NIST Announces Major Update to Its Widely Used Cybersecurity Guidance

The National Institute of Standards and Technology (NIST) announced on August 8, 2023, that its cybersecurity guidance was getting its first complete makeover since its release nearly a decade ago. After considering more than a year’s worth of community feedback, NIST released a draft version of the Cybersecurity Framework (CSF) 2.0, a new version of a tool it first released in 2014 to help organizations understand, reduce, and communicate about cybersecurity risk. The draft update, which NIST has released for public comment, reflects changes in the cybersecurity landscape and makes it easier to put the CSF into practice — for all organizations.

NIST is accepting public comment on the draft framework until Nov. 4, 2023. NIST does not plan to release another draft. A workshop planned for the fall will be announced shortly and will serve as another opportunity for the public to provide feedback and comments on the draft. The developers plan to publish the final version of CSF 2.0 in early 2024.

According to the release, the CSF provides high-level guidance, including a common language and a systematic methodology for managing cybersecurity risk across sectors and aiding communication between technical and nontechnical staff. It includes activities that can be incorporated into cybersecurity programs and tailored to meet an organization’s particular needs. In the decade since it was first published, the CSF has been downloaded more than two million times by users across more than 185 countries and has been translated into at least nine languages.

“Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature,” said NIST’s Cherilyn Pascoe, the framework’s lead developer. “At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game.”

A major goal of CSF 2.0 is to explain how organizations can leverage other technology frameworks, standards, and guidelines, from NIST and elsewhere, to implement the CSF. Bolstering this last effort will be the launch of a CSF 2.0 reference tool, which NIST plans to release in a few weeks. This online resource will allow users to browse, search, and export the CSF Core data in human-consumable and machine-readable formats. In the future, this tool will provide “Informative References” to show the relationships between the CSF and other resources to make it easier to use the framework together with other guidance to manage cybersecurity risk.

Pascoe said the development team is encouraging anyone with recommendations about the updated CSF to respond with comments by the Nov. 4 deadline.

“This is an opportunity for users to weigh in on the draft of CSF 2.0,” she said. “Now is the time to get involved if you’re not already.”

You can read the press release here.

Compliance Perspective

Issue

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Hackers seek to compromise digital devices, including computers, smartphones, tablets, and even entire networks. Nursing facility leaders and the Privacy Officer must collaborate with their IT department to ensure that the sensitive data housed within their computer systems is protected. All staff who have access to the computer network should be trained on best practices for preventing data breaches and on what they must do to assist in preventing them. All staff must fully understand how they can help safeguard PHI.

Discussion Points

    • Review policies and procedures related to HIPAA, PHI, and the Privacy Rule. Ensure that they address how to secure PHI and how to avoid falling prey to security breach efforts by unauthorized individuals. Update these documents as new information becomes available.
    • Train all staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, and unauthorized release of PHI. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred and file the signed training document in the employees’ education files.
    • Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff, and that each person demonstrates understanding and competency.

*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*