Since 2003, healthcare organizations have been facing compliance requirements as outlined in the Health Insurance Portability and Accountability Act, specifically the HIPAA Security and Privacy Rules, or face large fines and damage to their reputation.
But as the healthcare industry now looks to adopt the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), many healthcare providers are likely asking why they must adopt a new framework when HIPAA is already in place, said Ken Durbin, Compliance, Risk Management and Threat Intel Strategist at Symantec, during a July 13 webinar on the PROTECT function of the CSF.
“There is a difference between compliance and security,” Durbin added. “HIPAA puts requirements in place to protect data, but it is not aimed at helping organizations keep their entire enterprise secure.”
That said, the NIST CSF, especially the PROTECT function, does align with HIPAA to:
- Safeguard data
- Mitigate malicious software; and
- Maintain data integrity
As its name suggests, the PROTECT function covers what organizations need to do to protect patient information, but its scope is broader than many expect: it includes employee cybersecurity training and ensuring that administrators understand their larger roles in cybersecurity protection.
“With an emphasis on training, the NIST cybersecurity framework makes employees part of the overall protection of data, as opposed to a problem,” Jeff Marron, an IT Security Specialist at NIST, said. “The CSF looks at each part of an enterprise that has a role in data protection, not just the technology.”
That includes things such as physical security and governance.
That is not to say that technology is not part of the equation as well. For instance, the PROTECT function aims to help healthcare organizations establish baseline configurations. Security gaps open up when employees or other unauthorized individuals change security configurations, perhaps in pursuit of better performance. By establishing and enforcing baselines, healthcare organizations can ensure data remains protected.
Durbin said the NIST CSF PROTECT function aims to make compliance and security work together. The NIST CSF will help healthcare organizations:
- Define current state, gaps and goals
- Make security manageable, based on priorities
- Define process, make it reliable and reproducible
- Meet multiple security objectives and the needs of stakeholders
- Measure and communicate
The PROTECT function of the NIST CSF features many more aspects that our speakers dove into during the webinar. Watch it again here along with the other webinars in this series. We will hold the next webinar, Detecting a Healthcare Breach with the NIST Cybersecurity Framework, on August 17, as we explore the DETECT function.