NIST framework: Assessing an organization’s cybersecurity readiness

The National Institute of Standards and Technology’s (NIST's) voluntary framework for reducing cyber risks to critical infrastructure, released earlier this year, can assist providers in achieving their security goals, according to panelists at the National Institute of Standards and Technology and the Office of Civil Rights’ joint conference, “Safeguarding Health Information: Building Assurance through HIPAA Security,” on Sept. 23.  

The framework offers the following, according to Kevin Stine, manager of security outreach & integration at NIST:

  1. A set of standards, methodologies, processes and procedures that align policy, businesses and technological approaches to address cyber risks.
  2. A prioritized, flexible, repeatable, performance-based and cost-effective approach including information security measures and controls to help owners and operators of critical infrastructure identify, assess and manage cyber risks.
  3. Areas for improvement to be addressed through future collaboration with particular sectors and standards developing organizations.

The framework is flexible for organizations of all sizes. “It had to be broad enough to be responsible to the diversity of needs out there,” Stine said.

Only 8 percent of data breaches involve hacking incidents involving 500 or more patients, but the Department of Health & Human Services “is seeing those rise,” said Linda Sanches, health information privacy senior advisor at the Office of Civil Rights.   

In the future, “we expect greater now that we’ve had [the incident at] Community Health Systems, she said.

Of the 59 providers involved in breaches, she said 58 had at least one security rule finding or observation and two-thirds had no complete or accurate risk assessment. “Most covered entities have not identified key vulnerabilities,” she said.

Sanches encourages providers to utilize the framework to identify weaknesses around infrastructure and learn the essentials of response activities. “It emphasizes the critical nature of having response and recovery capabilities in place so when you are faced with threats, you have the ability to respond to that accordingly,” she said. Also, it outlines five security functions, mapped to activities, to help bolster security.

Also, the framework helps organizations provide a ranking system so organizations can understand what tier they are on according to their security practices and environment. “Entities can look where they are on at spectrum,” she said. Also, it helps organizations plan for where they want to be in the future.

Privacy and security are one of the five building blocks of the Office of the National Coordinator for Health IT’s interoperability vision paper, said Julie Chua, information security specialist in the Office of the Chief Privacy Officer.

The agency is working on technical assistance and user education on protecting health information. “The framework fits that exactly.” Also, ONC offers best practices, tips and guidelines—as well as training video games—to help organizations improve their security practices and cybersecurity awareness, she said.

Around the web

The tirzepatide shortage that first began in 2022 has been resolved. Drug companies distributing compounded versions of the popular drug now have two to three more months to distribute their remaining supply.

The 24 members of the House Task Force on AI—12 reps from each party—have posted a 253-page report detailing their bipartisan vision for encouraging innovation while minimizing risks. 

Merck sent Hansoh Pharma, a Chinese biopharmaceutical company, an upfront payment of $112 million to license a new investigational GLP-1 receptor agonist. There could be many more payments to come if certain milestones are met.