Healthcare IT Security Best Practices: Adopting NIST's Cybersecurity Framework


Ransomware and other forms of digital extortion continue their unprecedented march, attacking computers, stealing the private data of millions of individuals, and forcing IT managers to play whack-a-mole in order to stem the tide of new threats entering network servers every year.

The problem is particularly acute in the healthcare industry, which racked up 750 known breaches last year―20 percent more than the customary targets in the financial sector.

The numbers don’t paint a rosy picture. The U.S., in general, accounts for one-third of the ransomware variants detected in 2016 and the first half of 2017, according to a recent Internet Security Threat Report commissioned by Symantec.

These statistics raise the question of what the healthcare industry should do to defend against bad actors who are intent on pilfering private data. Which IT security best practices should the industry adopt that are most effective at lessening the severity of these breaches, or at preventing them from happening at all?

One idea is to adopt NIST’s Cybersecurity Framework.

What is the NIST Cybersecurity Framework (CSF)?

The NIST Framework is guidance on how to better manage, mitigate, and reduce cybersecurity risk. It is built on existing standards, guidelines, and IT security best practices, and it gives organizations a shared vocabulary for communicating about risk and cybersecurity management with both internal and external stakeholders.

CSF guidelines were issued as an Executive Order back in 2013, due to recognized threats to the national and economic security of the United States and for the purpose of protecting critical infrastructure. The guidelines were further updated and clarified in 2014.

The CSF consists of three components―core, implementation tiers, and profiles―that are designed to describe how an organization views cybersecurity risk management and how its existing processes fit with its current policies and procedures.

These are the basics:

  1. Core: guides cybersecurity activities and outcomes by assisting with managing risks.
  2. Implementation tiers: guide organizations on how rigorous their cybersecurity programs are.
  3. Profiles: identify opportunities for improving existing cybersecurity programs.

What are the pressing concerns for healthcare right now?

Healthcare is the only industry where the cybersecurity threat tends to be greater from the inside than from the outside.

There are several reasons healthcare differs from other industrial sectors in this respect, and human error is a major contributor. Employees also abuse their access to systems or data. Surprisingly, in 13 percent of cases the security risk is motivated by fun or curiosity—for example, when a celebrity has recently been a patient.

Additionally, since the American Recovery and Reinvestment Act of 2009 provided financial incentives to come up with ways to strengthen and improve the industry, the healthcare sector has gone through monumental changes to move from outdated paper records to electronic health records (EHR). A total of $25.8 billion was allocated toward improving health information technology investments. However, the move to digital health records created more opportunity for hackers and other nefarious actors to pilfer health records, which contain a treasure trove of personal data that can be used for financial gain.

How does the CSF help address these issues?

The current version of the CSF―issued in February 2014―is fairly rigorous and is organized around the functions of identifying and protecting against cybersecurity threats and detecting, responding to, and recovering from the impacts of a cybersecurity incident. The CSF is not a set of rigid instructions for healthcare organizations to adhere to, but rather a guideline of IT security best practices that can be adopted to complement or reinforce existing cybersecurity policies.

The CSF delivers security through a series of core elements, four implementation tiers, and a framework profile that aligns all of these elements with the organization's business requirements, risk tolerance, and financial resources.

The framework provides common language for internal and external stakeholders to understand and manage cybersecurity risks as a team. It is a useful tool that can help your organization align business and technological policies in order to better manage cybersecurity risks across the board and achieve better outcomes as you deliver critical healthcare services to your patients and improved operational efficiency to your colleagues and key stakeholders.