Building Cybersecurity Resilience in American Rural Hospitals: Embracing the NIST CSF to Tackle Evolving Threats

by Mike Hamilton, Founder and CISO of Critical Insight, 08/09/2023


To stop ransomware terrorists from locking up our Nation’s hospitals, the Federal Government is pushing patient-focused entities to align with a standard. It means more work for hospitals, but it’s necessary. Hospitals are regulated by HIPAA through the Department of Health and Human Services (HHS), which now requires the use of the NIST Cybersecurity Framework (CSF) as the basis for cyber risk assessment. The Feds issued the new requirement because of the need to standardize critical infrastructure and increase resiliency in all areas, but especially in rural healthcare.

The problem is clear, of course: Ransomware terrorists know that hospitals, especially small and rural ones, are good attack targets.

  • They cannot afford downtime, as that would lead to bad patient outcomes.
  • Negative publicity matters, significantly.
  • They typically have good insurance policies.
  • Either through insurance or not, they are known to pay ransoms.
  • They are understaffed and under-resourced to fight the attackers.

But even smaller organizations can use the NIST CSF to build a security program that better protects them. For organizations not familiar with the CSF, here’s how it works: The CSF is an outcome-based framework, meaning that it is not prescriptive with respect to specific controls. Instead, it defines outcomes to be achieved, and the specific organization determines how to accomplish them. For example, the CSF says, “Remote access is managed,” but doesn’t say how to do it. Instead, the covered entity is responsible for determining the approach, which may differ for small and rural hospitals and critical access facilities compared to larger institutions.

Another cause for this shift can be traced back to the Colonial Pipeline cyberattack. Two years ago, the Colonial Pipeline fell victim to a ransomware attack. It became evident that the Transportation Security Administration (TSA), the sector-specific agency responsible for setting security requirements for pipelines, failed to provide the necessary guidance. Since the NIST CSF was designed precisely for this purpose, it was readily available to gather and organize information on security controls and processes in an organization. Consequently, it became the basis for the guidance from the Environmental Protection Agency (EPA) for the water sector, TSA for pipelines, HHS for the healthcare sector, and others.

While convenience and expediency are the primary motivations, there are other benefits to the federal government advocating for using the CSF in its efforts to secure critical sectors. By requiring these sectors to adopt a standard methodology, we can achieve consistent application of security outcomes across sectors in a well-defined manner. This consistency also facilitates analysis, which can assist in risk assessment. Insurance companies have faced challenges in accurately pricing cyberattack risks, since the decades of actuarial data their pricing models rely on do not yet exist for cyber risk. As a result, they have suffered financially. Aggregating information across critical sectors, where the US Government has oversight, can serve as the basis for risk pricing and determining whether and how the government may intervene as a reinsurer.

The NIST CSF can evolve from a tool for aligning with standards of practice to one for risk management and budgeting. By categorizing undesired outcomes (theft, extortion, records disclosure, disruption) and assessing their impact on patient care, fields can be added to each control objective for two estimates: the likelihood that such an outcome occurs because the objective is not met, and the impact on the organization if it does. The product of these two terms yields a semi-quantitative risk assessment. Identified risks are then assigned a disposition (accept, avoid, mitigate using controls, or transfer through insurance).

Each risk to be mitigated can be categorized based on how the mitigation will be addressed, such as using internal resources, hiring professional or managed services, or making a capital purchase for a tool. When properly utilized, this process results in a formal risk assessment using the preferred tool, a corrective action roadmap, and budget estimates for implementing those corrective actions.
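The scoring, disposition and budgeting steps described in the two paragraphs above, worked through as an added example; this is not code from the article or from Critical Insight. It assumes a 1-to-5 scale for likelihood and impact, a simple acceptance threshold on their product, and a sample register in which only “Remote access is managed” is wording the article quotes; the other outcome strings are paraphrased in CSF style, and every score and dollar figure is constructed.

```python
"""Semi-quantitative risk register built on NIST CSF outcomes (added example).

Each entry ties a CSF outcome to the undesired results its shortfall could
enable, scores likelihood and impact, receives a disposition, and, where
mitigated, records how the fix will be delivered and what it is expected
to cost. The mitigated entries roll up into a corrective-action roadmap
and a budget by delivery approach. All sample data below is constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Disposition(Enum):
    ACCEPT = "accept"
    AVOID = "avoid"
    MITIGATE = "mitigate"      # reduce with controls
    TRANSFER = "transfer"      # e.g. cyber insurance


class Approach(Enum):
    INTERNAL = "internal resources"
    SERVICES = "professional or managed services"
    CAPITAL = "capital purchase (tool)"


SCALE = range(1, 6)  # likelihood and impact are both scored 1 (low) .. 5 (high)


@dataclass
class Risk:
    csf_outcome: str                      # the control objective being assessed
    undesired_outcomes: Tuple[str, ...]   # theft, extortion, records disclosure, disruption
    likelihood: int                       # chance the outcome occurs because the objective is unmet
    impact: int                           # effect on patient care / the organization if it does
    disposition: Optional[Disposition] = None
    approach: Optional[Approach] = None
    budget_usd: int = 0

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.csf_outcome}: likelihood and impact must be 1-5")

    @property
    def score(self) -> int:
        # semi-quantitative risk = likelihood x impact, so 1..25
        return self.likelihood * self.impact


def default_disposition(score: int, accept_at_or_below: int = 4) -> Disposition:
    """Assumed policy: low-scoring risks are accepted, the rest are mitigated
    unless the organization has explicitly chosen to avoid or transfer them."""
    return Disposition.ACCEPT if score <= accept_at_or_below else Disposition.MITIGATE


def apply_dispositions(register: List[Risk]) -> List[Risk]:
    """Fill in a disposition for every entry that does not already have one."""
    for risk in register:
        if risk.disposition is None:
            risk.disposition = default_disposition(risk.score)
    return register


def roadmap(register: List[Risk]) -> List[Risk]:
    """Corrective-action roadmap: mitigated risks, highest score first.
    A mitigation without a delivery approach cannot be budgeted, so it is rejected."""
    actions = [r for r in register if r.disposition is Disposition.MITIGATE]
    for risk in actions:
        if risk.approach is None:
            raise ValueError(f"{risk.csf_outcome}: mitigation needs a delivery approach")
    return sorted(actions, key=lambda r: (-r.score, r.csf_outcome))


def budget_by_approach(register: List[Risk]) -> Dict[str, int]:
    """Budget estimate for the roadmap, grouped by how each fix is delivered."""
    totals: Dict[str, int] = {}
    for risk in roadmap(register):
        key = risk.approach.value
        totals[key] = totals.get(key, 0) + risk.budget_usd
    return totals


def build_sample_register() -> List[Risk]:
    """Constructed sample data for a small hospital; not real assessment results."""
    return [
        Risk("Remote access is managed", ("extortion", "disruption"), 4, 5,
             approach=Approach.SERVICES, budget_usd=36_000),
        Risk("Data-at-rest is protected", ("records disclosure",), 3, 4,
             approach=Approach.CAPITAL, budget_usd=25_000),
        Risk("Backups of information are conducted, maintained, and tested",
             ("disruption", "extortion"), 2, 5,
             approach=Approach.INTERNAL, budget_usd=8_000),
        Risk("Physical access to assets is managed", ("theft",), 2, 2),
        Risk("Cybersecurity is included in human resources practices",
             ("theft", "records disclosure"), 3, 2, disposition=Disposition.TRANSFER),
    ]


if __name__ == "__main__":
    register = apply_dispositions(build_sample_register())
    for risk in roadmap(register):
        print(f"{risk.score:>2}  {risk.csf_outcome}  [{risk.approach.value}] ${risk.budget_usd:,}")
    print("budget by approach:", budget_by_approach(register))
```

The register is the piece of this that a hospital actually owns: the threshold, the scales and the dollar figures are placeholders to be replaced with the organization's own policy, and the disposition field is deliberately left open so that an explicit avoid or transfer decision is never overwritten by the default rule.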

The shift towards the NIST CSF is a strategic response to growing cyber threats, particularly ransomware attacks, targeting America’s healthcare system. Despite the added workload for healthcare entities, the standardized application of security outcomes promises to build resilience across the sector. Moreover, the framework enables accurate risk assessments, paving the way for effective risk management and budgeting strategies.

It becomes crucial, therefore, for hospitals and healthcare institutions – both urban and rural – to understand and embrace the NIST CSF, using it to build and budget for a robust security program. Through such collective action, we can enhance the cybersecurity posture of our healthcare infrastructure and ensure the seamless delivery of healthcare services, protecting them from the crippling effects of cyber threats. As we continue navigating an increasingly interconnected digital landscape, it’s clear that our nation’s healthcare strength hinges on our collective commitment to cybersecurity.


About Mike Hamilton

Mike Hamilton, Founder and CISO of Critical Insight and formerly Vice-Chair for the DHS State, Local, Tribal, and Territorial Government Coordinating Council for critical infrastructure protection, works directly with hospitals and local governments in rural areas, providing security guidance and methodologies.
