
NIST to release new guidance for strengthening hospital cybersecurity

The imminent set of best practices will help healthcare organizations become more penetration-resistant, effective at limiting damage from attackers.

Bill Siwicki, Managing Editor, Healthcare IT News

NIST fellow Ronald Ross said the agency is gearing up to publish new best practices that help hospitals avoid and withstand cyberattacks.

The National Institute of Standards and Technology is poised to deliver new cybersecurity guidance, according to NIST fellow Ronald Ross.

NIST offers a security framework that was developed for the federal government that helps organizations understand, select and implement security controls.

Ross likened the NIST framework, developed for the federal government under the Federal Information Security Modernization Act, to a very large catalog of privacy and security controls to safeguard the enterprise from hostile cyberattacks.

And the latest iteration comes as the proliferation of advanced technologies is rapidly exceeding healthcare executives' ability to protect their organizations from cyberthreats, Ross added, because every new system or device expands an organization's attack surface.

"Organizations are buying as much IT as fast as they can to obtain greater capabilities," Ross explained.

With that mad rush to embrace new technologies, however, there are certain things that healthcare organizations cannot control, such as operating systems or databases, for which the best they can really do is keep pace with the patches vendors like Microsoft and Oracle distribute.

Ross said that in the forthcoming guidance NIST is working to reduce the complexity of systems security engineering.

"The best way to describe the concept is like this: When you fly on an airplane or cross a bridge, you do so because you trust the airplanes we fly and the bridges we cross, you have confidence in the people who designed and built them," he said.

To that end, the guidance will include best practices for building software and systems that are both secure and trustworthy.

"We can build and deploy systems that we can trust, too, in a hospital environment, so the systems can better withstand cyberattacks, are more penetration-resistant, and limit the damage an adversary can do if an attack comes through the perimeter," Ross said.

Twitter: @SiwickiHealthIT