By: Patrick Martin on May 19, 2023
5 Key NIST-Related Cybersecurity Functions For The Healthcare Industry
Healthcare organizations are subject to all kinds of regulatory requirements designed to protect private patient information. Under HIPAA this is called protected health information (PHI), a category of personally identifiable information (PII).
With the increasing popularity of virtual visits, patient portals, and electronic patient records, securing information at doctor offices, rehab centers, and other medical facilities is more important than ever.
And, with the constantly changing nature of cyber threats, keeping up can be a daunting task.
Kelser provides comprehensive managed IT support services for organizations in the healthcare industry.
But, we know that managed IT isn’t the right solution for everyone, so rather than convince you to work with us, we publish informative articles that help healthcare leaders like you understand technical topics.
I serve as a virtual chief information officer (vCIO) for many of our healthcare partners. In this article I’ll walk you through 5 important NIST-related cybersecurity functions that are important for every healthcare organization.
After reading this article, you’ll be able to make informed technology decisions that will keep sensitive information about your patients and your practice secure.
What Is NIST?
The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce, founded in 1901. The organization’s mission is to promote American innovation and industrial competitiveness.
Why Is NIST Important For Healthcare Organizations?
The Federal Information Security Management Act (FISMA) of 2002 made NIST responsible for the information security standards and guidelines that federal agencies follow. NIST has since published a large body of security guidance, including Special Publication 800-171 (first released in 2015), which defines requirements for protecting controlled unclassified information (CUI) on the systems of contractors and other non-federal organizations that handle it on the government's behalf.
That guidance has become a best-practices baseline for many organizations outside government as well. The five clearly defined and manageable functions described in this article come from another NIST document, the Cybersecurity Framework (CSF), first published in 2014, and healthcare organizations can benefit substantially from organizing their security program around them.
What 5 Essential Cybersecurity Functions Need To Be Addressed By Healthcare Organizations?
The five key cybersecurity functions I’ll outline in this article come from the National Institute of Standards And Technology (NIST) Cybersecurity Framework (CSF). The individual controls published by the Center for Internet Security (CIS) can be mapped onto these same functions, so the five functions are also a useful way to organize that control catalog.
The 5 functions are a good place to start for any healthcare organization, a good basis for any cybersecurity plan, and a good tool to measure against regularly. They are:
- Identify
- Protect
- Detect
- Respond
- Recover
1. Identify
You can’t protect what you don’t know you have. You must be able to identify:
- your assets (hardware and software)
- your users (and their accounts)
- your suppliers
- your data (and how critical it is or isn’t)
- your business risks
Let’s explore each of these items one at a time:
- Without knowing what assets you have, you can’t protect them appropriately.
- Without a full understanding of your users, you can’t look for unauthorized access.
- Without knowing your suppliers, you can’t ensure that they are following the security protocols required by your contracts.
- Without understanding your data and how sensitive it is, you may not have the right protections in place and you may be subject to contractual or regulatory penalties.
- Without a true understanding of the risks your business faces (and a constant reassessment of emerging cyber threats), your protections can’t keep your organization's information secure.
Cybersecurity requires ongoing vigilance and an understanding of what you need to protect to keep your organization safe.
The best cybersecurity protections take into account what needs protecting today and they evolve over time to reflect (and thwart) newly evolving threats.
2. Protect
Once you understand your assets, your data, and your risks, you are ready to put the proper protections in place.
Protections must be effective at keeping your systems and data from being negatively impacted without hindering the ability of your team, whether centrally located or distributed in multiple remote locations, to perform daily tasks.
These protections could be physical protections, which may include locks, armed security (depending on the risk and sensitivity of data), and badge-only access to certain areas (e.g. the rooms that house servers and workstations holding PHI).
There are also digital protections including firewalls, anti-malware software, email spam and malware filtering, secure configurations of servers and workstations, patch management, and vulnerability scanning.
Another key digital protection is a separate guest Wi-Fi network, segmented from the clinical network, so that visitors and patients never share a network with the devices that hold patient data.
Related article: What Is A Business, Commercial, Or Enterprise Firewall? Do I Need One?
In most cases, a combination of physical and digital protections offers the most comprehensive solution.
And, don’t overlook the importance of employee security training. It is one of the most cost-effective (and most frequently overlooked) deterrents.
Related article: What’s The Most Frequently Overlooked Cybersecurity Tool?
3. Detect
If you aren’t monitoring your infrastructure, you can’t detect unusual events that could indicate security incidents in your environment.
One of the tools that can be used to detect potential incidents is a security information and event management (SIEM) solution.
SIEM solutions provide centralized monitoring and analysis, and can correlate events from different data sources (for example, a firewall, a VPN gateway, and the audit log of your electronic health record system) into a single alert.
They can also generate reports that track contractual compliance metrics, and they are the core tooling of large-scale Security Operations Centers.
Security audit log management and monitoring can also help detect questionable activities.
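As an added illustration (this is example code written for this article, not a product or code from the original page), here is a small correlator that runs three detection rules over constructed sample log lines from two sources: a VPN gateway log and an EHR audit log. A SIEM does the same thing at scale. The log format, user names, IP addresses, business hours and thresholds are all assumptions made for the example.

```python
"""Added example: correlating events from two log sources.

Runs three detection rules over constructed sample lines from a VPN gateway
log and an electronic health record (EHR) audit log. Formats, user names,
addresses, business hours and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real data): "<ISO timestamp> <source> key=value ...".
VPN_LOG = """\
2023-05-18T08:55:10 vpn user=jsmith result=success src=203.0.113.7
2023-05-18T22:01:03 vpn user=rpatel result=fail src=198.51.100.23
2023-05-18T22:01:09 vpn user=rpatel result=fail src=198.51.100.23
2023-05-18T22:01:15 vpn user=rpatel result=fail src=198.51.100.23
2023-05-18T22:01:21 vpn user=rpatel result=fail src=198.51.100.23
2023-05-18T22:01:30 vpn user=rpatel result=success src=198.51.100.23
"""
EHR_AUDIT_LOG = """\
2023-05-18T09:02:44 ehr user=jsmith action=view_record patient=P-1001
2023-05-18T14:17:05 ehr user=mlee action=view_record patient=P-3310
2023-05-18T22:03:02 ehr user=rpatel action=view_record patient=P-2050
2023-05-18T22:03:40 ehr user=rpatel action=export_record patient=P-2050
"""

BUSINESS_HOURS = range(7, 19)              # assumption: 07:00-18:59 local time
FAILED_LOGIN_THRESHOLD = 4                 # assumption: 4 failures inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
ESCALATION_WINDOW = timedelta(minutes=15)  # export soon after a suspicious login


def parse(log_text):
    """Turn each line into a dict with a datetime 'ts', a 'source' and its key=value fields."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        event = {"ts": datetime.fromisoformat(parts[0]), "source": parts[1]}
        for field in parts[2:]:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def brute_force_then_success(vpn_events):
    """Rule 1: a burst of failed logins for one account followed by a success."""
    findings = []
    recent_failures = defaultdict(list)
    for ev in vpn_events:
        user = ev["user"]
        # drop failures that have aged out of the sliding window
        recent_failures[user] = [t for t in recent_failures[user] if ev["ts"] - t <= FAILED_LOGIN_WINDOW]
        if ev["result"] == "fail":
            recent_failures[user].append(ev["ts"])
        elif ev["result"] == "success":
            if len(recent_failures[user]) >= FAILED_LOGIN_THRESHOLD:
                findings.append({"rule": "brute_force_then_success", "severity": "medium",
                                 "user": user, "ts": ev["ts"], "failures": len(recent_failures[user])})
            recent_failures[user] = []
    return findings


def after_hours_record_access(ehr_events):
    """Rule 2: patient-record access outside business hours."""
    return [{"rule": "after_hours_access", "severity": "low", "user": ev["user"],
             "ts": ev["ts"], "patient": ev["patient"]}
            for ev in ehr_events
            if ev["action"] in ("view_record", "export_record") and ev["ts"].hour not in BUSINESS_HOURS]


def export_after_suspicious_login(login_findings, ehr_events):
    """Rule 3 (cross-source): a record export by an account shortly after rule 1 fired on it."""
    findings = []
    for login in login_findings:
        for ev in ehr_events:
            if (ev["user"] == login["user"] and ev["action"] == "export_record"
                    and timedelta(0) <= ev["ts"] - login["ts"] <= ESCALATION_WINDOW):
                findings.append({"rule": "export_after_brute_force", "severity": "high",
                                 "user": ev["user"], "ts": ev["ts"], "patient": ev["patient"]})
    return findings


def run_detections(vpn_log=VPN_LOG, ehr_log=EHR_AUDIT_LOG):
    """Run all rules over both logs and return the findings ordered by time."""
    vpn_events, ehr_events = parse(vpn_log), parse(ehr_log)
    login_findings = brute_force_then_success(vpn_events)
    findings = (login_findings + after_hours_record_access(ehr_events)
                + export_after_suspicious_login(login_findings, ehr_events))
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in run_detections():
        print(f"{f['ts']}  {f['severity']:<6} {f['rule']:<26} user={f['user']}")
```

Neither log on its own tells the full story: the VPN log shows a password-guessing burst that eventually succeeded, and the EHR log shows a late-night record export. Only when the two are correlated on the account name does the export become a high-severity finding, which is the point of feeding multiple sources into one SIEM.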
4. Respond
How will you respond when a cyber event (or potential event) happens?
Do you have a written incident response plan, backed by a business continuity and disaster recovery plan? Are all of your key stakeholders aware that it exists? Has it been vetted? Do you know that it will work? What will trigger the implementation of this plan?
Does your plan include an alternate business location? Does it include communications with appropriate third parties like legal counsel, insurance providers, law enforcement, employees, and patients?
5. Recover
One of the most important factors in your ability to recover from a cyber incident is the preparation you do ahead of time. Specifically, I’m talking about backing up your data.
Do you perform and test backups of your data? How confident are you that you can recover from an incident (whether security-relevant or a natural disaster) that may affect data integrity or availability?
Is your data backed up regularly? Do you conduct dry runs to ensure that all of the information you think is being backed up is, in fact, being backed up? Is the information easily accessible? Do multiple people know how to access it? Are you sure?
If a natural disaster occurs in your part of the country, is there a backup stored in another geographic region that you can easily access? And is at least one copy kept offline or otherwise isolated from your production network, so that a ransomware incident that encrypts your live systems cannot also encrypt the backup?
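The "dry run" the questions above describe can be automated. As an added example (written for this article, not code from the original page or from Kelser), the script below backs up a constructed set of files, restores the archive into a scratch directory, and compares a SHA-256 manifest of the restored files against the live data. It then changes the live data and runs the check again to show what a gap looks like. File names, contents and the archive format are assumptions made for the example.

```python
"""Added example: a backup dry run.

Archives a constructed set of files, restores the archive into a scratch
directory, and compares SHA-256 digests of every restored file against the
live data. Paths, contents and the tar.gz format are assumptions for this
example; point make_backup() at your own data and archive location.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src_root, archive_path):
    """Write src_root into a gzip-compressed tar archive."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(Path(src_root), arcname=".")


def verify_backup(archive_path, live_manifest):
    """Restore the archive to a scratch directory and compare it to the live data.

    Returns a report listing files present in the live data but absent from the
    backup ('missing') and files whose content differs ('changed').
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the 'data' extraction filter where available (Python 3.12+ and
            # backports) so a crafted archive cannot write outside the scratch dir.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = build_manifest(scratch)
    missing = sorted(set(live_manifest) - set(restored))
    changed = sorted(p for p in live_manifest if p in restored and restored[p] != live_manifest[p])
    return {"ok": not missing and not changed, "missing": missing,
            "changed": changed, "restored_files": len(restored)}


def dry_run():
    """Constructed demonstration: back up a small tree, verify it, then change the
    live data and verify again to see how the check reports the gap."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live = work / "live"
        (live / "records").mkdir(parents=True)
        (live / "records" / "p-1001.txt").write_text("patient 1001 visit notes\n")
        (live / "records" / "p-2050.txt").write_text("patient 2050 lab results\n")
        (live / "config.ini").write_text("[ehr]\nversion=1\n")
        archive = work / "nightly.tar.gz"

        make_backup(live, archive)
        first = verify_backup(archive, build_manifest(live))

        # Data written after the backup ran: the next check must show it is not covered.
        (live / "records" / "p-1001.txt").write_text("patient 1001 visit notes (amended)\n")
        (live / "records" / "p-3310.txt").write_text("patient 3310 intake form\n")
        second = verify_backup(archive, build_manifest(live))
        return first, second


if __name__ == "__main__":
    before, after = dry_run()
    print("right after backup:", before)
    print("after new data was written:", after)
```

The second report is the useful one: it names the file added after the backup ran and the file whose contents changed, which is exactly the "is everything I think is backed up actually backed up" question. In practice, schedule the restore-and-compare against a backup that was taken on another day, and run it from a machine other than the one that produced the backup, so the test also proves that someone else can reach and read the copy.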
How Can Your Healthcare Organization Address These Five Essential Cybersecurity Functions?
Now that you’ve read this article, you know the five cybersecurity functions you need to address: identify, protect, detect, respond, and recover. You understand the importance of each function and steps you can take to implement them.
Depending on your current state of cyber readiness and the size and skills of your internal IT staff, you may be able to implement everything you need internally to secure the information of your organization and your patients.
Or, you may want to explore a partnership with an external IT support services team that has the depth and breadth of expertise to support your preparation.
Either way can provide the protection you need. The important thing is to take the action required to keep your data and infrastructure safe.
If you decide to explore external IT support, we encourage you to check out several providers to find the best fit for you. We take this advice so seriously that we’ve even done some of the legwork for you. Read this article for an unbiased comparison of The Walker Group and Kelser.
It may seem counterintuitive that we publish information about our competitors, but the way we see it, the first step most consumers take is to do an internet search and explore their options.
We just save you a step by comparing publicly available information about both companies direct from the respective websites.
Feel free to visit our learning center to read other comparison articles.
Looking to put together a cybersecurity policy? Learn 7 characteristics that effective cybersecurity policies share.