NIST Framework: Healthcare Hurdles
Insights from HIMSS on Boosting Adoption
More healthcare organizations might implement the National Institute of Standards and Technology's cybersecurity framework if NIST issued healthcare-specific guidance about putting it to use, says Lee Kim of the Healthcare Information and Management Systems Society.
In its comments submitted to NIST about the framework, Kim says, HIMSS notes "that essentially we think the framework would be more usable and prescriptive if it gave guidance in terms of how we actually do this [implementation] in the healthcare sector."
"Fortunately NIST is working with us and others in terms of hearing our voice and hearing how the framework can be optimized to achieve more uptake and usefulness by those who choose to implement it in our industry and other sectors," says Kim, who is HIMSS' director of privacy and security. "...We're hopeful that perhaps the framework could be more useful so more stakeholders can consider adopting it."
Kim says so far the framework appears to have received a somewhat lukewarm reception from healthcare providers, based on feedback from some HIMSS members.
The voluntary NIST cybersecurity framework, released on Feb. 12, is designed to provide guidance for organizations that work in various sectors, including healthcare, that are part of the nation's critical infrastructure.
In an interview with Information Security Media Group, Kim acknowledges that many other critical infrastructure sectors have more mature information security risk management programs than the healthcare sector.
"We are in the new reality where there are sophisticated cyberthreats," she notes. "Information security is certainly at the forefront of other sectors such as financial, chemical, manufacturing, water. All those other critical infrastructure sectors have had information security at the forefront for many, many years. In healthcare we are getting there."
Although some healthcare organizations "have an absolutely robust information security program," Kim says, many are still moving from compliance-based data security and privacy strategies to risk-based strategies.
In the interview, Kim also discusses:
- Awareness of the cybersecurity framework in the healthcare sector;
- How the cybersecurity framework could be helpful for healthcare organizations evolving their security focus from compliance-based to risk-based programs;
- How the medical device cybersecurity workshop being hosted by the Food and Drug Administration might lead to a better understanding of the NIST cybersecurity framework in the healthcare sector.
HIMSS is a global, not-for-profit association for those involved in healthcare information technology. Before joining HIMSS last fall, Kim practiced law in the areas of IT, healthcare technology, intellectual property, and privacy and security. She also previously worked in the healthcare technology field. She is a licensed attorney in the District of Columbia and Pennsylvania and is admitted to practice before the Federal Circuit and the United States Patent and Trademark Office as a registered patent attorney.