NIST Standards , Standards, Regulations & Compliance
Why Health Entities Need to Implement NIST Cyber FrameworkBob Bastani of HHS ASPR Describes Perks of a Strategic Approach to Managing Risk
Healthcare entities need to think more strategically about managing risk by implementing a robust cybersecurity framework such as the National Institute of Standards and Technology's CSF, said Bob Bastani, cybersecurity adviser at the Department of Health and Human Services.
Acknowledging that many entities struggle with security frameworks, in March, the HHS office of the Assistant Secretary for Preparedness and Response released an updated guide to help healthcare and public healthcare sector entities implement the NIST cybersecurity framework, he said.
"We are trying more and more to encourage the healthcare sector to use the CSF framework," Bastani said in an interview with Information Security Media Group during the 2023 Healthcare Information Management and Systems Society Global Health Conference and Exhibition in Chicago.
The framework generally helps organizations create a strategic approach for managing risk to identify areas that need to be strengthened or new processes that can be implemented, he said. "Frameworks provide a context to organizations on how to view risk, and that contextual view is important."
An update to the HITECH Act in 2021 also provides an added incentive for HIPAA-regulated entities to implement the NIST CSF, Bastani said (see: Bill Spells Out New Factors to Weigh in Setting HIPAA Fines).
The amendment requires HHS' Office for Civil Rights to review whether a covered entity or business associate has adequately demonstrated that "recognized security practices" were in place during the prior 12 months before the agency determines a potential enforcement action against organizations in HIPAA violation or breach cases.
"This makes it even more attractive to use the CSF," he said.
In this interview with Information Security Media Group (click audio link below photo), Bastani also discusses:
- Other important aspects for healthcare sector entities implementing a cybersecurity framework;
- Evolving cyberthreat and data breach trends in the healthcare and public health sector, including nation-state, ransomware and distributed denial-of-service attacks;
- What the healthcare sector needs to know about the Biden administration's national cybersecurity strategy.
Bastani, senior cybersecurity adviser for critical infrastructure in the office of the Assistant Secretary for Preparedness and Response at the Department of Health and Human Services, also co-leads the governmentwide cybersecurity coordinating council for the health sector and the joint healthcare and public health sector cybersecurity working group. Prior to joining HHS, Bastani worked for IBM in various cybersecurity leadership and advisory roles.