Strengthening Health Care Cybersecurity with the National Institute of Standards and Technology Framework

by Cerner Corporation

Published on 5/13/2019

Insider threats, the cloud, ransomware, cyberattacks and security breaches: these phrases put many on edge, especially those working in health care. Health care organizations experience an average of nearly 32,000 intrusion attacks per day, twice as many as any other industry. As threats continue to rise, health care organizations are taking extra steps to ensure that critical information is protected. Now, more than ever, systems need to adhere to security standards and guidelines that apply across multiple sectors of critical infrastructure.

Some organizations, including Cerner, have used the recommendations in the National Institute of Standards and Technology’s Cybersecurity Framework to align with leading security practices. NIST, a federal agency within the United States Department of Commerce, publishes the standards, best practices and recommendations that underpin the framework. Version 1.0 of the framework was published in February 2014; a draft of version 1.1 was circulated for public comment in 2017, and the final version 1.1 was released on April 16, 2018.

The framework is organized around five core Functions: Identify, Protect, Detect, Respond and Recover. Each Function is broken down into categories and subcategories of security outcomes, which an organization maps to its own controls and measures itself against.

Building a sustainable, repeatable health care security program

Despite the dire need for pervasive information security, many organizations don’t know where to start when it comes to cybersecurity and/or controls testing. Fortunately, the NIST framework provides a foundation on which organizations can build a customized and effective security program. As every organization has unique risks, threats and vulnerabilities, it is important to recognize that the NIST framework isn’t a one-size-fits-all approach. It is best used as guidance that can be adjusted based on an organization’s situations and needs.

Before making any of these determinations, an organization should complete an annual security risk assessment to establish a baseline. Here are five more practical steps to consider:

  1. Coordinate with all stakeholders first, specifically emergency management, to establish a security program aligned with the NIST Cybersecurity Framework 1.1.

  2. Confirm that your security program supports and extends your business objectives, strategic plans, mission and high-level priorities.

  3. Facilitate and encourage a culture of learning and continual improvement around security. Spread the message that security impacts everyone.

  4. Conduct a business impact analysis to guide decision-making based on business value and on the critical services and applications the organization depends on. Use the analysis to determine the organization’s risk tolerance.

  5. Identify assets, including data, and build a program around policies and processes to support standard work for asset intake, cataloging, maintenance and disposal.

Organizations should also examine data classification, protection and retention; develop data-flow diagrams for critical applications that handle Protected Health Information; set future-state goals for addressing and mitigating risks; and create policies and procedures covering topics such as HR corrective action, acceptable system use, sanctions and information security/encryption.

Enhancing your security posture and reducing risk

At Cerner, we aim to set the pace of health care’s transformation. We have aligned with the NIST framework since its initial public release in 2014. Dedicated effort to identify gaps against the framework ensures that our services and solutions track the specific needs of our customers.

By aligning to these standards, Cerner addresses its clients’ issues and demands and advances their success while strengthening its own security posture. We also take into account geography, regulatory and privacy requirements, and the technologies being delivered in on-premises, private/public cloud or hybrid environments. With the goal of igniting the next era of health care breakthroughs, Cerner brings solutions to market with a holistic approach by aligning its security solutions to the NIST model.

To learn more about Cerner’s approach to cybersecurity solutions or to request your cybersecurity risk assessment, visit our website at