Dedicated to providing the latest
HIPAA compliance news

NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee

Share this article on:

Cybercriminals may not be targeting small healthcare practices to the same extent as large health systems, but as the OCR’s data breach portal shows, cyberattacks on small healthcare organizations occur frequently.

When cyberattacks occur they can be catastrophic for small businesses. Figures from the National Cybersecurity Alliance suggest 60% of small businesses cease trading within 6 months of experiencing a cyberattack. Faced with the financial burden of resolving a data breach, it is no surprise that so many businesses fail to make it through the next six months.

In order to prevent cyberattacks and keep sensitive health data secure, small healthcare organizations must effectively manage cybersecurity risks. However, many cybersecurity resources and security frameworks have been developed for medium to large sized businesses. Smaller organizations typically lack the necessary resources to be able to implement highly effective cybersecurity defenses and few have skilled cybersecurity staff to monitor and manage cybersecurity risks.

NIST has developed a cybersecurity framework to help organizations protect critical infrastructure, and while adoption of the framework can be advantageous for many businesses, for smaller organizations the demands are too great.

Late last year, NIST released a new guide specifically to help small businesses improve their cybersecurity posture. The guide was based on the NIST Framework for Improving Critical Infrastructure Cybersecurity and outlined best practices and standards and explained how an information security program can be implemented that balanced security with the capabilities of small businesses. Now further guidance for small businesses will be issued, following the approval of new legislation by the U.S. House Committee on Science, Space, and Technology last week.

The NIST Small Business Cybersecurity Act of 2017 calls for the National Institute of Standards and Technology to provide small to medium sized businesses with new guidance to allow them to reduce cybersecurity risk.

The NIST Small Business Cybersecurity Act requires NIST to develop clear and concise guidelines and make available appropriate tools, best practices, standards and methodologies to help small businesses identify, assess, manage and reduce cybersecurity risks. Those tools and guidelines will be based on the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The new act does not make it mandatory for small businesses to access and follow the new guidance and best practices, although using the new resources will help small businesses effectively manage risk and prevent data breaches. The guidance and best practices, when completed, will be made available through the NIST website.

According to Chairman Lamar Smith (R-Texas), “The NIST Small Business Cybersecurity Act will help ensure that our small businesses have the information they need to protect themselves from cyber-attacks.”

Due to a squeeze on spending at NIST, the costs of developing the new resources and guidelines will have to be found from its existing budget. NIST has been given a year to develop and release the new guidance and resources.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On