Road to HIPAA Compliance: Using the NIST Cybersecurity Framework to Protect PHI

by KirkpatrickPrice / October 27th, 2016

The NIST Cybersecurity Framework: A Common Language for Cybersecurity Issues

The cybersecurity realm is overwhelming – the issues, the regulations, the changes, the threats, the persistence. We’re living in a world where we hear about new breaches every day. None of us can possibly know everything about all cybersecurity issues, and that’s okay. We’re all vulnerable and overwhelmed, but that’s no excuse not to prepare and continually develop your organization’s defenses. We believe that the NIST Cybersecurity Framework gives you a shared language and a method for understanding what the issues are and how they should be dealt with.

The core of the NIST Cybersecurity Framework includes:

  • Functions – Organization of basic cybersecurity activities at their highest level
  • Categories – Subdivisions of a function into groups of particular activities
  • Subcategories – Subcategories further divide a category into specific outcomes of technical and/or management activities
  • Informative References – Specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcome

What is the cybersecurity maturity of your organization? It’s an important question to ask and answer honestly, especially when considering the Framework Implementation Tiers:

  • Partial – Informal, reactive, limited awareness
  • Risk Informed – Risk management practices are approved but not implemented organization-wide; the staff has adequate resources to perform their cybersecurity duties; the organization is not formalized in its capabilities to interact and share information externally
  • Repeatable – Risk management is a formal function and is updated regularly; changes in business requirements are reflected in the organization-wide cybersecurity practices; your organization understands its dependencies on partners and interacts accordingly
  • Adaptive – Cybersecurity practices adapt based on lessons learned and predictive indicators, which results in continuous improvement; the organization adapts to a changing landscape in a timely manner; cybersecurity risk management is part of the organizational culture; communication and interaction with partners occur before a cybersecurity event occurs

Healthcare organizations desperately need individuals who will volunteer to lead the conversation about cybersecurity issues; you don’t have to be a cybersecurity expert, just a good communicator. Our hope? In 5 years, everyone within an organization will understand the language of cybersecurity and will be involved in the cybersecurity conversation. It’s not just IT’s issue, or an executive’s responsibility, or the administration’s problem. Can you be the person at your organization to step up and lead the conversation?
