Heightened Cybersecurity Focus Amid Banking Uncertainty

  • Health care and life sciences
  • 3/21/2023

As if health care and life science companies weren’t already a target for cybercrime, cyber criminals are always looking for opportunities to exploit uncertainty, including the recent banking failures. Our recent CLA article provides a high-level look at this topic and the importance of cybersecurity vigilance, and it reminded me of another recent resource specific to health care, released by the Department of Health and Human Services (HHS).

HHS, through the Administration for Strategic Preparedness and Response (ASPR) and working jointly with the Health Sector Coordinating Council’s Cybersecurity Working Group (a public-private partnership for critical infrastructure protection), released a revised Cybersecurity Framework Implementation Guide. Public and private health care organizations can use the guide to understand and align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

That’s a lot of acronyms and information to unpack, which can seem a bit daunting. We break it down into understandable bites through the following questions and answers.

Q: What is the NIST Cybersecurity Framework?

The NIST Cybersecurity Framework is the result of collaboration between industry and government to develop a general framework for protecting critical U.S. infrastructure, one sector of which is health care. The Framework was first released in 2014 and updated in 2018 (version 1.1); another update (version 2.0) is being worked on right now.

The Framework is voluntary and consists of standards, guidelines, and practices that promote the protection of critical infrastructure. Its prioritized, flexible, repeatable, and cost-effective approach helps owners and operators of critical infrastructure manage cybersecurity-related risk. The Framework is designed to:

  • Provide guidance on risk management principles and best practices,
  • Provide common language to address and manage cybersecurity risk,
  • Outline a structure for organizations to understand and apply cybersecurity risk management, and
  • Identify effective standards, guidelines, and practices to manage cybersecurity risk in a cost-effective manner based on business needs.

Q: What does the NIST Framework help organizations do?

At a very high level, the Framework is designed to:

  • Ensure that people, process, and technology elements completely and comprehensively address information and cybersecurity risks consistent with business objectives, including legislative, regulatory, and best-practice requirements.
  • Identify risks arising from the organization’s business units’ use of information, and facilitate the avoidance, transfer, reduction, or acceptance of those risks.
  • Support policy definition, enforcement, measurement, monitoring, and reporting for each component of the security program, and ensure these components are adequately addressed.

Q: What does the new health care implementation guide do then?

Because the Framework is industry-agnostic, the guide describes ways to work through it that better reflect the specific circumstances of health care organizations.

How CLA can help

Health care and life sciences organizations need to keep cybersecurity risks top of mind. The top risks continue to be e-mail phishing attacks, ransomware attacks, theft or loss of data or equipment, accidental or intentional data loss, and attacks on connected devices. Beyond the blocking and tackling of these risks, deploying a robust cybersecurity framework can help. Doing so can also better align how cybersecurity (and not just IT) plays into governance and enterprise risk management.

You don’t have to go it alone. Whether you’re a single physician practice, a regional nursing home provider, a medical device company, or a health care system, CLA’s firm-wide cybersecurity practice and health care-specific cyber practice can help.

This blog contains general information and does not constitute the rendering of legal, accounting, investment, tax, or other professional services. Consult with your advisors regarding the applicability of this content to your specific circumstances.
