NIST Poised To Release Cyber Security Guidelines To Help Hospitals
By Christine Kern, contributing writer
New best practices are “imminent” according to one official.
The National Institute of Standards and Technology is poised to release new best practices guidelines for cybersecurity to help hospitals cope with threats, according to Ronald Ross, NIST fellow, SecureWorld reported.
NIST currently offers a cybersecurity framework developed for the federal government to help understand, select, and then implement security controls. Ross compared the framework to a massive catalog of privacy and security controls that can help safeguard an organization from hostile cyber attacks.
The forthcoming guidance will seek to help healthcare organizations address security even while certain things remain outside of their control, like operating systems or data bases.Ross told Healthcare IT, “The best way to describe the concept is like this: when you fly on an airplane or cross a bridge, you do so because you trust the airplanes we fly and the bridges we cross, you have confidence in the people who designed and built them.” The guidance thus also will provide best practices for building software and systems that are secure and trustworthy.
“We can build and deploy systems that we can trust, too, in a hospital environment, so the systems can better withstand cyber attacks, are more penetration-resistant, and limit the damage an adversary can do if an attack comes through the perimeter,” Ross explained.
Last December, NIST opened a comment period on its cybersecurity framework. In response,a joint letter from HIMSS and the College of Healthcare Information Management Executives (CHIME) said that the framework should be more detailed and regularly updated. In February, HIMSS wrote a second letter to NIST urging the organization to keep the Framework for Improving Critical Infrastructure voluntary for healthcare organizations.
Greater clarity and simplicity in the guidance could not come at a better time, as the recent headline attacks at Hollywood Presbyterian Hospital and others demonstrate. Data breaches and other large scale hacking attacks dominated the healthcare cyber security scene in 2015 according to a Redspin. In Breach Report 2015: Protected Health Information (PHI) , the sixth annual analysis of the causes of PHI breaches reported to the Department of Health and Human Services (HSS), Redspin found the PHI breach landscape saw some startling changes.
“2015 was a watershed (or perhaps a ‘washout’) year in healthcare IT security,” notes the report. “In previous reports we warned that ‘the threat from malicious outsiders — hackers — has the potential to wreak havoc on the healthcare industry.’ In 2015, havoc was wrought.”
Healthcare organizations need help unravelling the layers of threat to appropriately respond to potential cyber attacks and protect their patients’ data.