Health Sector Coordinating Council Cybersecurity Working Group Asks NIST for Guidance Specific to Small and Lesser-Resourced Entities

The Health Sector Coordinating Council Cybersecurity Working Group has asked the US National Institute of Standards and Technology (NIST) to provide guidance for small and lesser-sourced healthcare organizations. The request comes in response to NIST’s request for comment on SP 800-66r2 initial public draft; it asks NIST to “create an entirely separate document specifically for small and mid-sized entities that expresses in plain English why practicing good cyber hygiene is imperative for compliance, business operations and, ultimately care delivery and patient safety.”

Note

• The HSCC’s comments mainly focus on NIST making sure that, to aid smaller healthcare organizations, SP 800-66 reference the resources produced by the 405(d) program that is a collaboration between HHS and private industry. Good idea – many of these are aimed at getting the basics across to smaller businesses impacted by HIPAA. On the security controls side, the Center for Internet Security Critical Security Controls has resources for smaller entities and how Implementation Group 1 of the Controls reaches the essential security hygiene level including mapping to the NIST Cybersecurity Framework.
• The risk is having too many guidance documents. It’s better to include a tailored approach for controls, such as with SP 800-53, with appropriate guidance on how different factors, such as size, are to do that. Then you’re more likely to be on the same page with regulators about the path you followed to implement needed controls.

Read more in

• Response to NIST Request for Comment on SP 800-66r2 initial public draft (PDF)
• Healthcare industry group asks NIST for security guidance for small, low-resourced providers