NIST to release new guidance for strengthening hospital cybersecurity
The National Institute of Standards and Technology is poised to deliver new cybersecurity guidance, according to NIST fellow Ronald Ross.
NIST offers a security framework, developed for the federal government, that helps organizations understand, select and implement security controls.
Ross likened the NIST framework, developed for the federal government under the Federal Information Security Modernization Act, to a very large catalog of privacy and security controls to safeguard the enterprise from hostile cyberattacks.
And the latest iteration comes as the proliferation of advanced technologies is rapidly exceeding healthcare executives’ ability to protect their organizations from cyberthreats, Ross added, because every new system or device expands an organization’s attack surface.
“Organizations are buying as much IT as fast as they can to obtain greater capabilities,” Ross explained.
With that mad rush to embrace new technologies, however, there are certain things that healthcare organizations cannot control, such as operating systems or databases, for which the best they can really do is keep pace with the patches vendors like Microsoft and Oracle distribute.
Ross said that in the forthcoming guidance NIST is working to reduce the complexity of systems security engineering.
“The best way to describe the concept is like this: When you fly on an airplane or cross a bridge, you do so because you trust the airplanes we fly and the bridges we cross, you have confidence in the people who designed and built them,” he said.
To that end, the guidance will include best practices for building software and systems that are both secure and trustworthy.
“We can build and deploy systems that we can trust, too, in a hospital environment, so the systems can better withstand cyberattacks, are more penetration-resistant, and limit the damage an adversary can do if an attack comes through the perimeter,” Ross said.