In February, National Institute of Standards and Technology (NIST) released its updated Cybersecurity Framework (CSF 2.0), which included a newly added Govern function, as well as target profiles to help companies better evaluate and improve their cybersecurity strategies. We spoke with Dave Bailey, VP of Consulting Services at Clearwater Security, about how these updates can enhance cybersecurity in healthcare and MedTech organizations.

How does the Govern function in the NIST CSF 2.0 help healthcare organizations better understand their cybersecurity risks?

Bailey: Adding the Govern function into NIST CSF 2.0 underscores the need for leadership in healthcare organizations to play an active role in cybersecurity. Governance enables effective and proper risk management, including the determination of risk tolerance and establishing a risk threshold. This includes building executive-level support to achieve your cybersecurity goals.

Leadership sets the tone in an organization on the importance of cybersecurity and addressing cyber risks. It has the power to remove roadblocks and allocate resources for cybersecurity investments. This is critical to an organization’s ability to dedicate time, people, and financial resources to continually assess risk and implement reasonable and appropriate controls to safeguard data. Organizations are at greater risk when they don’t understand their risks and don’t lean forward in addressing the threats from today’s adversary.

What is a “target profile” under CSF 2.0, and how do these help companies evaluate and improve their security strategies?

Bailey: A target profile under NIST CSF 2.0 represents the priority and desired future state of the organization’s security program. Alignment of security strategy to the organization’s strategic plan is critical to overall mission success. Establishing a security profile under NIST and conducting continual evaluation will demonstrate growth of the program and alignment to the strategic plan.

As the healthcare industry continues to be a prime target for cybercriminals, what can healthcare organizations learn from this new framework?

Bailey: There are many lessons to learn from the release of version 2.0. The framework is adding and emphasizing critical categories and sub-categories to enhance the ability of the healthcare industry to understand its current security posture, understand and manage its cybersecurity risks, and demonstrate alignment to strategic initiatives and mission success. In addition to the focus on governance, two sub-categories to call out include platform security and technology infrastructure resilience. Platform security is key to ensure assets that store and process protected information have reasonable and appropriate controls in place to protect data and minimize the impacts to today’s cyber threat actors.

A key goal of the healthcare and public health industry is to achieve cyber resiliency, and the new technology infrastructure resiliency sub-category is intended to ensure security architectures are managed to protect asset confidentiality, integrity, and availability. This is key to ensure organizations can effectively operate under duress and return to operations with minimal impacts during disruptive cyberattacks.