That National Institute of Standards and Technology (NIST) released the Cyber Security Framework in final form on February 13, 2014. Changes to the Preliminary Cybersecurity Framework included:

  • removal of the Privacy and Civil Liberties controls from the Framework in favor of more general guidance;
  • clarification and modifications to the implementation tiers and their relationship to the Framework core and profiles;
  • additional emphasis on the voluntary nature of the Framework and selection of control requirements from other sources besides those referenced in the informative references; and
  • possible expansion of the Framework to include information types while maintaining its broad applicability across multiple industries and organizations.

HITRUST believes these changes are consistent with the letter and intent of the President’s Executive Order on Improving Critical Infrastructure Cybersecurity, which is to help ‘raise the bar’ for security and privacy protection in the private sector and improve the Nation’s resilience to ever increasing cybersecurity threats. HITRUST sees this favorably and it is something that HITRUST has been working very diligently toward in the healthcare sector through the development and implementation of the Common Security Framework and CSF Assurance Program.

Healthcare organizations should evaluate and incorporate the requirements and guidance outlined in the NIST Cyber Security Framework in the context of their overall information protection requirements. HITRUST has made this easier by ensuring the NIST Cyber Security Framework requirements are incorporated in the HITRUST CSF and associated methodology. Analysis of the NIST Cybersecurity Framework indicates the HITRUST Risk Management Framework – consisting of the CSF, CSF Assurance Programs and supporting methods and tools – are a comprehensive and specific model implementation of the NIST Cybersecurity Framework for the healthcare industry. In this respect, the healthcare industry is years ahead of some of the other infrastructure sectors in taking an industry-wide approach to the protection of sensitive information. As of April 2014, the CSF incorporated the final NIST Cyber Security Framework so organizations can understand the specific requirements in the context of their entire information protection program and perform an assessment to evaluate their readiness related to these specific controls. Given the various federal and state regulations imposed on healthcare organizations and wide adoption of the CSF many healthcare organizations are already meeting the requirements outlined in the framework.

However, media reports indicate there has been some pushback from some within the private sector on the proposed Cybersecurity Framework. HITRUST experienced similar resistance to the CSF in the early days of its rollout. There was a broad need in the industry for additional clarity and prescription for what the federal government meant by ‘reasonable and appropriate’ safeguards and ‘adequate’ protection of health information. Yet despite this, there were some organizations that didn’t want to be held to a higher standard of due diligence and due care, or any prescriptive standard. Today, the HITRUST CSF is the most widely-adopted healthcare information protection standard in the industry. Covered entities and business associates use the CSF for all sorts of things, whether as a benchmark for generally accepted best practices to a goal for formal certification against the standard.

HITRUST continuously evaluates the privacy and security controls associated with data loss and breach, including cyber, to enhance the requirements and guidance. Including lessons learned from the upcoming HITRUST CyberRX exercises taking place later this year.