, following similar measures announced last October for passenger and freight railroad carriers.
