HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

WEDI Makes Healthcare-Specific Recommendations for Improving the NIST Cybersecurity Framework

The Workgroup for Electronic Data Interchange (WEDI) has responded to the request for information from the National Institute of Standards and Technology (NIST) and has made several recommendations for improving the NIST cybersecurity framework and supply chain risk management guidance to help healthcare organizations deal with some of the most pressing threats facing the sector.

Ransomware is one of the main threats facing the healthcare industry, and that is unlikely to change in the short to medium term. To help healthcare organizations deal with the threat, WEDI has suggested NIST increase its focus on ransomware and address the issue of ransomware directly in the cybersecurity framework. NIST published a new ransomware resource in February 2022, which contains valuable information on protecting against, detecting, responding to, and recovering from ransomware attacks. WEDI feels the inclusion of ransomware within the cybersecurity framework will expand the reach and impact of the resource.

WEDI has also recommended including specific case studies of healthcare organizations that have experienced a ransomware attack, updating the framework to define contingency planning strategies based on the type of healthcare organization, and issuing guidance with a focus on contingency planning, execution, and recovery. Ransomware attacks on healthcare providers carry risks that are not applicable to other entities. Further guidance in this area would be of great benefit to healthcare providers and could help to minimize disruption and patient safety issues.

Healthcare organizations have been developing patient access Application Programming Interfaces (APIs) and applications (apps) which are covered by HIPAA, and are therefore required to incorporate safeguards to ensure the privacy and security of any healthcare data they contain. WEDI, however, has drawn attention to the lack of robust privacy standards applicable to third-party health apps that are not covered by HIPAA. WEDI says there is a need for a national security framework to ensure that healthcare data obtained by third-party apps are held to appropriate privacy and security standards.


The number of risks and vulnerabilities to portable and implantable medical devices has grown at an incredible rate in recent years and those risks are likely to grow exponentially in the years to come. WEDI has recommended NIST address cybersecurity issues related to these devices directly in the cybersecurity framework, and also address the issue of insider threats. Many healthcare data breaches are caused by insider threats such as lost electronic devices, phishing and social engineering attacks. WEDI suggests these issues and security awareness training should be addressed in the cybersecurity framework.

WEDI has also recommended NIST develop a version of its cybersecurity framework that is targeted at smaller healthcare organizations, which do not have the resources available to stay informed about the latest security developments and implement the latest security measures and protocols. A version of the framework that is more focused on the threats faced by smaller organizations would be of great benefit and should include realistic proactive steps that can be taken by small healthcare organizations to mitigate risks.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.