It was announced last week that NIST (National Institute of Standards and Technology) will be releasing new guidelines for hospital cybersecurity. NIST offers a security framework that was developed for the federal government that helps organizations understand, select and implement security controls. The imminent set of best practices will help healthcare organizations become more penetration-resistant, more effective at limiting damage attackers can inflict and ultimately better able to withstand cyberattacks.
NIST Fellow Ronald Ross has likened the NIST framework to a very large catalog of privacy and security controls to safeguard the enterprise from hostile cyberattacks. And the latest iteration comes as the proliferation of advanced technologies is rapidly exceeding healthcare executives’ ability to protect their organizations from cyberthreats, Ross added, because every new system or device expands an organization’s attack surface. “Organizations are buying as much IT as fast as they can to obtain greater capabilities,” Ross explained.
With that mad rush to embrace new technologies, however, there are certain things that healthcare organizations cannot control, such as operating systems or databases, for which the best they can really do is keep pace with the patches vendors like Microsoft and Oracle distribute.
In the forthcoming guidance he said that NIST is working to reduce complexity of systems security engineering. “The best way to describe the concept is like this: When you fly on an airplane or cross a bridge, you do so because you trust the airplanes we fly and the bridges we cross, you have confidence in the people who designed and built them,” he said. To that end, the guidance will include best practices for buidling software and systems that are both secure and trustworthy. “We can build and deploy systems that we can trust, too, in a hospital environment, so the systems can better withstand cyberattacks, are more penetration-resistant, and limit the damage an adversary can do if an attack comes through the perimeter,” Ross said.
As an IT professional protecting medical practices, I am anxious to see these new guidelines, and will be implementing them throughout our client base.