In the recently released Cynergistek report on the state of cybersecurity framework adoption in the healthcare sector, I noticed an interesting trend: a rise in NIST CSF adoption alongside a surprising fall in HIPAA Security Rule compliance. I wanted to dig in and examine what might be driving this shift in how the healthcare industry uses frameworks.
The HIPAA Security Rule
I’ll briefly summarize the current standard for healthcare organizations, the HIPAA Security Rule. Issued by the Department of Health and Human Services under HIPAA (the Health Insurance Portability and Accountability Act of 1996), the Security Rule exists to protect patients’ electronic protected health information (ePHI).
There are six main sections or categories of the Security Rule (from NIST SP 800-66):
- Security standards: General Rules - includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications (both required and addressable); outlines decisions a covered entity must make regarding addressable implementation specifications; and requires maintenance of security measures to continue reasonable and appropriate protection of electronic protected health information.
- Administrative Safeguards - are defined in the Security Rule as the “administrative actions and policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.”
- Physical Safeguards - are defined as the “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Technical Safeguards - are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
- Organizational Requirements - includes standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans.
- Policies and Procedures and Documentation Requirements - requires implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule; maintenance of written (which may be electronic) documentation and/or records that includes policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability, and update requirements related to the documentation.
Is The HIPAA Security Rule Enough?
When patient care is at stake, information security leaders in the healthcare sector have an obligation to pursue gold-standard frameworks that keep patient information and records secure.
Cynergistek’s report shows HIPAA Security Rule compliance starting to decline, down 2% year-over-year for the industry as a whole. What this says to me is that the industry, like any highly regulated sector, is now facing new regulations from multiple sources at once.
While HIPAA remains the core of patient privacy, more and more standards are emerging that target specific subsectors (health insurers, for example, face state-specific regulations built on the NAIC Insurance Data Security Model Law). For CISOs in these sectors, it is no longer enough to absorb each regulation as it arrives. A cohesive strategy for keeping critical information secure requires a framework built on the first principles these standards and regulations share, so that each new rule maps onto controls already in place rather than spawning a separate compliance effort.
Enter the NIST CSF for Healthcare
The National Institute of Standards and Technology’s Cybersecurity Framework is one of the most widely adopted frameworks regardless of industry. Originally developed under a 2013 executive order on improving critical infrastructure cybersecurity, the framework’s robust structure and its five Framework Core functions (Identify, Protect, Detect, Respond, Recover) have allowed it to scale well beyond critical infrastructure.
What struck me in Cynergistek’s report was that while Security Rule compliance dropped 2% year-over-year, NIST Cybersecurity Framework adoption and compliance rose by the same amount, 2%. This speaks volumes about how healthcare organizations are working to manage cybersecurity and cybersecurity risk. The NIST Framework’s five functions are reflected in the NYDFS cybersecurity regulation for financial services and in the NAIC Model Law for insurance, and the DFARS mandate for the DoD supply chain rests on a related NIST publication (Special Publication 800-171), whose requirements derive from the same SP 800-53 controls the CSF uses as informative references. As the industry faces more regulations, checkbox thinking is no longer sufficient. Implementing the NIST CSF instead lets organizations build on the first principles behind these regulations rather than being trapped in a reactionary loop.
Futureproofing Healthcare Cybersecurity With The NIST CSF
Managing cybersecurity risk is rapidly becoming a board-level issue for every organization. For some industries, it is a matter of remaining competitive and winning business. For healthcare organizations, far more is at stake. To manage cyber risk effectively, being proactive is no longer optional. The NIST CSF and its outcomes-based approach help organizations select the activities and controls appropriate to their specific situation while also meeting their compliance requirements.
The NIST CSF has proven to be that gold standard across industries, and it is updated at the pace of technology rather than the pace of regulatory bodies (version 1.1 was finalized in April 2018). Building a compliance and risk management program around the CSF lets information security teams integrate new regulations easily, rather than reacting to a new checklist every time a rule is published.