By Joseph E. Fishel, CBET, MBA
Which cyber standard is right for you? There are several standards and frameworks available from various organizations. This isn't an exact science, and vulnerabilities come from many directions, so there is no single cure-all. These frameworks are primarily recommendations built on best practices developed in the IT world, and their generic quality allows for customization. Because much of our medical equipment has an IT component, we need to look at how to create plans, policies and procedures to protect that equipment from an attack and to recover from one.
Winston Churchill is often credited with saying "He who fails to plan is planning to fail." This is as true in the biomed world as anywhere: it is why we do preventive maintenance, to keep equipment from failing. A cyber plan needs to be treated the same way as a Medical Equipment Maintenance Plan (MEMP): it documents what we do and how we do it to maintain our medical equipment on the network side. The plan needs to be reviewed regularly and kept as a living, working document.
The standards I am familiar with are CIS CSC 19, COBIT 5, ISA 62443-2-1:2009, ISO/IEC 27001:2013 and NIST SP 800-53; there are others. Readers who have worked with the NIST Cybersecurity Framework will recognize this list: the CSF Core cites exactly these documents as informative references for each of its subcategories, and the specific control and clause numbers that appear with the framework names below (CSC 19, DSS03.04, 4.3.4.5.2) are the kind of pointers found in those reference columns, not the names of the frameworks themselves. The first question to ask is "Does your institution already have a cybersecurity standard or framework in use, and if so, which one?" If it does, that works to your advantage: you only need to put your medical-equipment information into the existing plan.
If you don’t have a plan, let’s look at some of your options.
CIS CSC 19
CIS is the Center for Internet Security, and the CIS Critical Security Controls (CIS CSC, now simply the CIS Controls) are its prioritized list of 20 safeguards, grouped in version 7 into Basic (1-6), Foundational (7-16) and Organizational (17-20) controls. "CIS CSC 19" refers to Control 19, Incident Response and Management, not to a separate product. Beyond the Controls, CIS publishes configuration Benchmarks for common operating systems, databases and network devices and offers membership services such as monitoring and hardened images. For organizational controls, the CIS Controls are the guideline to start with. One caveat: version 8, released in 2021, reorganized the list into 18 controls, so control numbers in older crosswalks no longer line up and you should record which version your plan cites.
COBIT 5 DSS03.04
COBIT 5 is a framework created by ISACA for the governance and management of enterprise information technology. ISACA is an international professional association focused on IT governance, audit and assurance. COBIT defines a generic set of IT processes, each with process inputs and outputs, key activities, process objectives, performance measures and an elementary maturity model. The "DSS03.04" reference is a single management practice (Resolve and close problems) inside the DSS03 process, Manage Problems, in the Deliver, Service and Support domain; every COBIT identifier follows this domain-process-practice pattern, which makes it easy to cite at whatever level of detail your plan needs. Note that COBIT 5 has since been superseded by COBIT 2019, so check which edition your IT governance group actually references.
ISA 62443-2-1:2009 4.3.4.5.2
ANSI/ISA-62443-2-1 (2009), Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program, is a standard from the International Society of Automation (ISA) that has been approved by ANSI; it was originally published as ISA-99.02.01 and is adopted internationally as IEC 62443-2-1. The "4.3.4.5.2" is a clause number within the document, not part of the standard's name. The standard describes the elements of a cybersecurity management system for the industrial automation and control systems environment and provides guidance on how to meet the requirements for each element. Medical devices are not industrial control systems, but they share the traits the standard was written for: embedded, long-lived, vendor-managed equipment that cannot simply be patched or scanned like an office PC, which is why its management-system approach transfers well to a biomed program.
ISO/IEC 27001:2013
ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS) within the context of the organization, and includes requirements for assessing and treating information security risks tailored to the organization's needs. Its Annex A lists the reference controls (the "A.16.1.x" style identifiers you will see in crosswalks). Unlike the other frameworks here, 27001 is a certifiable standard: an accredited body can audit the ISMS and issue a certificate, which matters if your institution wants to demonstrate conformance to partners or regulators. The 2013 edition has since been replaced by ISO/IEC 27001:2022.
NIST SP 800-53 Rev. 4
This is published by the National Institute of Standards and Technology (NIST) and is a catalog of security and privacy controls for federal information systems and organizations (Rev. 5, published in 2020, has since replaced Rev. 4). Because it is a government catalog, federal agencies such as the Food and Drug Administration (FDA) and the Centers for Medicare and Medicaid Services (CMS) are required to apply it to their own applications and network communications under FISMA. It does not by itself bind hospitals; for a healthcare organization it serves as a very detailed control catalog to draw from, and it underlies many of the informative references in the NIST Cybersecurity Framework, whose core functions the FDA cites in its medical-device cybersecurity guidance.
Homegrown
The final option is a homegrown program, built when your group pulls the best, or the most applicable, elements from each of these frameworks and combines them into one document that matches your institution's current practices. Since no law or accreditor currently mandates a particular framework (HIPAA's Security Rule requires a risk analysis and safeguards for electronic PHI but does not prescribe one), and all of these are recommended best practices at this time, this approach is acceptable until a law is passed or a certifying group such as The Joint Commission or CMS sets a framework requirement. The caveat with a homegrown plan is that you lose the ready-made mapping to a published standard, so record which framework each element came from as you build it.
When selecting a cyber framework, list out the requirements of each and review what it recommends against what you already do and what aligns with your current programs. Once that is done, review the other frameworks and create a crosswalk that matches their controls to your program. That way, if you are using COBIT and someone wants to see how compliant you are with NIST, the answer is easy to show.
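The crosswalk just described is usually kept in a spreadsheet, but it is worth seeing the logic as code, because the gap list it produces is what an auditor asks for. The following Python is an added example, not part of the original article or any framework publisher's material. It assumes two constructed CSV tables: one mapping the institution's own MEMP practices to the CIS Control each implements, and one illustrative CIS-to-NIST SP 800-53 crosswalk. The control pairings in the sample data are plausible but made up for the example; substitute the mappings your institution has actually reviewed.

```python
"""Two-hop crosswalk: internal practices -> framework A controls -> framework B
controls, reporting which framework B controls are evidenced and which are gaps.
Added example; the sample rows below are constructed, not an official mapping."""
import csv
import io
from collections import defaultdict

# Constructed: the institution's practices and the CIS Control each one implements.
PROGRAM_TO_CIS = """practice,cis_control
Medical device inventory in the CMMS,CIS CSC 1
Quarterly vulnerability review of networked devices,CIS CSC 3
Device incident response procedure,CIS CSC 19
"""

# Constructed illustrative crosswalk from CIS Controls to NIST SP 800-53 Rev. 4.
# CIS CSC 17 (awareness training) is included with no matching practice on purpose.
CIS_TO_NIST = """cis_control,nist_control
CIS CSC 1,CM-8
CIS CSC 3,RA-5
CIS CSC 3,SI-2
CIS CSC 19,IR-4
CIS CSC 19,IR-8
CIS CSC 17,AT-2
"""


def load_mapping(csv_text, key, value):
    """Read a two-column CSV into {key_value: set(value_values)}.
    A set is used because one practice or control may map to several targets."""
    mapping = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        mapping[row[key].strip()].add(row[value].strip())
    return mapping


def build_crosswalk(program_csv, crosswalk_csv):
    """Return (coverage, gaps).

    coverage: {target_control: set(practices)} listing the internal practices
              that evidence each framework B control, reached via framework A.
    gaps:     sorted framework B controls in the crosswalk with no practice behind them.
    """
    practice_to_a = load_mapping(program_csv, "practice", "cis_control")
    a_to_b = load_mapping(crosswalk_csv, "cis_control", "nist_control")

    coverage = defaultdict(set)
    for practice, a_ids in practice_to_a.items():
        for a_id in a_ids:
            for b_id in a_to_b.get(a_id, ()):
                coverage[b_id].add(practice)

    all_targets = {b for ids in a_to_b.values() for b in ids}
    gaps = sorted(all_targets - set(coverage))
    return dict(coverage), gaps


def format_report(coverage, gaps):
    """Render the crosswalk as the plain-text table an auditor would expect."""
    lines = ["NIST control  Evidence (internal practice)"]
    for control in sorted(coverage):
        for practice in sorted(coverage[control]):
            lines.append(f"{control:<13} {practice}")
    for control in gaps:
        lines.append(f"{control:<13} GAP - no practice mapped")
    return "\n".join(lines)


if __name__ == "__main__":
    cov, gap_list = build_crosswalk(PROGRAM_TO_CIS, CIS_TO_NIST)
    print(format_report(cov, gap_list))
```

Swap in a different `CIS_TO_NIST` table (or an ISO 27001 Annex A or COBIT column) and the same function answers the question for that framework; the practice column is the one part that never changes, which is the point of anchoring the crosswalk on your own program rather than on any single standard.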
Joseph E. Fishel CBET, MBA, is the Healthcare Technology Systems Manager for Sutter Health eQuip Services.
