CEO, Clearwater Compliance
Best-of-breed software? Or an integrated, “one-size-fits-all” enterprise suite? It’s a long-running debate in health information technology, and it hasn’t been settled yet. Fortunately, for those who work in information risk management, there is no need to choose between the two approaches. The Cybersecurity Framework (CSF) created by the National Institute of Standards and Technology (NIST) brings the best of both to the task of information risk management. The NIST CSF makes it possible to have the benefits of integration
without sacrificing the efficiency of customization.
NIST CSF Version 1.0 was released in 2014 in response to Executive Order 13636 (EO), “Improving Critical Infrastructure Cybersecurity.” The order called for the development of a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to help organizations manage cybersecurity risk. To that end, NIST gathered stakeholders from 16 critical infrastructure sectors to share cybersecurity knowledge, experience, and best practices.
The critical infrastructure sectors include everything from commercial facilities to communications, and from transportation to nuclear reactors. Practitioners from all 16 sectors, and from the public and private domains, came together to develop an overarching risk management structure that would apply across all sectors. This is possible because at a certain level, cybersecurity is cybersecurity, regardless of which sector you operate in.
Five basic functions
At the highest level, the NIST CSF is structured around five basic functions that apply to cybersecurity, regardless of sector. The five functions are: Identify, protect, detect, respond, and recover. These five functions comprise the “one-size-fits-all” aspect of the NIST CSF. Every organization, regardless of size, industry, sector or domain, must address these five basic functions in their information risk management program.
Part of the beauty of having a high-level, overarching framework is that in reality, no single sector operates independently of the others. The healthcare and public health sector relies on smooth integration with the emergency services sector, the energy sector, the financial services sector, and the information technology sector, among others. Having a common framework at a high level is like deploying an integrated electronic health record (EHR) system in a hospital. It facilitates communication and integration across divisions and departments by standardizing information systems vocabulary and processes.
In the case of the NIST CSF, the integrating effect is even larger than for an EHR, since the NIST CSF facilitates external communication as well. It provides a way for healthcare enterprises to speak a common cybersecurity language with their business associates, third party vendors, and non-healthcare partners. Sharing a common language around cybersecurity facilitates communication about best practices and newly emerging threats.
Customization
But what about customization? The NIST CSF has that covered, too. Because although “cybersecurity is cybersecurity” holds true at the abstract level, it doesn’t necessarily hold true at the tactical level. The NIST CSF addresses this in a couple of ways.
First, the NIST CSF crosswalks, from the highest, most abstract level (identify, protect, detect, respond, recover), through categories and subcategories of the five functions, to a more detailed, tactical level by including “informative references” for each of the five functions. The informative references point to specific sections of established standards, guidelines and practices including the CIS CSC, COBIT 5, ISA 62443, ISO/IEC 27001, and NIST SP 800-53.
Equally important is the fact that the NIST CSF doesn’t prescribe how an organization is going to implement any particular function: Instead, it helps organizations articulate what they are trying to achieve. This is where the customization comes in. For example, the NIST CSF guidance to establish and communicate business objectives may be captured in a one-page document for a small practice, or in a 100-page business plan for a large, well-resourced organization.
It is this flexibility that allows the NIST CSF to facilitate integration at the abstract level, and at the same time support customization at the tactical level. The NIST CSF truly offers the best of both worlds (one-size-fits-all and best-of-breed) to information risk managers.
Revision expected
THE NIST CSF continues to evolve as technologies change and new best practices emerge. Via an ongoing, inclusive dialogue with stakeholders from all sectors, NIST has developed a revised version of the Framework. A revised draft of Version 1.1 is expected to be released before the end of 2017, with a final version of NIST CSF Version 1.1 expected to be published in the first half of 2018.
Bob Chaput is the Chief Executive Officer of Clearwater Compliance, a provider of healthcare cyber risk management solutions, endorsed by the American Hospital Association. He serves on the HealthCare’s Most Wired Survey Advisory Board and is a contributing co-author to the American Society of Healthcare Risk Management academic book on the fundamentals of risk management. Chaput’s company was selected to join the National Institute of Standards and Technology’s (NIST) National Cybersecurity Excellence Partnership (NCEP) at NIST’s National Cybersecurity Center of Excellence (NCCoE).
