What is the best approach for implementing the NIST Cybersecurity Framework in the healthcare industry?
The best approach for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity, or Cybersecurity Framework (CsF), is the approach outlined in the Healthcare Sector Cybersecurity Framework Implementation Guide, produced and published under the auspices of the Critical Infrastructure Protection Program's (CIPP) Public-Private Partnership.
Although the NIST CsF provides an overarching framework for cyber resilience programs that can be adopted by virtually any organization in any industry, this flexibility comes at the cost of granularity. Because the CsF does not specify which cybersecurity controls an organization should implement, each organization must analyze the risk arising from its use of information and information technology (IT) and then either design its own controls or select controls from a suitable control-based risk management framework, such as ISO/IEC 27001, NIST SP 800-53, or the HITRUST CSF.
The Healthcare Sector Cybersecurity Framework Implementation Guide describes how organizations can leverage the HITRUST risk management framework (RMF) – consisting of the HITRUST CSF, CSF Assurance Program and supporting methods and tools – to implement resilient cybersecurity programs that are consistent with and achieve the objectives specified by the NIST CsF.
For more information, refer to the NIST Framework for Improving Critical Infrastructure Cybersecurity, the Healthcare Sector Cybersecurity Framework Implementation Guide, and the CIPP webpage.