“We think a lot about trust, how we can build trust into technology so we can realize its potential to serve our society and the public good,” said Cherilyn Pascoe, director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, as she opened the cybersecurity forum ahead of HIMSS24 Monday in Orlando.
“Our mission goes all the way back to the U.S. Constitution as one of the founding agencies,” she told top leaders in healthcare cybersecurity there to discuss best cybersecurity practices and strategies to secure data and ultimately protect healthcare.
She noted that the founding of NIST was featured in a recent Saturday Night Live sketch in which General Washington made the choice of the American system of weights and measures.
“NIST in particular has made General Washington’s dream come true by doing truly great work in standardization, including developing the Advanced Encryption Standard, which has now delivered hundreds of millions of dollars in economic value to the United States, and improved security for all.”
Pascoe’s keynote at the “Mitigating Cyber Threat Risks Across the Healthcare Enterprise: Strategies that Protect” forum emphasized the importance of collaboration, and she shared details about NIST’s ongoing cybersecurity work and its implications.
Collaboration in action
While NIST, as a non-regulatory agency, has expanded its work into all areas of cybersecurity, its success depends on working with each sector it focuses on, she explained.
“The work we really excel at is working with communities, identifying the key challenges facing the community and then working with that community,” Pascoe said, noting that NCCoE works with “some of the best minds in the world to help identify solutions” to address the cyber risks they face.
In February, NIST updated its Cybersecurity Framework with version 2.0 – a major overhaul.
“The framework has been around for the last ten years, which is really remarkable when you think about how much the cybersecurity landscape has changed over the last ten years, the changes in technology and risk – and it has really endured.”
Key to that update was a collaboration with an international community of experts, Pascoe said.
“We’ve worked with thousands of people who use the framework, telling us how they use it and how it needs to be updated,” she said.
“And that’s all reflected in the latest version we just released.”
Pascoe also shared a slide listing the names of 34 healthcare organizations that have signed collaborative research and development agreements with the agency.
In addition to developing NIST’s newest framework – the AI Risk Management Framework – the agency will work over the next one to two years to update the privacy framework to version 1.1. She encouraged attendees to participate because CSF is “meant to be enjoyed” and “used together.”
Collaborate with vendors to implement frameworks
The NCCoE is a collaborative center, so “the goal is for NIST not to be the one to identify what’s important, but for all of you to tell us where there are still significant cybersecurity challenges that one company or one vendor alone can’t fix,” Pascoe said.
To demonstrate how to secure a remote patient telehealth ecosystem—the total security architecture of healthcare organizations, telehealth providers, and patients—using NIST cybersecurity, privacy, and risk management frameworks, the agency partnered with the University of Mississippi Medical Center and Inova Health System.
“Both are now using the work we have developed at the center,” Pascoe said.
“And not only are they using it internally within their own organizations, but they have now developed guidance on how to provide their patients with additional tools to help keep them safe,” she said.
The latest project that NCCoE is taking on looks at both the security and privacy of genomic data.
“It’s one that has caught the attention of both Congress and the White House, as well as many within the industry,” she said.
Because there isn’t much guidance on genomic cybersecurity, “it’s a real gap that we hope to fill with our work at the center,” she said.
Working with the cybersecurity and privacy frameworks, the center will develop guidance specifically for genomic cybersecurity data.
“We’re basically sitting in a lab, working with equipment, working with standards, and really trying to make this happen so that the guidance that we create can be practical and actionable for the community,” she said.
Advice to HIMSS24 cyber forum visitors
NIST frameworks are a very powerful tool that can be used by organizations to help reduce service disruptions, Pascoe said.
“It is also very clear that business leaders must be responsible for cybersecurity,” she said.
“We love it when we see CEOs of organizations talking publicly about how they’re using NIST’s cybersecurity framework, how they’ve strengthened their cybersecurity teams.”
“It is also very clear that improving the security of technology products increases the security of healthcare.”
When organizations think about cybersecurity, they need to look at it in terms of mission-specific risk – company-specific risk – “especially because cybersecurity today is something that impacts the mission of every organization,” Pascoe said.
She also reminded attendees that while NIST frameworks are industry neutral, there are customized tools available. Chief among these are NIST’s Implementation Guide for the Healthcare Sector Coordinating Council’s Cybersecurity Framework, unveiled at HIMSS23 and updated last month, and NIST’s HIPAA Cybersecurity Resource Guide.
Finally, she advised cyber forum participants that as they walk through the exhibitor hall at HIMSS24, they should remember NIST’s secure software development framework.
“As you walk around the vendor floor this week and see all the different technologies that are available to you, I really want you to consider asking different companies: Are you using the NIST framework for secure software development?”
“If not, walk away,” and “If they say, hey, we’re using NIST standards, ask them which ones,” she said.
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.