Does Your Healthcare Organization Need to Level Up Their NIST Security Efforts?

For all its good and ill, meaningful use drove action and adoption of EHR in healthcare. What made the difference? OK, $36 billion in stimulus money helped. However, the key to change was healthcare organizations having a common goal. Once health IT professionals are focused on something, it is amazing to see the results they produce.

When I talk to many in healthcare about security, they are often overwhelmed by all the security risks and challenges we face as the risk surface in healthcare keeps expanding. While many are still unsure where to go, I’ve increasingly seen forward-thinking health IT leaders and CISOs using the NIST framework as a common goal for their healthcare organization to improve their security posture. Much like efforts to achieve meaningful use drove EHR adoption, I see many healthcare organizations using NIST as the guideposts to drive their security efforts.

If you’re not familiar with NIST, go and download this recently released eBook on Proven Strategies to Elevate Your NIST Framework Implementation that Healthcare IT Today created together with Intraprise Health.  It provides a great introduction to NIST including a crosswalk look at how the NIST-CSF and HIPAA security rule overlap.

What’s challenging about NIST is that there’s no formal requirement to do it and no specific financial incentives behind it. That said, OCR will consider whether a covered entity or business associate has implemented a cybersecurity framework and best practices like NIST, which can earn some leniency. Plus, the framework gives healthcare organizations a structured way to look at their security efforts and to address their security risks.

The NIST-CSF has four tiers of implementation:

Tier 1 – Partial
Tier 2 – Risk Informed
Tier 3 – Repeatable
Tier 4 – Adaptive

As the eBook mentions, these tiers shouldn’t be used as a pure maturity model and it’s important to set clear and achievable goals for your organization.  It’s easy to set ambitious NIST goals, but being too ambitious for your organization’s size and resources is the easiest way to kill an effort like NIST.  Start with reasonable goals and then expand from there over time.

The eBook also wisely suggests that you align the NIST subcategories to your overall organization goals as a good way to level up your NIST efforts and get buy-in from your organization.  Here’s a sample from the eBook of how this could work:

If your organization is feeling stuck with its approach to NIST, aligning organizational goals to NIST may be a good place to start. The eBook also has a great section on ransomware and NIST, which is worth the download since ransomware has become such a challenge for healthcare organizations. Plus, it looks at what tools you can use to track your NIST efforts so you can better identify your gaps, update your progress, and present your efforts to your peers. The eBook even shares some tips and tricks on how to generate excitement and urgency for these efforts.

The reality is that NIST is quickly becoming the framework that healthcare organizations are using to evaluate their security efforts and risks. If you haven’t started down this path, or your NIST efforts are a bit overwhelming or stuck, take a minute to download the full eBook, Proven Strategies to Elevate Your NIST Framework Implementation, where you can find some ideas to take your NIST efforts to the next level. The more organized you are in your efforts to evaluate your security risk, the stronger the security posture you’ll build for your organization.

Intraprise Health is a proud sponsor of Healthcare IT Today.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first-of-its-kind conference and community focused on healthcare marketing, the Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.
