Cyber Risk Assessments in Healthcare

Cyberattacks targeting healthcare organizations continue to escalate in frequency and sophistication. Recent cyber breaches and events within the healthcare industry have significantly increased the attention and focus on cyber risk management, and compelled more organizations to understand their current level of cybersecurity preparedness and the level of effort required to satisfactorily address current and emerging cyber threats.

To help all industries address these rising threats, the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cyber Security, also referred to as the NIST Cyber Security Framework. The intent of the NIST Cyber Security Framework, created through collaboration between industry and government, is to provide high-level guidance around information protection standards and best practices to help critical infrastructure, including the Healthcare and Public Health Sector, manage cybersecurity risk consistently and effectively. NIST recommends organizations evaluate and incorporate the requirements and guidance outlined in the NIST Cyber Security Framework in the context of their overall information protection requirements. Organizations are to then add those necessary industry or sector-specific requirements (e.g., regulations, policies, best practices) to ensure information is adequately protected and cyber risk is properly controlled. This is an important element, as the NIST Cyber Security Framework was not intended to be implemented without development of appropriate industry and organization specific requirements.

In this respect, the healthcare industry is years ahead of other sectors, like banking and retail, in taking an industrywide approach to information security and privacy. The HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, HITRUST CSF Assurance and supporting methods and tools—provides a harmonized set of reasonable and appropriate safeguards specifically designed to address healthcare-related information security and privacy threats and to satisfy due diligence and due care requirements for the adequate protection of sensitive information. The HITRUST RMF also provides a standard, consistent means of sharing information security and privacy risk information with internal and external stakeholders, such as executive management, regulators and business partners. It also ensures compliance with relevant regulatory and other best practice requirements, such as HIPAA, CMS, PCI-DSS, and various ISO and NIST standards, including the Cyber Security Framework.

HITRUST provides a specific and model implementation of the NIST Cyber Security Framework for the healthcare industry by fully incorporating the NIST Cybersecurity Framework’s requirements into the HITRUST CSF. Healthcare organizations can now address cybersecurity and other industry-relevant standards and regulations incorporated in the HITRUST CSF through a single, harmonized set of control requirements that provides the necessary context, prescription and guidance for effective cybersecurity.

To further simplify the process, HITRUST has enhanced the MyCSF tool to enable healthcare organizations to obtain a NIST Cyber Security Framework Scorecard based on new or existing HITRUST CSF assessments, which are completed to satisfy their various security and privacy risk management obligations. Alternatively, organizations may also obtain a Scorecard by conducting a NIST Cyber Security Framework assessment of the HITRUST CSF controls mapped to the 95 functional sub-categories in the NIST Cyber Security Framework. The resulting Scorecard will help organizations fully evaluate their level of cyber readiness based on the NIST Cyber Security Framework and support remediation planning for control gaps that present an excessive level of residual cyber-related risk. In addition, this streamlines the assessment process by leveraging already collected information and repurposing it for whatever interpretation is required, such as the NIST Cyber Security Framework, HITRUST CSF or HIPAA.

The following reference documents provide additional guidance:

  • HITRUST CSF Version 7
    NIST Cybersecurity Framework is included in version 7 of the HITRUST CSF.
  • Risk Management Framework FAQ
    Addresses common questions and misconceptions about the HITRUST CSF, CSF Assurance Program and supporting methods and tools, and their value to industry.
  • Healthcare’s Model Approach to Critical Infrastructure Cybersecurity
    How the industry is leading the way with its Information Security Risk Management Framework.
  • NIST Cyber Security Scorecard (available in MyCSF on May 15, 2015)
    This feature is free of charge to professional level or higher subscribers.
  • CyberRX: Health Industry Cyber Threat Exercise
    CyberRX is a series of no cost, industrywide exercises coordinated by HITRUST in conjunction with the Department of Health and Human Services, with the mission to mobilize healthcare organizations and explore innovative ways of improving preparedness and response against cyber attacks intended to disrupt the nation’s healthcare operations.