Improving the cybersecurity of medical systems by applying the NIST framework
Adriana-Meda Udroiu, Mihail Dumitrache, Ionut Sandu
Abstract
The paper tries to present how NIST Cybersecurity Framework (CsF) and HITRUST Model can be adapted and used to assess and improve the security of health care organizations, hard-pressed by the pandemic period. It also describes the application developed for helping health care organizations in the process of implementation of a cybersecurity program. Knowing that in the last two years there have been numerous cyber-attacks targeting both patients' personal data and scientific data on certain treatments, which has exposed medical systems to a wide range of risks regarding the theft, exploitation, unavailability or destruction of this sensitive information, we have chosen the development of a solution that will help improve cybersecurity in one of the critical sectors, namely the health sector. Therefore, we chose the NIST framework on cybersecurity (NIST CsF) to carry out an implementation aimed at improving the security of the critically chosen sector, the medical field and public health. For the evaluation (self-evaluation) of the organization, we chose a questionnaire also conducted by NIST, Baldrige Cybersecurity Excellence Builder (BCEB), which is compatible with the cybersecurity framework. Because NIST CsF is a universal and flexible cybersecurity guide for all critical sectors, in order to facilitate the modeling process for the medical field, we have also chosen to use the mapping of HITRUST (The Health Information Trust Alliance) frameworks (RMF - Risk Management and CsF - information security control measures) that are intended exclusively for the medical field.