Securing health IT infrastructure from cyberattacks


Donna Dodson, Deputy Cyber Security Advisor at the National Institute of Science and Technology, speaks at the CyberCon 2015 conference at the Ritz-Carlton Pentagon City in Arlington, Va., on Wednesday, November 18, 2015. (Mike Morones/Staff)

With cybersecurity continuing to be a pressing issue to the future of health IT, the National Institute of Standards and Technology has been looking at how its critical infrastructure research can best serve the health care sector.

Speaking at the HIMSS conference on Feb. 19, NIST Associate Director and Chief Cyber Security Adviser Donna Dodson outlined how ongoing research in the agency’s National Cybersecurity Center of Excellence is examining cyber issues in the health care sector and beyond.

“One of our major business sectors that we work with today is in health care. So how do you take [NIST tools] into the world of health care?” she said.

“What we do at the center is we take the business challenge: How do you bring business and cybersecurity technology together, what are those business challenges and, then, what does — based on a business management approach — does a cybersecurity architecture look like and, equally importantly, what products and services are out there based on standards that we can demonstrate back to you to show it really works?”

The center provides frameworks, implementation strategies and other services to federal agencies, state and local government and non-profits to strengthen their cybersecurity.

NCCoE released its first cybersecurity practice guide, on securing electronic health records for mobile devices, in 2015, and NIST has rolled out an updated version of its Cybersecurity Framework, a multi-tiered assessment structure for different organizations to determine their cybersecurity posture.

The center also partnered with the private sector to craft a cybersecurity guide to safeguard wireless infusion pumps in 2015.

For the future, Dodson said NCCoE is also looking at research into data integrity as it relates to ransomware.

“We have a number of capabilities we are looking at in the center that are core to the business challenges you are facing,” she said. “We are very interested in additional kinds of things that as the health care community you all feel challenged on.”

But she added that the research and guides that NCCoE publishes should not be seen as a cybersecurity silver bullet, since every industry and business is different. Rather, they act as a resource to consider when evaluating risk management.

“We are not saying, by any means, that anyone needs to use these products and these services,” Dodson said. “What we are saying is if you are using this kind of capability, think about these kinds of configuration settings. Think about these kinds of security controls.”

Find more information on the NCCoE and its projects on its website.