HIMSS24 Cyber Forum keynote stresses collaboration on standards
ORLANDO – "We think a lot about trust, how to build trust into technology so that we can realize its potential to serve our society and the public good," said Cherilyn Pascoe, Director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, as she opened the preconference Healthcare Cybersecurity Forum at HIMSS24 on Monday.
"Our mission dates all the way back to the U.S. Constitution as one of the original agencies," she told top healthcare cybersecurity leaders there to discuss the best cybersecurity practices and strategies to secure data and ultimately protect healthcare delivery.
She noted that the establishment of NIST was included in a recent Saturday Night Live sketch featuring George Washington choosing the U.S. system of weights and measures.
"NIST, in particular, has filled General Washington's dream by doing some really great work in the standardization space, including the development of the advanced encryption standard, which has now provided hundreds of millions of dollars of economic value to the United States, and enhanced security for all."
Pascoe's keynote at the forum, Mitigating Cyber Threat Risks Across the Healthcare Enterprise: Strategies that Protect, stressed the importance of collaboration, and she shared details about NIST's ongoing cybersecurity work and its impacts.
Collaboration in action
While NIST has expanded its work into all areas of cybersecurity as a nonregulatory agency, its success depends on collaboration with each sector it focuses on, she explained.
"Work that we really excel at is on working with communities, identifying kind of the significant challenges that the community is facing and then working with that community," Pascoe said, noting that NCCoE is working with "some of the best minds around the world to help identify solutions," to address the cyber risks they face.
In February, NIST updated its Cybersecurity Framework with Version 2.0 – a major overhaul.
"The framework has existed for the past decade, which is really remarkable when you think about how much the cybersecurity landscape has changed in the past 10 years, the changes in technology and risk – and it really has endured."
Key to that update was a collaboration with an international community of experts, said Pascoe.
"We worked with thousands of people that are using the framework – told us how they're using it, how it should be updated," she said.
"And all of that is reflected in the newest version that we just released."
Pascoe also shared a slide showing the names of 34 healthcare organizations that signed cooperative research and development agreements with the agency.
In addition to developing NIST's newest framework – the AI risk management framework – over the next one to two years, the agency will be working to update its privacy framework to version 1.1, and she encouraged attendees to engage, since it is "meant to be stapled" to CSF and "used together."
Working to implement frameworks
The NCCoE is a collaboration center, so "the goal is for NIST to not be the one to identify what's important, but for all of you to tell us what are the areas where there are still significant cybersecurity challenges that one company or one vendor alone cannot solve," said Pascoe.
To showcase how to secure a telehealth remote patient ecosystem – the total security architecture across healthcare delivery organizations, telehealth providers and patients – using NIST cybersecurity, privacy and risk management frameworks, the agency worked with the University of Mississippi Medical Center and Inova Health System.
"Both are now using the work that we've developed at the center," said Pascoe.
"And not only are they using it internally within their own organizations, but they've also now developed guidance on how to provide additional tools for their patients to protect their security as well," she said.
The latest project NCCoE is taking up looks at both the security and privacy of genomic data.
"It's one that has attracted attention from both Congress, as well as the White House, as well as many within the industry," she said.
Since there is not a lot of guidance on genomic cybersecurity, "it's a real gap that we hope to be able to fill with our work at the center," she said.
Working with the cybersecurity and privacy frameworks, the center will develop guidance specifically for genomic cybersecurity data.
"We're actually in a lab, working with equipment, working with standards, really trying to make this real so that the guidance that we create can be practical and actionable for the community to leverage," she said.
Advice to HIMSS24 attendees
NIST frameworks are a really powerful tool that can be leveraged by organizations to help reduce service, Pascoe said.
"It's also very clear that business leaders need to be responsible for cybersecurity," she said.
"We love it when we see CEOs of organizations publicly talking about how they're using the NIST cybersecurity framework, how they have empowered their cybersecurity teams."
"It's also really clear that improving the security of technology products increases the security of healthcare."
When thinking about cybersecurity, organizations must look at it as a mission-specific risk – a business-specific risk – "especially because today, cybersecurity is something that affects every organization's mission," Pascoe said.
She also reminded attendees that while NIST frameworks are sector-neutral, tailored resources are available. Chief among them are the Healthcare Sector Coordinating Council's NIST cybersecurity framework implementation guide, unveiled at HIMSS23, and NIST's HIPAA cybersecurity resource guide, updated last month.
Finally, she advised cyber forum attendees, as they walk through the exhibitor hall at HIMSS24, to remember NIST's secure software development framework.
"As you walk around the vendor floor this week and see all of the different technologies that are available to you, I really want you to consider asking different companies, are you using the NIST secure software development framework?"
"If not, walk away," and "If they say, hey, we're using NIST standards, ask them which one," she said.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.