Groups Say NIST Must Better Address Healthcare's Cyber Needs

HIMSS, CHIME, AMA Submit Comments on Framework Update
The National Institute for Standards and Technology's proposed update to its cybersecurity framework needs to better address specific concerns of the healthcare sector, ranging from medical device risks to strained resources at smaller care providers.
That's some of the feedback from healthcare industry groups in their submissions to NIST in response to the agency's request for public comment on the latest proposed draft of the NIST framework, which was unveiled in January.
The Framework for Improving Critical Infrastructure Cybersecurity, Draft Version is described by NIST as an "update" rather than a major overhaul of its cybersecurity framework that was released in 2014. Public comments on the proposed framework update were due on April 10.
Among the proposed new features of the framework is a section on cybersecurity measurements to gauge security status and trends over time, as well as an expanded section on supply chain relationship management, which includes revised language in the access control category to account for authentication, authorization and identity proofing by adding a subcategory.
In comments submitted to NIST, the Healthcare Information and Management Systems Society suggests that NIST, in the framework's supply chain section, address issues related to medical device supply chain risks.
HIMSS notes that "some computer hardware, mobile devices, and other types of computing devices have been sold with embedded malware. While the insertion of such malware may have been unintentional by the manufacturer ... the very fact that this has occurred highlights the dangers of insider threat."
HIMSS stresses that healthcare providers and public health leaders "have great concerns with respect to the medical device supply chain, given the potentially significant risk to patient safety. Accordingly, HIMSS recommends that the Framework provide more granular detail on the 'how' and 'why' of supply chain risk management to include a relevant context of insider threat detection and management."
Meanwhile, in their joint comments, the College of Healthcare Information Management Executives - which represents 2,300 CIOs - and its subgroup, the Association for Executives in Healthcare Information Security - which represents 600 CISOs - call for NIST to develop industry-specific guidance for using the framework, including in healthcare.
CHIME and AEHIS note that a "crosswalk" co-developed and released in 2016 by the Department of Health and Human Services to help healthcare entities bridge the NIST cybersecurity framework to the HIPAA Security Rule "is very helpful."
However, "healthcare users also need guidelines for each function of the Framework - identify, protect, detect, respond, recover - for each of these areas: policy, procedures, testing, and integration," the groups add.
Drilling down to some of the more specific proposals in NIST's updated framework, CHIME and AEHIS note that while they support NIST's added subsection on "identity proofing" to its section covering access control, "we also believe that there needs to be a discussion and guidance on privileged users."
Most healthcare systems have identities spread across an average of 10 to 12 different systems, CHIME and AEHIS note. "Guidance on identity management needs to include the critical need to have a master view of all identities and all the entitlements."
Challenges of Smaller Healthcare Entities
Some of the comments submitted to NIST also touch upon the special challenges that smaller healthcare entities, including clinics and doctor practices, often face.
"While discussions of cybersecurity typically include perspectives of government, health IT vendors, and large health and hospital systems, the physician voice is relatively unheard," notes the American Medical Association in its comments to NIST.
"We recommend that NIST and others in the cybersecurity space contemplate ways to make cybersecurity best practices affordable, attainable, and approachable for physicians without extensive health IT knowledge or experience," writes the AMA, a professional organization that represents physicians in the U.S.
"We suggest NIST consider developing a non-technical, plain-language compendium to accompany the Framework to help individuals champion the importance of cybersecurity to their organization and promote a culture of good cyber hygiene," the AMA writes.
Still, the AMA adds that, overall, it supports the framework's "voluntary approach" that offers flexibility allowing entities to customize how they adopt and implement a cybersecurity framework. "This is critical in the healthcare space where a solo practitioner has very different resources than a large health system," AMA says.
Keith Fricke, principal consultant at tw-Security, says he thinks the AMA's requests to NIST are reasonable. "It is great knowing [AMA members] want to adopt using [the framework] and have expressed an interest in wanting NIST to develop a compendium to better understand it," he notes.
"I think if NIST can achieve the AMA's request, the AMA would be more likely to endorse its use amongst its members."
Mac McMillan, president of security consulting firm CynergisTek, says he supports the idea of a healthcare-specific compendium and the development of other tools to operationalize the framework. However, it's not feasible for NIST to address all of the AMA's concerns, he says.
"We have more than 60 percent of healthcare entities using the NIST framework now, so this is absolutely doable, but the AMA's response is a bit frustrating as it is not always possible to make responses to cybersecurity flexible, and secondly NIST is not necessarily in a position to make cybersecurity more affordable."
Tom Walsh, president of tw-Security, says that overall, there are disconnects between NIST's framework and the needs and challenges faced by many healthcare entities.
"The mission of NIST is to serve other federal agencies - not healthcare specifically. What works at a federal government agency level does not always translate well into a small or rural healthcare setting."
Additionally, "NIST staff may have little to no experience in actually working in healthcare - hospitals and, in particular, critical access hospitals and private physician practices/clinics. IT in small hospitals and clinics is almost always outsourced to a local IT company with little or no understanding of HIPAA, let alone the NIST cybersecurity framework," Walsh notes.
Supplemental NIST framework guidance might not even be enough to help some smaller healthcare entities in their cybersecurity stance, he adds. "Practice managers in clinics have at least six different roles - compliance, privacy, and security officers are three of them. Expecting them to comprehend the NIST cybersecurity framework is not likely going to happen - with or without a supplemental document."
Walsh adds that "small and rural providers way outnumber larger healthcare organizations. Most healthcare in the U.S. is delivered in a small and rural setting. The folks in Washington, D.C., and Gaithersburg, Md. [where NIST is based] tend to forget that."
For instance, clinics and critical access hospitals "in the 'flyover states'... often struggle with guidelines from the beltway. That's due mostly to a lack of resources to implement," he adds. "Not everyone has the deep pockets of the federal government."
Kate Borten, president of privacy and security consulting firm The Marblehead Group, says organizations outside of NIST might be the best bet in helping smaller healthcare entities - and especially physician practices - navigate cybersecurity issues covered by the framework.
"I believe that HHS and professional organizations such as the AMA are better equipped to speak to solo practitioners," Borten says. "They already have the communication links, relationships, and can frame content for that specialized audience, unlike NIST - an organization they are not likely to know."
NIST says it plans to host a workshop in May to discuss the comments from all industries it received on its framework update proposals.
After the May 2017 workshop and analysis of the 130 comments received, NIST intends to issue a final version of the updated framework, along with an updated "roadmap" document that describes recommended activities in work areas that are related and complementary to the framework.