The “Identify” function of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF) lays the groundwork for all cybersecurity actions that will follow. After all, it’s only possible to protect what you know exists.
In the second part of Symantec’s webinar series demystifying the NIST CSF for Healthcare, Symantec’s Axel Wirth and Vishal Gupta highlighted the key components of what really is the foundation of the framework.
More than anything, the “Identify” function calls on healthcare organizations to look at every component of their cybersecurity enterprise. That includes not only hard assets such as servers and networks and soft assets such as software, data and people, but also concerns such as governance, the risk management approach and business use.
In order to be successful in protecting their assets, healthcare organizations must first identify every component of their enterprise. By looking at every aspect to make sure it meets a certain standard – and fixing those that do not – healthcare organizations gain a complete picture of every asset under their watch and ensure the best possible security posture.
Too often, Wirth and Gupta explain, it is assets that healthcare organizations do not know they have – or do not understand the accompanying risk – that lead to breaches. The results have been largely disastrous.
Nearly 90 percent of all healthcare organizations have suffered at least one data breach in the past two years, with the average cost per hack totaling more than $2.2 million for the industry, according to a 2016 study from the Ponemon Institute. And things are apparently getting worse.
Last year saw a 20 percent increase in the number of breaches, with 16 million records exposed, leading to a record year for payments of HIPAA penalties, according to HIPAA Journal. Cybersecurity breaches are not only dangerous – causing PHI and sensitive information to be exposed, damaging the hospital’s reputation, and potentially putting patient safety at risk – but, as the numbers show, incredibly expensive.
To combat this, the healthcare industry will turn to the National Institute of Standards and Technology’s Cybersecurity Framework, a tool that is expected to be used by 50 percent of all organizations by 2020.
Gupta said that healthcare organizations need to look for solutions that can help them gain end-to-end visibility across their enterprise. That is especially true in environments that use a wide variety of platforms, software applications and resource locations (a combination of on-premises technologies and cloud services).
A successful implementation of the “Identify” function enables an organization to:
- Define the current state of their enterprise, identify gaps and define a path forward to address them
- Define mitigation priorities
- Define processes that are reliable and reproducible
- Meet the needs of all stakeholders
- Make managing complex systems easier
- Have methods for communicating with all critical parties
The “Identify” function of the NIST CSF is one of the foundational pieces of guidance and lays the basis for everything else healthcare organizations do under the framework. Implementing the recommendations is a complex task, but without proper execution, healthcare organizations nullify the results of the other parts of the framework. For the healthcare industry to reduce the rate of cyber breaches and other cyber events, and in turn avoid the impact and cost of breaches, it should turn to the NIST CSF and make completing the “Identify” function a top priority.
Join Symantec on July 13 for the next part of our ongoing series on the NIST CSF. Our experts will explore the “Protect” function of the CSF, highlighting the elements that healthcare officials need to know before adopting the CSF. You can also view previous webinars and more information from Symantec on the CSF at our resource page.