Cyberattacks targeting organizations continue to escalate in frequency and sophistication. Recent cyber breaches and events have significantly increased the attention and focus on cyber risk management, and compelled more organizations to understand their current level of cybersecurity preparedness and the level of effort required to satisfactorily address current and emerging cyber threats.
To help all industries address these rising threats, the National Institute of Standards and Technology (NIST) issued the Framework for Improving Critical Infrastructure Cyber Security, also referred to as the NIST Cyber Security Framework. The intent of the NIST Cyber Security Framework, created through collaboration between industry and government, is to provide high-level guidance around information protection standards and best practices to help critical infrastructure, including the Healthcare and Public Health Sector, manage cybersecurity risk consistently and effectively. NIST recommends that organizations evaluate and incorporate the requirements and guidance outlined in the NIST Cyber Security Framework in the context of their overall information protection requirements. Organizations should add the necessary industry- or sector-specific requirements (e.g., regulations, policies, best practices) to ensure information is adequately protected and cyber risk is properly controlled. This is an important element, as the NIST Cyber Security Framework was not intended to be implemented without development of appropriate industry- and organization-specific requirements.
The HITRUST Risk Management Framework (RMF)—consisting of the HITRUST CSF, HITRUST CSF Assurance and supporting methods and tools—provides a harmonized set of reasonable and appropriate safeguards specifically designed to address healthcare-related information security and privacy threats and to satisfy due diligence and due care requirements for the adequate protection of sensitive information. The HITRUST RMF also provides a standard, consistent means of sharing information security and privacy risk information with internal and external stakeholders, such as executive management, regulators and business partners. It also ensures compliance with relevant regulatory and other best practice requirements, such as HIPAA, CMS, PCI-DSS, and various ISO and NIST standards, including the Cyber Security Framework.
The Risk Management Framework (RMF) is the “common information security framework” for the federal government and its contractors. The stated goals of RMF are:
RMF effectively transforms traditional Certification and Accreditation (C&A) programs into a six-step life cycle process consisting of:
The NYSA team has experience implementing cybersecurity processes based on the new Risk Management Framework for the DoD, Federal Agencies, and the commercial and healthcare industries. Members of the NYSA team are certified Healthcare CISSP (HCISSP) and fully trained in the HITRUST Risk Management Framework.