The CIO’s Guide to Security Frameworks in Healthcare

Earlier this year I had the pleasure to jump on a call with several CHIME CIOs to discuss security awareness, industry certifications, and what matters most to CIOs, CSOs, and CTOs when it comes to cloud security. As the Chief Technology Officer at Spok, I wanted to better understand the security expectations and requirements that hospital leaders have, especially regarding their HIPAA business associates.

The CIOs I spoke with were most familiar with the National Institute of Standards and Technology’s Cybersecurity Framework, commonly known as NIST CSF and/or HITRUST CSF®, but there was not consensus on which is most widely adopted.

Our discussion came on the heels of the 2018 HIMSS Cybersecurity Survey report, which included some concerning key findings. The report corroborated what I heard from the CIOs: no universally adopted security framework exists among healthcare organizations. What’s more, 17 percent of respondents in the report said no security framework has been implemented at their organization.

If no universal standard exists, what are hospital leaders doing, and what’s considered best practice? The commonly asked questions below shed some light on the state of security frameworks in the industry.

Who’s using which framework?

NIST CSF and HITRUST CSF are the clear security front-runners. CIOs I have spoken with describe NIST CSF as more comprehensive. Yet, several indicate they have not adopted a framework—instead, they’re using a hybrid model of one or more.

Here’s a breakdown of security frameworks that have been adopted by healthcare organizations, according to the HIMSS Cybersecurity Survey. Note that respondents were able to select more than one.

  • Critical Security Controls: 25%
  • No framework: 17%
  • Don’t know: 8%

I recently discovered new data on this topic, released in CHIME Healthcare’s Most Wired National Trends 2018 report. This report shows adoption of security frameworks shifting from entirely self-developed to NIST CSF (78 percent) and HITRUST CSF (40 percent). Although it’s unclear from this report the degree of overlap and whether respondents are completing the framework in its entirety, it does show that only 19 percent are self-developing their program.

The Most Wired Trends 2018 report outlined several additional components of a comprehensive security program. These include having:

  • Dedicated senior security leader (i.e. CISO) and cybersecurity committee
  • Adequate security budget
  • Established governance and board-level oversight committees
  • Regularly reported gaps in security and progress to the board

I was astonished to find that only 29 percent of respondents have what’s considered a comprehensive security program (defined as having all the components listed above). I found these statistics even more alarming:

  • 10 percent of organizations lack mobile device management
  • 12 percent lack unique user identifications or physical device locks
  • 14 percent lack encryption for removable storage devices
  • 18 percent lack encryption for backups

Which security framework do hospitals expect their business associates to use?

This was the question I was particularly interested in understanding. As a CTO with a software technology company partnering with more than 1,900 U.S. hospitals and health systems, I want to ensure the Spok security program meets the expectations of our customers. As you’d expect, given the lack of a universally adopted framework among hospitals, CIOs are telling me there isn’t one framework they’d expect their HIPAA business associates to have adopted. Instead, hospitals appear to be taking their own individualized approach. This doesn’t mean they’re lax with their vendors. Some require outside penetration tests conducted by a third party—while others have created extensive and rigorous vendor assessments, usually taking components of NIST CSF and HITRUST CSF. There was agreement that cloud vendors will be scrutinized more closely, with higher expectations around security. In this instance, a security framework is considered a requirement, in addition to seeing the vendor’s testing results.

What’s stopping healthcare from adopting a framework of choice?

The leaders I spoke with told me about numerous challenges and barriers. Several CIOs were very frank, explaining that it often comes down to what’s realistic. IT departments are trying to do what they can with limited staff and limited resources and funding. I asked what resources these CIOs use to keep up on the changing landscape of security: many rely on conferences and other opportunities to network with colleagues on this topic—such as those offered through CHIME.

In fact, fewer than one third of respondents in the CHIME Most Wired report say they participate in formal groups such as the Cyber Information Sharing and Collaboration Program (CISCP) or the National Cybersecurity and Communications Integration Center (NCCIC).

NIST vs. HITRUST: Which will healthcare choose?

Even though healthcare has yet to nail down its security framework of choice, it appears to be a top-of-mind topic among security leaders, and these two options are the front-runners. Nevertheless, Spok is working diligently today to align our security program closely with the security expectations healthcare IT leaders establish in the coming years.