NIST urged to help small healthcare providers, add ransomware to framework

As malware- and ransomware-based intrusions will continue to plague healthcare into the foreseeable future, the Workgroup for Electronic Data Interchange (WEDI) is urging NIST to combine its ransomware guide to its flagship cybersecurity framework to provide the sector with much-needed support.

WEDI is a formal advisor for the Department of Health and Human Services Secretary, with a keen focus on advancing standards for data exchange and promoting data privacy and security. The group leveraged their experience to provide healthcare-specific recommendations to NIST in its request for information on the cybersecurity framework.

In mid-February, NIST issued an RFI seeking industry feedback on its flagship cybersecurity framework and supply chain risk management guidance. WEDI issued comments based on its insights from the healthcare sector, noting the NIST resources could be modified to better address some of the most pressing issues facing the sector.

In light of the persistent risk and threats posed by third-party apps, medical devices, and a lack of awareness and access to model cybersecurity policies in healthcare, NIST can assist providers by providing further resources and updating its cybersecurity framework, WEDI officials explained.

Although the NIST cybersecurity standard “represents the benchmark for those seeking to develop a comprehensive cybersecurity program” in healthcare, WEDI believes there should be a stronger focus on ransomware.

NIST issued a ransomware-specific guide in February, but WEDI believes it would best serve providers if it could be incorporated directly into the cybersecurity framework to address the current, persistent state of ransomware threats, which “is driving a lot of resource allocation on the part of healthcare entities.” By merging the two resources, WEDI believes it would better serve the healthcare sector.

The guides could also be improved with the addition of specific case studies of healthcare ransomware victims of varying organizational size, along with the addition of ransomware-focused insights on contingency planning, execution and recovery.

Ransomware attacks against healthcare organizations pose severe risks not faced by other sectors, as disruptions to operations can impact patient care and morbidity. Adding contingency planning strategies to its flagship guide, specific to healthcare, would greatly benefit the sector, as well.

The framework should also include examples of how vendors, providers and health plans have mitigated these attacks and deployed contingency plans to minimize impact on patient care.

Risks from APIs and apps not addressed by NIST

WEDI also urged NIST to address the risk of Application Programming Interfaces (APIs) and applications to address risks posed by the HHS interoperability push. As previously reported, data shows there’s a need for an API standard to ensure the privacy and security of data in transit and at rest.

A number of industry stakeholder groups have raised concerns that the apps designed to support interoperability “lack the robust privacy standards applicable to the large percentage of third-party app developers not directly associated with covered entities, and therefore not covered under the Health Insurance Portability and Accountability Act.”

Further, there’s no federally recognized certification or accreditation for these apps, which means there’s an increased risk for inappropriate disclosure of protected health information. Congress has been working on the effort in recent years, but stakeholders have warned a federal standard is likely a long way off.

In light of these risks and roadblocks, WEDI mused that NIST could develop the framework “required to ensure that healthcare data obtained by third-party apps is held to appropriate privacy and security standards.”

WEDI also recommended the addition of security standards to address portable and implantable medical devices and malicious and accidental insiders threats to the cybersecurity framework, which can address Bluetooth connectivity, Windows, cloud; and even wireless keyboards.

The risks posed by insiders and these technologies are expected to “exponentially increase in the coming years,” with the continued expansion of medical devices to address common health issues. WEDI added “the need for proper device management and monitoring, as well as the protection of sensitive information is equally important to providing medical care for patients.”

The framework should also include insights around phishing-related threats.

Lastly, NIST should also develop a framework tailored to smaller organizations, which may not have the resources needed to apply the best practice measures outlined in the NIST framework. It should be noted the HHS issued a five-volume guidance in 2019, broken down by entity size and type.

In addition to these recommendations, WEDI urged NIST to break down existing government cybersecurity silos that could impede progress on critical infrastructure cybersecurity. NIST should also bolster its educational partnerships to support the sector with needed steps to improve overall cyber hygiene and partner with provider entities on cyber education.

For example, NIST could reach out to The Health Sector Coordinating Council (HSCC), made up of hundreds of private and public sector organizations, which could support the dissemination of the cybersecurity guidance and resources to a wide healthcare audience. WEDI also offered to leverage its educational sessions to promote the use of the guidance.

WEDI’s comments support an ongoing push to shift healthcare from its use of HIPAA as the security standard, to NIST’s framework. For comparison, HIPAA has just 42 controls to adhere to, compared with hundreds of constantly evolving standards from NIST.

“Allocating sufficient resources to address security issues is often a significant challenge,” WEDI officials wrote. “Recognizing this, the role of the federal government is to identify and make available to the industry the best possible protocols, policies, and procedures.”

“We urge NIST to promote cyber hygiene tactics through every available communication channel, with an emphasis on smaller healthcare organizations,” they added.