Sector Specificity: The AHA and its Recommendations on the NIST Cybersecurity Framework

The American Hospital Association (AHA) has offered a number of recommendations to help improve the preliminary cybersecurity framework developed by the National Institute of Standards and Technology (NIST).

The framework, which can be found here, was published back in February of 2013.  It is voluntary in nature and aims to provide both private- and public-sector organizations with a common language and shared understanding of the cybersecurity threat landscape.  The framework does this by advancing five key cyber capabilities:  identify, protect, detect, respond, and recover.

The AHA’s recommendations are as follows.  First, it suggests that the NIST consider how different sectors have to negotiate variable implementation mechanisms in order to adopt the new cybersecurity standards.  Second, the AHA then asks the federal government to appreciate how much time it would take for it to comply with the new framework.  And finally, it requests that an effort be made to bridge the new framework with both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), which protect patients’ personal information using electronic records.

NISTTaken together, these recommendations present a challenge to NIST’s framework in that they question whether different sectors can reasonably be expected to operate according to the same cybersecurity standards.

But this is not the only problem associated with NIST.  Some cyber experts criticize the framework for failing to address, among other things, how businesses can work to reduce cybersecurity risks.  Too much emphasis is put on response, according to these individuals, and not enough on prevention.

Others believe that the significant costs of adopting the framework, which would require companies to draft a new cyber policy, establish procedures to strengthen the five cyber capabilities mentioned above, and encourage senior management to constantly work on a cybersecurity strategy, potentially deter businesses who might otherwise want to incorporate NIST’s standards into their company policy.

Finally, and perhaps most worrisome, companies are still confused about exactly what constitutes adoption of the framework.  This is a significant problem, especially for a voluntary framework which will struggle to enforce compliance in any event.

Ultimately, what AHA’s recommendations mean is that NIST’s framework may be well-intentioned, but it still has a ways to go before organizations can realistically hope to adopt it into their day-to-day functions.

In addition to the AHA, various other IT professionals and organizations have offered up comments so far.  These will be incorporated into a final draft, which is slated to be released in February 2014.

Dave BissonName: David Bisson

Twitter Handle: @DMBisson

Area of Expertise:

David specializes in cyber security as it relates to U.S. national security and to American military and strategic culture.

Professional Biography:

David is currently a senior at Bard College, where he is studying Political Studies and writing his senior thesis on cyberwar and cross-domain escalation.  He also works at the Hannah Arendt Center for Politics and Humanities at Bard College as an Outreach intern.  Post-graduation, David would like to leverage his extensive journalism experience as well as his interest in computer coding and social media to pursue a career in cyber security, both its practice and policy.

ISBuzz Staff
Expert Comments : 0
Security Articles : 2532

ISBuzz staff provides a brief synopsis and summary of the breaking information security news and topics to allow information security experts to provide their expert commentary on the breaking news or the topics.