HIMSS presses NIST to keep cybersecurity framework voluntary for organizations

As HIMSS sees it, the framework could be used as a tool to develop a common set of processes in relation to privacy and information security risk management.
By Bernie Monegain

HIMSS is pushing the National Institute of Standards and Technology to keep its Framework for Improving Critical Infrastructure Cybersecurity voluntary.

HIMSS, which represents more than 52,000 health IT professionals, wrote to NIST on Monday in response to its request for information. NIST has extended the original Tuesday comment deadline to Feb. 23.

NIST noted it was looking for ways in which the framework is being used to improve cybersecurity risk management; how best practices for using the framework are being shared; the relative value of different parts of the framework; the possible need for an update of the framework, and options for long-term governance of the framework.

As HIMSS sees it, the framework could be used as a tool to develop a common set of consensus-based, private sector-led guidelines, best practices, methodologies, procedures and processes in relation to privacy and information security risk management.

Since many healthcare organizations could benefit from improving their risk management process and better addressing cybersecurity risks, HIMSS supports the idea that the Framework could be useful in helping healthcare organizations improve their security posture, wrote HIMSS President and CEO H. Stephen Lieber and HIMSS Board Chair Dana Alexander in their response.

They also discussed how NIST's Cybersecurity Framework serves to inform organizations that need to create or update their own risk management program. Whether an organization is standing up a new cybersecurity program or already has a sophisticated program in place, the Framework has the potential to serve it well in advancing its capabilities for addressing cybersecurity risk.

NIST first released Version 1.0 of the framework in February 2014. It is among a handful of security best practices and guidance standards gaining purchase in healthcare, including HITRUST Common Security Framework, ISO/IEC 27002 and Control Objectives for Information Technology, or COBIT.

Responses will contribute to shaping NIST's decision-making about how to strengthen the framework and, ideally, the nation's critical infrastructure.

Twitter: @HealthITNews