Introduction

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

The United States has seen a marked increase in the use of digital technologies and cyber-physical systems (CPS), which in health care are critical integration of a network of medical devices. These systems are progressively used in hospitals to achieve continuous high-quality health care, resulting in an increase in the level of exposures to cyber-attacks, which target an organization's use of cyberspace for the purpose of stealing information or disrupting, disabling, or destroying related information resources. As a result of these ever-increasing cyber threats, President Barack Obama directed the National Insitute of Standards and Technology (NIST) to work with the private sector to develop the Framework for Improving Critical Infrastructure Cybersecurity,^[12] also known as the Cybersecurity Framework. The NIST Cybersecurity Framework provides an organizational cybersecurity risk management model that industries, industry sectors, or organizations can leverage to identify opportunities for improving their management of cybersecurity risk.

Security controls are the safeguards or countermeasures employed within a system or an organization to protect the confidentiality, integrity, and availability of the system and its information and to manage information security risks. Privacy controls are the administrative, technical, and physical safeguards employed within a system or an organization to manage privacy risks and to ensure compliance with applicable privacy requirements. Security and privacy controls are selected and implemented to satisfy security and privacy requirements levied on a system or organization. Security and privacy requirements are derived from applicable laws, executive orders, directives, regulations, policies, standards, and mission needs to ensure the confidentiality, integrity, and availability of information processed, stored, or transmitted and to manage risks to individual privacy. This document seeks to help Health Care and Public Health (HPH) Sector organizations understand and use NIST Cybersecurity Framework's Informative References to achieve the goals of the NIST Cybersecurity Framework. To help further this aim, the document presents an implementation approach that leverages these Informative References, explains the relationship between these Informative References and the NIST Cybersecurity Framework, and provides additional implementation guidance.

Executive Orders and Mandates

The following sections discuss the history of the various mandates and executive orders pertaining to the use of a voluntary Cybersecurity Framework in securing the critical infrastructures.

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

In its December 2011 report, “Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use"^[13], the Government Accountability Office (GAO) found similarities in cybersecurity guidance and practices across multiple sectors. Much of the guidance is tailored to business needs or to address unique risks and operations and recommends promoting existing guidance to assist individual entities within a sector to identify “the guidance that is most applicable and effective in improving their security posture."^[14]

Less than a year later, President Obama issued Executive Order (EO) 13636,^[15] “Improving Critical Infrastructure^[16] Cybersecurity," which called for the development of a voluntary Cybersecurity Framework to provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach" for the management of cybersecurity risks to critical infrastructure.

The Executive Order directed NIST to develop the Cybersecurity Framework and to incorporate industry best practices “to the fullest extent possible." The Department of Homeland Security (DHS) was tasked with establishing performance goals and, in collaboration with sector-specific agencies, supporting the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and other interested entities through a voluntary program.

After three cybersecurity framework workshops, NIST published its August 28, 2013 discussion draft of the Preliminary Cybersecurity Framework. The draft, which was also made available to the public for review, was published in advance of its Fourth Cybersecurity Framework workshop in September 2013. NIST released a 'final' public draft of the Preliminary Cybersecurity Framework in October of 2013, and the final Framework for Improving Critical Infrastructure Cybersecurity, Version 1 was released in February of 2014.^[17]^,^[18] The Framework has been updated by NIST with extensive private sector input since it was issued in February 2014. An updated version of the Framework, Version 1.1, was released in 2018.

EO 13636 also directed development of a program to serve as a central repository for government and private sector tools and resources. This Critical Infrastructure Cyber Community (C³) Voluntary Program^[19] was intended to provide critical infrastructure sectors, academia, state, local, tribal, and territorial governments with business' tools and resources to use the NIST Cybersecurity Framework and enhance their cyber risk management practices.^[20]

Public Law 113-274: Cybersecurity Enhancement Act of 2014

NIST's future Framework role is reinforced by the Cybersecurity Enhancement Act of 2014 (Public Law 113-274)^[21], which calls on NIST to facilitate and support the development of voluntary, industry-led cybersecurity standards and best practices for critical infrastructure. This collaboration continues as NIST works with stakeholders from across the country and around the world to raise awareness and encourage use of the Framework.

Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

In May 2017, President Trump issued EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which was intended to focus Federal efforts on supporting “the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure"^[22] by securing Federal networks, encouraging collaboration with industry, strengthening the deterrence posture of the United States, and building a stronger cybersecurity workforce.^[23] One of the actions taken by Federal agencies in response to this EO was to develop implementation plans for using the NIST Cybersecurity Framework.

Public Law 116-321: Amending the Health Information Technology for Economic and Clinical Health Act

Signed into law by President Trump in January of 2021, Public Law (PL) 116-321^[24] amended the Health Information Technology for Economic and Clinical Health Act.^[25] This law requires HHS to consider a health care entity's adoption of recognized security practices, as defined by PL 116-321, when determining the length and outcome of audits or the amount of fines or extent of penalties. It is important to note that this law does not help health care covered entities or business associates avoid liability for HIPAA violations as it clearly states that "Nothing in this section shall be construed to limit the Secretary's authority to enforce the HIPAA Security rule (part 160 of title 45 Code of Federal Regulations and subparts A and C of part 164 of such title), or to supersede or conflict with an entity or business associate's obligations under the HIPAA Security Rule." Instead, it requires the HHS Office for Civil Rights (OCR) to consider if the covered entity or business associate adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place. If so, OCR should consider this when determining the length and outcome of the audit, fines, or resolution agreement terms.

Per PL 116-321, the term “recognized security practices" means “the standards, guidelines, best practices, methodologies, procedures, and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities."

Executive Order 14028: Improving the Nation's Cybersecurity

President Biden's 2021 EO 14028, Improving the Nation's Cybersecurity, requires the Federal Government to “improve its efforts to identify, deter, protect against, detect, and respond to [increasingly sophisticated malicious cyber campaigns… and asks the Private Sector to] adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace."^[26] While the EO does not specifically mention the NIST Cybersecurity Framework, the EO further highlights the need for effective cybersecurity across the Federal Government and the private sector.

Potential Benefits of Health Care's Implementation of the NIST Cybersecurity Framework

The many cybersecurity-focused executive orders and laws that have been developed in the last 10 years show the importance of strong cybersecurity in protecting critical infrastructure. The NIST Cybersecurity Framework is a powerful tool to help achieve this goal. Since it is based on a collection of cybersecurity standards and industry best practices, the Cybersecurity broadly applies across all organizations, regardless of size, industry, or cybersecurity sophistication. Whether an organization has a mature risk management program and processes, is developing a program or processes, or has no program or processes, the Framework can help guide an organization in improving cybersecurity and thereby improve the security and resilience of critical infrastructure.

Specifically, the NIST Cybersecurity Framework:

Provides guidance on risk management principles and best practices
Provides common language to address and manage cybersecurity risk
Outlines a structure for organizations to understand and apply cybersecurity risk management, and
Identifies effective standards, guidelines, and practices to manage cybersecurity risk in a cost-effective manner based on business needs.

Beyond the stated goals and benefits of the NIST Cybersecurity Framework, there are additional potential benefits to organizations that implement information protection programs in alignment with the NIST Cybersecurity Framework, such as those obtained from leveraging a NIST Cybersecurity Framework Informative Reference.

In addition to federal provisions, states such as Ohio^[27]and Connecticut^[28]also offer various forms of 'safe harbor' for organizations that implement various public and private sector cybersecurity frameworks, including the NIST Cybersecurity Framework.^[29]

Further benefits for implementing the NIST Cybersecurity Framework follow.

Potential Reductions in Cybersecurity Insurance Premiums

Reductions in cybersecurity insurance premiums are a potential incentive for using the framework. Organizations should consider the impact on their insurance premiums if they do or do not follow sound cybersecurity practices.^[30] Furthermore, as cybersecurity continues to grow on the national and international security agenda, insurance underwriters are strongly considering evaluating their client's premiums based on standards, procedures, and other measures consistent with the NIST Cybersecurity Framework. The goal would be to build underwriting practices that promote the use of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.

Prioritized Technical Assistance from the Federal Government

The Federal Government can provide prioritized technical assistance for organizations that seek to leverage the Cybersecurity Framework. The Federal Government provides several hands-on tools that will help organizations assess their current state of cybersecurity practices and identify areas to grow their cybersecurity resilience. HPH Sector organizations are encouraged to visit the Cybersecurity & Infrastructure Security Agency (CISA) webpage for additional information related to both facilitated and self-service risk assessment resources. Based off this assessment, the Federal government helps prioritize next steps for organizations, depending on their level of cybersecurity maturity. For example, the government offers preparedness support, assessments, training of employees, and advice on best practices. Under this incentive, the primary criteria for assistance would be criticality, security, and resilience gaps. However, owners and operators in need of incident response support will never be denied assistance based on cybersecurity maturity and/or level of prior engagement with the use of the NIST Cybersecurity Framework.

Uniformity of Efforts Across the Sector

There are significant potential benefits that could be derived from uniformity of efforts, including conducting national/sector-level cybersecurity activities in parallel with organizational level activities. If an organization conducts cybersecurity activities based on the NIST Cybersecurity Framework, that organization will have a road map for reducing cybersecurity risks that is well aligned with HPH sector goals, considers legal/regulatory requirements and industry best practices, and reflects risk management priorities. Sector efforts can manage these systemic risks that cut across many organizations and also lead to research and development efforts to create new security solutions, policy or legal solutions, and national-level programs. Additionally, HPH sector organizations that adopt the NIST Cybersecurity Framework will be able to take advantage of numerous measurement tools developed and made available by NIST for the generation of metrics, measures, and performance reports facilitating performance improvements in their information security programs and the HPH sector. NIST provides extensive guidance on how an organization, through the use of metrics, identifies the adequacy of in-place security controls, policies, and procedures.^[31] It provides an approach to help management decide where to invest in additional security protection resources or identify and evaluate nonproductive controls. It explains the metric development and implementation process and how it can also be used to adequately justify security control investments. The results of an effective metric program can provide useful data for directing the allocation of information security resources and should simplify the preparation of performance-related reports.

Key Elements of a Cybersecurity Program

The NIST Cybersecurity Framework helps organizations:

Ensure people, process and technology elements completely and comprehensively address information and cybersecurity risks consistent with their business objectives, including legislative, regulatory, and best practice requirements;
Identify risks from the use of information by the organization's business units and facilitate the avoidance, transfer, reduction, or acceptance of risk; and
Support policy definition, enforcement, measurement, monitoring, and reporting for each component of the security program and ensure these components are adequately addressed.

For more information on the NIST Cybersecurity Framework, see Appendix C – NIST Cybersecurity Framework Basics.

The NIST Cybersecurity Framework also provides the structure needed to ensure industry sectors and organizations address three additional key elements of a robust and comprehensive cybersecurity program: threat modeling, threat intelligence, and collaboration.

Threat modeling may be accomplished either through a traditional risk analysis or the selection of a control baseline from an appropriate security framework. Threat intelligence is essential for an organization to understand and proactively address active and emerging cyber threats, and collaboration with other public and private sector entities allows an organization to address cyber threats more efficiently and effectively than it otherwise could.

Organizations have unique cybersecurity risks, including different threats, vulnerabilities, and tolerances, all of which affect benefits from investing in cybersecurity risk management, and they must apply the principles, best practices, standards, and guidelines provided in the NIST Cybersecurity Framework to their specific context and implement practices based on their own needs.

The HPH Sector embraces the flexibility the NIST Cybersecurity Framework offers but recognizes organizations' potential need for more guidance on how to specifically apply the framework to their particular situation. In addition, the HPH Sector recognizes the potential of the NIST Cybersecurity Framework to improve cybersecurity risk management efforts across all critical infrastructure industry sectors.

Ability to Incorporate Cyber-Physical Aspects of Cybersecurity

Cyber Physical Systems Security (CPSSEC) “addresses cybersecurity concerns for cyber-physical systems and internet of things (IoT) devices… [that] play an increasingly important role in critical infrastructure… and everyday life." ^[32]

One of the examples of CPS in the HPH sector is medical devices, which “are increasingly connected to the Internet, hospital networks, and other medical devices to provide features that improve health care and increase the ability of health care providers to treat patients. These same features also increase the risk of potential cybersecurity threats. Medical devices, like other computer systems, can be vulnerable to security breaches, potentially impacting the safety and effectiveness of the device."^[33]

The NIST Cybersecurity Framework, when applied through the lens of a comprehensive risk analysis that specifically includes CPS-related threats, will help further ensure patient safety in addition to protecting sensitive health information and individual privacy.

<< Back Next >>

¹² NIST (2018, Aug 16).

¹³ GAO (2011). Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use, Wash., DC: Author.

¹⁴ Ibid., p. i.

¹⁵ Exec. Order No. 13636, 3 C.F.R. 11739-11744 (2013).

¹⁶ Critical infrastructure is defined in the EO as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

¹⁷ NIST (2014). NIST Releases Cybersecurity Framework Version 1.0.

¹⁸ NIST (2014, Feb 12). Framework for Improving Critical Infrastructure Cybersecurity, Version 1. (Updated 2018, Jan 8). Wash., DC: Author.

¹⁹ CISA (2021b). Critical Infrastructure Cyber Community C3 Protection Program.

²⁰ To access resources related to the former C3 Voluntary Program and the Framework.

²¹ Cybersecurity Enhancement Act of 2014. Public Law 113-274.

²² Exec. Order No. 13800, 3 C.F.R. 22391-22397 (2017).

²³ CISA (2017, 7 Jul). Executive Order 13800 Update Issue 1.

²⁴ Public Law 116-321.

²⁵ HHS (2017). HITECH Act Enforcement Interim Final Rule.

²⁶ Exec. Order No. 14028, 3 C.F.R. 26633-26647 (2021).

²⁷ Ohio Data Protection Act, Senate Bill 220 (2018)

²⁸ An Act Incentivizing the Adoption of Cybersecurity Standards for Business, Connecticut Public Act No. 21-119 (2021).

²⁹ See Appendix K – Frequently Asked Questions.

³⁰ DOE (n.d.), p. 3.

³¹ Chew, E., Swanson, M., Stine, K., Barol, N., Brown, A., and Robinson, W. (2008, July). Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1). Gaithersburg, MD: NIST.

³² DHS (n.d.). Cybersecurity: Cyber Physical Systems Security.

³³ FDA (n.d.). Medical Devices: Digital Health Center of Excellence: Cybersecurity.