Skip to main content
Skip to footer
    cybersecurity
    Health system operations

    Strengthening Health Care Cybersecurity with the National Institute of Standards and Technology Framework

    by Cerner Corporation

    Published on 5/13/2019

    Estimated read time: 4 minutes

    Insider threats, the cloud, ransomware, cyberattacks and security breaches: These phrases put many on edge, especially those working in health care. In fact, health care organizations experience an average of nearly 32,000 intrusion attacks per day – twice as much as any other industry. As security threats continue to rise, health care organizations are taking extra steps to ensure all critical information is being protected. Now, more than ever, there is a need for systems to adhere to security standards and guidelines that are applicable across multiple sectors of critical infrastructure.

    Some organizations, like Cerner, have leveraged the recommendations established by the National Institute of Standards and Technology’s cybersecurity framework to align with top security measures. NIST – a federal agency within the United States Department of Commerce – provides a set of best practices, standards and recommendations to aid in improving cybersecurity measures that underpin a formalized framework. The first version of the NIST cybersecurity framework was published in 2014, updated and publicly circulated in 2017 and made publicly available on April 16, 2018.

    The framework includes five major components – Identify, Protect, Detect, Respond and Recover.

    Building a sustainable, repeatable health care security program

    Despite the dire need for pervasive information security, many organizations don’t know where to start when it comes to cybersecurity and/or controls testing. Fortunately, the NIST framework provides a foundation on which organizations can build a customized and effective security program. As every organization has unique risks, threats and vulnerabilities, it is important to recognize that the NIST framework isn’t a one-size-fits-all approach. It is best used as guidance that can be adjusted based on an organization’s situations and needs.

    Before an organization makes any determinations, it is wise to complete an annual security risk assessment to establish a baseline. Here are five more practical steps to consider:

    1. Coordinate with all stakeholders first, specifically emergency management, to establish a security program aligned with the NIST Cybersecurity Framework 1.1.

    2. Confirm that your security program expands and supports your business objectives, strategic plans, mission and high-level priorities.

    3. Facilitate and encourage a culture of learning and continual improvement around security. Spread the message that security impacts everyone.

    4. Conduct a business impact analysis to guide decision-making based on business value and critical services and applications that elevate the organization. Use the analysis to determine the organization’s ability to handle risk.

    5. Identify assets, including data, and build a program around policies and processes to support standard work for asset intake, cataloging, maintenance and disposal.

    Organizations should also examine data classification, protection and retention; developing data flows for critical applications that handle Protected Health Information; setting future-state goals for addressing and mitigating risks; and creating policies and procedures that cover topics such as HR corrective action, appropriate system usage, sanctions and information security/encryption.

    Enhancing your security posture and reducing risk

    At Cerner, we aim to set the pace of health care’s transformation. We continue to align with the NIST framework as we have since its initial public release in 2014. Providing a dedicated focus to identify any gaps in the framework ensures that our services and solutions are parallel to the specific needs of our customers.

    By aligning to these standards, Cerner is addressing our clients’ issues and demands and relentlessly advancing their successes, while establishing our own security posture. At the same time, we are taking into consideration geography, regulatory and privacy demands and technologies being delivered in on-premise, private/public cloud or hybrid-based environments. With the goal in mind to ignite the next era of health care breakthroughs, Cerner transports solutions to market with a holistic approach by aligning its security solutions to the NIST model.

    To learn more about Cerner’s approach to cybersecurity solutions or to request your cybersecurity risk assessment, visit our website at https://www.cerner.com/pages/security.

    What-does-it-take-to-be-a-RTHS image
    Ep. 225: Addressing healthcare workforce challenges
    Multiple Authors | 11/19/2021
    In this episode, Dick Flanigan, senior vice president, Cerner, is joined by Nate Shinagawa, FACHE, chief operating officer, Banner Ocotillo Medical Center. They discuss healthcare workforce trends and how organizations can implement strategies around retention, clinician burnout and more.
    PODCAST-What-does-it-take-to-be-a-RTHS image
    Ep. 224: What does it take to be a real-time health system?
    Lisa Gulker | 11/17/2021
    In this episode, Bob Robke, vice president, real-time health system and clinical products, Cerner, is joined by Lisa Gulker, senior director, health system operations and clinical surveillance, Cerner. They discuss COVID-19’s impact on how health system leaders use real-time and predictive data and the challenges of managing scarce and expensive resources to address growing health needs. 
    BLOG_listicle_LearningStrategy image
    5 elements of a successful learning strategy
    Darren Nipper | 10/20/2021
    Prioritizing a robust learning strategy is essential to ensure end users are comfortable with the electronic health record (EHR), efficient in their workflows and spending as much time as possible caring for patients. In this blog, we’ll share five elements to consider as you work to develop a data-driven, end-to-end learning approach for your organization.