By Bryan Cline, Ph.D., Chief Research Officer, HITRUST, and Robert Booker, Chief Strategy Officer, HITRUST

Today, the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the U.S. Department of Health and Human Services (HHS) jointly released the Cybersecurity Framework Implementation Guide to help public and private healthcare sectors align their cybersecurity programs with the NIST Cybersecurity Framework (CSF). The guide provides specific steps for health care organizations to manage cyber risks to their information technology systems and reduce the number of cyber incidents affecting the sector. HITRUST is honored to have supported this long-standing partnership with other industry leaders and the government. This new update of the guide reflects over a half decade of maturity since the first version of the guide was published in 2016. Cybersecurity threats have only increased over that time and, as noted by the joint release today, “recent high-profile cyberattacks reinforce the need for health providers and organizations to assess their cyber health and take actions to improve cybersecurity.”

What is the Same?

The first version of the guide was published in 2016, leveraging the use of control framework-based risk analysis, a NIST-based process that allows organizations to take advantage of comprehensive, risk-based Informative References such as NIST SP 800-53 and the HITRUST CSF to simplify the HIPAA risk analysis process. Specifically, organizations use the guide and the provided process and referenced tools to:

• Tailor their control baseline based on specific risks inherent to the sensitive information processed by their organization.
• Specify their Target Profile early in the NIST Cybersecurity Framework implementation process.
• Assess their current cybersecurity program against the Target Profile to create a Current Profile.
• Identify control gaps and risk management activities to treat their identified risks.

What is New?

The new 2023 version of the guide released today retains the original approach and includes additional enhancements, such as updated information on available resources, a discussion of how information risk contributes to organizational risk, and templates for an executive marketing/summary and communications template, among other enhancements.

Risk Analysis as the Foundation

Risk analysis is vital to understanding the risks and vulnerabilities of a system. For healthcare specifically, the HIPAA Security Rule requires “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of [ePHI]” followed by implementation of “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level,…[and that] protect against any reasonably anticipated threats or hazards to the security and integrity of such information.”

Control Tailoring and Selection Based on Risks

So, risk analysis, synonymous with risk assessment, plays an essential role in specifying practices (controls) that address cybersecurity requirements to address identified risks and resulting outcomes. The use of control framework-based risk analysis, recommended by the published guide, is a NIST-based process that allows organizations to take advantage of comprehensive, risk-based Informative References, such as NIST SP 800-53 and the HITRUST CSF, to simplify the risk analysis process.

In fact, Informative References in the NIST Online Informative Reference (OLIR) catalog include many elements that may be valuable for organizations to consider and that assist in regulatory alignment, including Center for Internet Security Critical Security Controls (CIS CSC), COBIT, HITRUST CSF, ISO/IEC 27001, and NIST SP 800-53.

Which Informative Reference(s) are Appropriate for My Organization?

Because the tailoring of controls to the specific inherent risks of the organization is critical to effective risk management and the achievement of expected cybersecurity outcomes, we recommend use of Informative References that provide a risk-based mechanism for the selection of a reasonable and appropriate set of controls, along with tailoring guidance for their controls, such as NIST SP 800-53 (as outlined in NIST SP 800-53B) and the HITRUST CSF, which is an enhanced overlay of the NIST SP 800-53 moderate impact baseline.

Why use the of NIST CSF?

The NIST CSF provides a number of benefits in addition to control framework-based risk analysis when implemented using the approach in the Cybersecurity Framework Implementation Guide to help organizations specify a comprehensive set of cybersecurity controls. Specifically:

• The NIST CSF provides recognized terminology for the communication of an organization’s cybersecurity program to relying parties and facilitates understanding of an organization’s state of compliance by regulators.
• The outcomes specified by Subcategories in the NIST CSF can help define the breadth of risk analysis.
• And, finally, Implementation Tiers in the NIST CSF can help determine the appropriate depth of cybersecurity protection.

For healthcare, proper use of the guide’s approach to NIST Cybersecurity Framework implementation greatly facilitates an organization’s assertions of compliance with the HIPAA Security Rule and demonstration of Recognized Security Practices (RSPs) as defined in the 2021 HITECH Act and in alignment with recent guidance from the U.S. Department of Health and Human Services Office of Civil Rights (OCR).

Demonstrating Maturity through Assurance

Security leaders, company management, independent directors, and relying parties, including regulators and customers, are all seeking proof that cybersecurity programs are operating as designed. An integrated approach that includes the HITRUST Assurance Program supports these expectations, especially when considering the goals and expectations recently published by the White House in the new National Cybersecurity Strategy. A system with assurance that is transparent, scalable, consistent, and has provable reliability will assist all organizations and their management in demonstrating the maturity of their cybersecurity efforts to regulators, customers, and other stakeholders.

Wrapping Up

The Cybersecurity Framework Implementation Guide is a vital tool to help public and private healthcare companies align their cybersecurity programs with the NIST Cybersecurity Framework (CSF). This approach is anchored in risk analysis, selects and tailors controls using proven and vetted Informative References and supports Recognized Security Practices for Healthcare. Ultimately, the use of such an approach allows all stakeholders in the system to see with confidence that expected cybersecurity outcomes are achieved.

About the Authors

Bryan Cline, Ph.D., Chief Research Officer, HITRUST

Bryan Cline, Ph.D., Chief Research Officer, HITRUST Bryan provides thought leadership on risk management and compliance and develops the methodologies used in various components of the HITRUST Approach. This includes a focus on the design of the HITRUST CSF and the assessment and certification models used in the HITRUST Assurance Program, for which he provides technical direction and oversight. He is also responsible for addressing emerging trends impacting risk management and compliance to ensure the HITRUST Approach sets the bar for organizations seeking the most comprehensive privacy and security frameworks available. Bryan previously served as HITRUST’s Vice President of Standards and Analysis.

Robert Booker, Chief Strategy Officer, HITRUST

Robert Booker serves as the Chief Strategy Officer for HITRUST following his retirement from over 30 years as a cyber security leader and technology professional. Prior to HITRUST, Robert spent 13 years as the Chief Information Security Officer for a Fortune 10 company dedicated to the healthcare industry. Prior to his leadership in healthcare, Robert served as a cyber security leader with a multi-national telecommunications company leading and supporting information security programs and initiatives for numerous global enterprises in the pharmaceutical and consumer products sectors.

Robert’s focus throughout his healthcare tenure has been the application of security principles to clinical care, information, and technology to serve the health care environment and industry, the protection of information entrusted to the companies he has served, and the measurement of sustainable cyber security programs. Robert is passionate about continuously measuring and improving system capabilities given the evolving risk landscape and active cyber threats and has actively represented his programs to executives, directors, regulators, risk underwriters and rating agencies all focused on understanding not only the maturity of the system he has represented but the leadership philosophy and principles needed to continuously invest in a robust cyber security capability at enterprise scale.

Robert’s career has been marked by active collaboration across the companies and industries where he has served. Robert has engaged with other industry leaders and customers all focused on serving healthcare. Robert serves on the Board of Directors of HITRUST where he has been instrumental in establishing a common security framework for the health industry and in supporting the adoption of security principles by companies the health ecosystem and other industries.

Throughout his career, Robert has spoken at multiple venues on topics ranging from cyber security program principles to leadership development for cyber professionals.

Robert is a U.S. Navy veteran and an alumnus of the first FBI CISO Academy (2015 class).