In 2015, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) in response to a requirement of Executive Order 13636, Improving Critical Infrastructure Cybersecurity.
The order also called on sector-specific agencies like the Department of Health and Human Services (HHS) to “coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.”
Toward that end, the Health Sector Coordinating Council public-private partnership and HHS recently released the Health Care and Public Health Sector Cybersecurity Framework Implementation Guide to help health care organizations align their cybersecurity practices with NIST’s cybersecurity framework to better protect the health care and public health (HPH) sector.
According to the guide, “Today’s climate of increasingly sophisticated cyberattacks exploit fragmented hospital infrastructures, an often-unwieldy number of applications and legacy, and network-connected medical devices, which can negatively impact patient care, cripple business operations, expose sensitive health data, and negatively impact a company’s reputation and market value. Additionally, lack of attention to regulatory compliance increases the risk to care delivery in addition to fines and other penalties, these risks drive corporate boards and executive management teams to adapt to this ever-changing threat landscape and improve their overall approach to cyber governance and security.”
While the American Society for Health Care Engineering’s “Best Practices Framework for Health Care Cyber Protection of MEP Systems” monograph, on which the accompanying article is based, focuses on best practices to mitigate cyber-risk for mechanical, electrical and plumbing (MEP) systems, it is important that health care facilities professionals are not only aware of, but also actively participate in, the health care organization’s overall cybersecurity framework. Ensuring that the cybersecurity framework is integrated across all aspects of the health care organization’s cyber profile will ultimately provide the greatest security across the entire system.
Additionally, MEP systems can, and do, provide access to vital networks within an organization’s cyber platform. Ensuring that these access points are included within the organization’s overall cybersecurity framework is vital.