TRIMEDX Senior Vice President of Cybersecurity Scott Trevino recently contributed an article to Healthcare IT Today and Healthcare Business Today about NIST 2.0 and how health systems should adapt to the changes. The full article, as it appeared Nov. 20, 2024, is below.
Cybersecurity programs around the world are working to implement the National Institute of Standards and Technology’s Cybersecurity Framework (CSF) 2.0. NIST 2.0 has significant enhancements, including the addition of the ‘govern’ function. By aligning their cyber programs with NIST 2.0, health systems can better safeguard against emerging threats and ensure compliance with regulatory requirements, ultimately improving patient safety and trust.
The new ‘Govern’ function
NIST 2.0 instructs organizations to incorporate cybersecurity into their broader risk management strategy. The new ‘govern’ function informs how organizations achieve the other five original functions in the framework: identify, protect, detect, respond, and recover. It highlights the fact that organizations shouldn’t view these functions individually, but rather as pieces of a unified, comprehensive cybersecurity strategy.
The govern function encourages leadership to take an active role in guarding against cyber threats, by making sure their organization’s cyber strategy, expectations, and policies are established, communicated, and monitored. The new function bridges the gap between cybersecurity operations and executive decision-making, ensuring the entire organization is aligned in its approach.
Unique challenges for healthcare organizations
Integrating the ‘govern’ function into healthcare organizations presents unique challenges, though it will ultimately allow health systems to have more resilient and proactive cybersecurity programs.
To establish a clear governance structure, a health system must have an accurate view of its medical device inventory. Even though this is a foundational element of a robust cybersecurity program, many organizations struggle to accurately keep track of their connected and connectable clinical assets. TRIMEDX has found inventory inaccuracies may be as high as 40%. This can substantially damage a cybersecurity program’s effectiveness when more and more devices are becoming network-connected.
Health systems must first address this challenge by gaining full visibility of what devices they have and the risks associated with them. Once health systems gain this understanding, they can be confident in understanding their risk and putting the people, processes, and technologies in place to mitigate it.
Establish a mission, strategy, and clear responsibilities
To adapt to the new function, health systems should evaluate their cybersecurity policies, supporting processes, technologies, and associate training and competency and make sure they’re aligned with the overall goals of excellent patient care, data protection, regulatory compliance, and system resilience. Health system leaders should consider their organization’s unique mission, stakeholder expectations, and risk appetite when building their governance framework.
System leaders need to include defined roles, responsibilities, decision-making processes, and reporting structures within the framework. They should also provide clear, consistent guidance to ensure organizational buy-in and resource allocation.
Once health systems establish a governance framework, it can inform how they structure teams and resources. This structured approach makes cross-departmental coordination clearer, more efficient, and more effective–ensuring incident response is not isolated, but rather integrated into the organization’s structure.
The ‘govern’ function also requires clear communication protocols. Health systems must establish effective communication before, during, and after cybersecurity incidents. This will expedite the work of incident response teams and make them more collaborative and effective.
Measure effectiveness and prepare for growth
The ‘govern’ function places high importance on measuring the effectiveness of cybersecurity programs. Health systems should develop metrics and key performance indicators (KPIs) that allow them to confidently see what’s working and what needs improvement. These metrics should be reported to senior leadership on a regular basis. Health systems with strong governance efforts will also conduct regular risk assessments and adjust as needed.
A key component of a successful cybersecurity program is scalability. When a cybersecurity program is aligned with the health system’s broader goals, priorities, and risk tolerance, health systems can better prepare for organizational growth and the increased cyber incident volumes that follow. A unified team will be able to expand their response teams and allocate resources effectively.
The introduction of the ‘govern’ function is a significant shift in how cybersecurity programs should be structured and managed. Health systems should seize this opportunity to enhance their cybersecurity risk posture by uniting people, processes, and technology toward a common cybersecurity goal.
This type of approach allows health systems to comply with the new standards while also building a more resilient and strategic cybersecurity program to better protect patients, data, operations, and organizational reputation.