To stop ransomware terrorists from locking up our Nation’s hospitals, the Federal Government is pushing patient-focused entities to align with a standard. It means more work for hospitals, but it’s necessary. Hospitals are regulated by HIPAA through the Department of Health and Human Services (HHS), which now requires the use of the NIST Cybersecurity Framework (CSF) as the basis for cyber risk assessment. The Feds issued the new requirement because of the need to standardize critical infrastructure and increase resiliency in all areas, but especially in rural healthcare.
The problem is clear, of course: Ransomware terrorists know that hospitals, especially small and rural ones, are good attack targets.
- They cannot afford downtime, as that would lead to bad patient outcomes.
- Negative publicity matters, significantly.
- They typically have good insurance policies.
- Either through insurance or not, they are known to pay ransoms.
- They are understaffed and under-resourced to fight the attackers.
But, even for smaller organizations, the NIST CSF allows them to build a security program that better protects them. For organizations not familiar with the CSF, here’s how it works: The CSF is an outcome-based framework, meaning that it is not prescriptive with respect to specific controls. Instead, it defines outcomes to be achieved, and the specific organization determines how to accomplish them. For example, the CSF says, “Remote access is managed,” but doesn’t say how to do it. Instead, the covered entity is responsible for determining the approach, which may differ for small and rural hospitals and critical access facilities compared to larger institutions.
Another cause for this shift can be traced back to the Colonial Pipeline cyberattack. Two years ago, the Colonial Pipeline fell victim to a ransomware attack. It became evident that the Transportation Security Administration (TSA), the sector-specific agency responsible for setting security requirements for pipelines, failed to provide the necessary guidance. Since the NIST CSF was designed precisely for this purpose, it was readily available to gather and organize information on security controls and processes in an organization. Consequently, it became the basis for the guidance from the Environmental Protection Agency (EPA) for the water sector, TSA for pipelines, HHS for the healthcare sector, and others.
While convenience and expediency are the primary motivations, there are other benefits to the federal government advocating for using the CSF in its efforts to secure critical sectors. By requiring these sectors to adopt a standard methodology, we can achieve consistent application of security outcomes across sectors in a well-defined manner. This consistency also facilitates analysis, which can assist in risk assessment. Insurance companies have faced challenges in accurately pricing cyberattack risks since they need decades-old actuarial tables. As a result, they have suffered financially. Aggregating information across critical sectors, where the US Government has oversight, can serve as the basis for risk pricing and determining whether and how the government may intervene as a reinsurer.
The NIST CSF can evolve from a tool for aligning with standards of practice to one for risk management and budgeting. By categorizing undesired outcomes (theft, extortion, records disclosure, disruption) and assessing their impact on patient care, fields can be added for estimating likelihood and impact. These terms can help estimate the likelihood of such outcomes occurring due to the failure to meet control objectives and the potential impact of such events. The product of these two terms yields a semi-quantitative risk assessment. Identified risks are then assigned a disposition (accept, avoid, mitigate using controls, or transfer through insurance).
Each risk to be mitigated can be categorized based on how the mitigation will be addressed, such as using internal resources, hiring professional or managed services, or making a capital purchase for a tool. When properly utilized, this process results in a formal risk assessment using the preferred tool, a corrective action roadmap, and budget estimates for implementing those corrective actions.
The shift towards the NIST CSF is a strategic response to growing cyber threats, particularly ransomware attacks, targeting America’s healthcare system. Despite the added workload for healthcare entities, the standardized application of security outcomes promises to build resilience across the sector. Moreover, the framework enables accurate risk assessments, paving the way for effective risk management and budgeting strategies.
It becomes crucial, therefore, for hospitals and healthcare institutions – both urban and rural – to understand and embrace the NIST CSF, using it to build and budget for a robust security program. Through such collective action, we can enhance the cybersecurity posture of our healthcare infrastructure and ensure the seamless delivery of healthcare services, protecting them from the crippling effects of cyber threats. As we continue navigating an increasingly interconnected digital landscape, it’s clear that our nation’s healthcare strength hinges on our collective commitment to cybersecurity.
About Mike Hamilton
Mike Hamilton, Founder and CISO of Critical Insight and formerly Vice-Chair for the DHS State, Local, Tribal, and Territorial Government Coordinating Council for critical infrastructure protection, works directly with hospitals and local governments in rural areas, providing security guidance and methodologies.