According to an article published in HealthITSecurity this week, the healthcare industry is one that has been identified as needing improvement in its threat detection methods. According to the data gathered and presented in the article, healthcare organizations have the people, processes, and often the technology in place in their respective organizations; however, they don't have the detection mechanisms in place to recover effectively from a healthcare cyber attack.
The recent CynergisTek report showed that these healthcare entities ranked highest in Respond and Recover among the core functions of the NIST Cybersecurity Framework. Aside from more standard healthcare IT compliance frameworks such as HIPAA and HITRUST, the NIST CSF is voluntary and has brought more visibility to assessing baseline cyber strength than ever before.
Battling Cyber Security Threats in Healthcare Is No Easy Task
The third annual HIMSS and Symantec risk management study showed that healthcare risk assessments were given a higher priority than previously. Healthcare organizations are especially vulnerable, and having their data in the hands of those who wish to exploit it would be disastrous. Health plans, research institutions, and hospitals handle assets that digitization has made more vulnerable as it has evolved.
In order to assess the healthcare industry's cyber risks, it's important to understand the systems that should be protected as well as the data that lies inside those systems. It's also important to know what effects a cyber attack would have on these systems and institutions. Impact has to be minimal in order for the institution to keep functioning and providing care for those in need. The overall process of assessing risk and complying with industry and national cybersecurity best practices is no easy task. Security assessments are necessary to understand where your organization stands on compliance.
Cybersecurity Frameworks of Choice for the Healthcare Industry
According to another recent article on cyber risk management in the healthcare sector, "The HIMSS and Symantec study showed that 62.5 percent of healthcare organizations adopted the NIST Cybersecurity Framework to help with HIPAA risk assessments, while 36.5 percent said they use HITRUST." According to the HITRUST Alliance, "a growing number of healthcare organizations, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group will now require their business associates to obtain HITRUST CSF Certification as a means of demonstrating effective security and privacy practices aligned with the requirements of the healthcare industry."
HIPAA is of course the standard regulatory framework for the industry, but more experts are saying that everything is pointing towards NIST. The National Law Review predicts that HIPAA may merge with the NIST Cybersecurity Framework: "The Task Force recommends the establishment of a consistent, consensus-based health care specific Cybersecurity Framework, and points to the NIST Cybersecurity Framework and the HIPAA Security Rule as a foundation on which this new framework could be built."
More and more healthcare organizations are adopting the NIST Cybersecurity Framework. It is imperative to test, manage, and mitigate your cyber posture internally in order to understand your vulnerabilities and know where to allocate resources for the highest impact on cyber strength. Prioritize your cybersecurity budget and team, as so many of these healthcare organizations have already done. In addition, you should be keeping track of cyber attacks and of how to eradicate your vulnerabilities.
All-In-One Solution: Streamline NIST Cybersecurity Framework, HIPAA and HITRUST Compliance
Unfortunately, compliance is never a small feat, and it can be complex to implement these best practices. CyberStrong streamlines the NIST Cybersecurity Framework as well as other frameworks, including HITRUST and HIPAA, so that healthcare organizations can assess themselves with agility against these frameworks, or even against a hybrid combination of several.