Proactive Cybersecurity is Integral to Patient Centricity; NIST's CSF 2.0 has a Role
- Shubhdeep Singh

- Apr 4, 2024
- 2 min read
Thoughts on cybersecurity and how NIST's latest release can help better serve patients.

It's time the healthcare industry looked at cybersecurity not as a cost center but as an integral component of patient centricity. While the focus is often on the damage to organizations, the reality is that patients suffer the most: identity theft, for example, has long-term consequences for them.
The recent release of NIST's Cybersecurity Framework (CSF) 2.0 has made it considerably easier for healthcare organizations of all sizes to set up cybersecurity standards and best practices for themselves. Smaller companies without dedicated cybersecurity departments can benefit greatly from CSF 2.0's accompanying resources, such as the Small Business Quick Start Guide and the Implementation Examples.
While this addresses the lack of resources, oversight and complacency also seem to play a big role in exposure to cyber-attacks. In a recent benchmarking study by KLAS Research involving 58 healthcare organizations, 71% reported using NIST's CSF; on average, however, the greatest focus was on the "Respond" function and the least on the "Identify" function. This points to a reactive approach centered on recovery rather than prevention, which can lead to a larger overall impact in terms of resources.
The ransomware attack on Minnesota's UnitedHealth Group in February is a major example of the risk that cyber-attacks carry beyond their initial impact. With the outage of the Change Healthcare platform, a number of hospitals and small healthcare businesses in the state faced issues with claims and payments for weeks. While it may not be possible to prevent every attack, being prepared to handle and contain the impact can often save considerable resources in the long run.
NIST's statement that cybersecurity risks should be considered at the same level as financial or reputational risks highlights the importance of not only setting up a cybersecurity policy but also enforcing, updating, and maintaining it. While CSF 2.0's supporting resources help with the former, it is the new "Govern" function that addresses the latter. Although governance was already implicit in CSF 1.1, making it an explicit function means that the maintenance of a cybersecurity policy can be prioritized in its own right. With this new function, the framework allows for a real-time evaluation of the organization's policy and its enforcement.
This process of constant review, combined with regular training and assessments, can help establish a cybersecurity culture in which employees are better informed about and educated against cyber threats. Seminars, tabletop exercises, and similar training activities can help develop a "cybersecurity first" mindset. Not only does this help reduce accidental threats caused by oversight, it also helps create a collaborative environment, which is just as important when it comes to tackling cyber threats.
Useful Links:
NIST’s CSF 2.0 Quick Start Guide - https://www.nist.gov/quick-start-guides
Implementation Examples & Similar Resources - https://www.nist.gov/informative-references