As cybersecurity threats continue to rise, healthcare organizations are under increasing pressure to prove they’re taking proactive steps to protect sensitive data. In this video, we explore the growing importance of the NIST Cybersecurity Framework and how it’s becoming a recognized standard not just for government agencies, but for any organization handling regulated health information. You’ll learn why aligning with NIST is more than a best practice – it’s becoming a critical compliance measure tied to broader regulatory frameworks like HIPAA and FISMA. Whether you’re managing technology, compliance, or operations, understanding how to apply NIST can help reduce risk, strengthen your security posture, and provide a clear path forward in an increasingly complex digital landscape.

Understanding NIST Compliance for Mid-Enterprise Medical Practices

Video Transcript

[0:00] hey guys uh back again at a new coffee
[0:04] shop this one’s called uh Moonflower
[0:09] and uh they just opened up I think a
[0:12] week or two ago
[0:15] uh today I wanted to talk about uh NIST
[0:19] uh as you can see on the screen here
[0:21] NIST is a cyber security framework
[0:25] um or NIST has a cyber security
[0:28] framework uh NIST stands for the
[0:31] National Institute of Standards and
[0:33] Technology
[0:34] um and it’s a government agency that was
[0:39] uh had an act of Congress committed to
[0:42] creating them uh what’s interesting
[0:45] about NIST is that uh
[0:50] all government agencies are are required
[0:53] to actually be compliant to NIST and if
[0:58] you’re a mid-enterprise specialty
[1:00] practice or any kind of mid-enterprise
[1:04] um practice delivering delivering
[1:07] medical services that is uh taking uh
[1:10] Medicare
[1:12] payments from CMS then you are now also
[1:19] uh in this same space
[1:23] uh as a government agency because you’re
[1:27] bound by HIPAA and HIPAA um is bound by
[1:31] FISMA
[1:33] um which is an act from the early 2000s
[1:37] uh which is basically saying you if you
[1:41] want to get government money uh then you
[1:46] can potentially
[1:48] uh be have a civil suit uh from OCR
[1:51] which is a division of um CMS which as
[1:55] part of HHS uh if you do not comply with
[1:59] HIPAA
[2:01] and um and so what’s interesting about
[2:04] this is the there’s been a lot of debate
[2:07] about whether or not um this is true
[2:10] meaning do we need to be compliant with
[2:15] um NIST CSF and unfortunately there is
[2:19] an Executive Order 13800 you can see it
[2:22] on the screen um that particular order
[2:26] uh here we are at cisa.gov which again
[2:29] FBI website which basically talks about
[2:34] um what you have to do uh to avoid a
[2:38] civil penalty uh from the OCR uh and
[2:42] basically this whole uh executive order
[2:46] is just simply stating that you need to
[2:49] be compliant to NIST CSF 2.0 so why is
[2:54] this a big deal well it’s a big deal
[2:57] because when when C CMS via OCR comes
[3:02] calling
[3:04] uh to talk to you about a potential
[3:07] breach to HIPAA if your NIST cert if
[3:12] you’re NIST compliant already
[3:15] they’re basically just going to go away
[3:17] they they being OCR knows that there’s
[3:20] no such thing as 100% foolproof
[3:24] uh you know way to uh protect yourself
[3:27] against hackers but if you’re following
[3:30] NIST uh then that’s good enough for them
[3:34] uh and and
[3:36] so I just wanted to bring up you that
[3:39] hey look um indeed
[3:43] CMS is talking about NIST uh on their
[3:47] website they want you to know what it is
[3:50] and oh by the way uh they are when they
[3:54] come calling they are going to ask you
[3:57] if you have um if you actually have
[4:02] your NIST missed compliance in place so
[4:06] here here’s question number 23 from a uh
[4:11] OCR audit that we were uh helping a
[4:15] company get through and uh if you you
[4:18] can see here in 23 it’s asking for
[4:21] recognized security practices and if you
[4:23] go down to F uh I it says um section
[4:27] 2C15 is National Institute of Standards
[4:30] and Technology Act well that’s they’re
[4:33] basically just saying uh uh in this
[4:35] question do you have any documentation
[4:37] that says you’re following NIST CSF 2.0
[4:41] um we’ve seen this now twice in the last
[4:44] 6 months uh in different audits uh and
[4:48] so
[4:50] I guess my advice to to you as a as a
[4:54] medical practice would be to get
[4:57] compliant with NIST CSF 2.0 and and the
[5:01] key points of NIST CSF 2.0 are um uh all
[5:08] around security and there’s a a ton of a
[5:13] ton of documentation on their website
[5:16] which is nist.gov.gov
[5:19] um and these are the the major pillars
[5:22] categories and and then there’s
[5:24] subcategories of these um but if you
[5:27] align your security
[5:30] um process around NIST and you do a
[5:34] proactive job of um documenting how
[5:38] you’re compliant month by month um when
[5:42] OCR comes a-calling you can you can give
[5:45] them the the big old Heisman with your
[5:47] NIST documentation and uh you’re off and
[5:50] running the other thing that’s
[5:51] interesting here is uh the cyber sec
[5:55] cyber insurance policies are now asking
[5:57] for NIST um and so if you’re an owner uh
[6:02] um of a a medical practice and you’re
[6:05] worried about you know your insurance uh
[6:08] in case of a breach NIST is going to is
[6:11] going to get you through or get you the
[6:12] best levels of insurance at the cheapest
[6:16] cost um a and it’s also going to protect
[6:20] you against civil suits so really
[6:22] aligning your practice with NIST is the
[6:24] way to go peace out
Cybersecurity for Mid-Size Medical Clinics: The #1 Flaw (And How to Fix It)
Phishing attacks are still one of the biggest threats to mid-size medical practices – and most of the “best practices” just aren’t cutting it. Cybersecurity training, policies, and filters? Everyone’s doing them. So why are we still getting phished? In this video, we explore a bold, practical solution: turning off internal email. Yep – you heard that right. Learn how mid-sized clinics can reduce phishing risk, boost collaboration, and modernize communication by shifting away from Outlook and embracing secure communication platforms. Whether you’re an IT lead or an executive in a mid-size physician practice, this is a must-watch if you’re serious about protecting your staff and systems.

The #1 Cybersecurity Flaw in Mid-Size Medical Clinics (And How to Fix It)

Video Transcript

[0:00] Hi guys, sitting here at my humble abode, sipping an espresso.
[0:14] This place is called Convivio. Just wanted to take a little bit of time to talk about phishing today. OK, this is CISA’s.
[0:29] This is basically the FBI’s website, uhm, and I just wanted to scroll down a little bit. Just point this out to you here.
[0:39] More than 90% of successful cyber attacks start with a phishing email. Hmm. If I was an, uh, owner of a mid-enterprise physician practice, I might be a little concerned about that.
[0:54] So what do we do to help protect ourselves against phishing? Well, let’s do what every IT and supposed IT executive leader does and go to AI, right?
[1:08] How do I protect myself from phishing? Here’s the classic AI list.
[1:29] Employee education. Yep, everybody does their WISER. Everybody does their KnowBe4. You know, everybody does their NINJIO. They think they’ve got their HRIS, LMS system that’s gonna train them.
[1:47] Enterprise does anywhere, period. Uhm, let’s go to technology defenses. Email filtering, anti-phishing software, everybody does it. Multi-factor authentication.
[2:00] Not everybody’s doing it, but it’s coming along. A lot more people are starting to get on the bandwagon.
[2:06] Uhm, software updates and patching. Everybody says they’re doing it anyway. Uhm, get some link protection, get some, you know, blah blah blah.
[2:19] More policy and procedure. Everybody has their policy and procedure, but nobody follows it. Right, so key consideration. Uhm, they’re constantly evolving.
[2:30] Stay up to date on the latest threats. So what does that mean? Well that means you probably need to get on a CISA.gov RSS feed so you know what’s going on.
[2:42] But who has time for that? Especially if you’re an IT guy in a mid-enterprise practice. You don’t have time for that.
[2:49] You’re trying to help some front desk person with their Outlook problem. Same thing if you’re an executive. You got some physician banging down your door.
[2:59] You’re not reading some RSS thread of emails coming from CISA.gov. A holistic approach — boy, that sounds like sales if I ever heard of it. That combines technology, education, and policy.
[3:19] Yeah, great, mid-enterprise practice. Let’s see how successful we are with that. We don’t have 20 guys in IT and 30 in HR like a large enterprise.
[3:29] Regularly reviewing and updating your security measures? Oh yeah, we all say we do that. So, if this is what you’re supposed to be doing, but you’re still getting phished, then why?
[3:44] Again, supposedly you’re doing all this. I would argue I haven’t seen a mid-enterprise medical practice doing all this, but let’s say you are and you’re still getting phished — well, why?
[4:00] Let’s see. What is Slack? Slack is a built-for-work app where you can instantly reach your team to communicate.
[4:14] OK, well, what’s Teams? Teams versus Slack, right? Microsoft Teams and Slack are both collaboration platforms.
[4:27] Large adoption of these platforms. Why? Well, the reason you’ve got large adoption is simple: they work. They increase collaboration, they’re easier to communicate, and guess what?
[4:44] It’s a closed ecosystem. You’re not getting phishing attempts in Teams or Slack. So, what can we do with a simple technology like this to protect against phishing?
[4:58] What if we turned off internal email so that people can’t send emails to each other internally? They can receive emails from the outside, but the front desk person can’t receive an email from the CEO.
[5:20] If you’re watching this right now and you’re an executive in a mid-enterprise medical practice, you live in Outlook.
[5:28] You couldn’t even imagine not having Outlook. Well, maybe what we should do is get with the times and implement a closed-loop communication platform that you already have in Teams or Slack.
[5:51] Train our staff how to use it so they get the benefits of it, which will naturally remove the need for email. So, we can get to a point, maybe a year from now, where we can turn off routing of internal email.
[5:58] If we turn off internal email now, phishing attempts can’t happen because if a front desk person gets an email from the CEO, they know immediately it’s phishing.
[6:29] Anyway, just wanted to give everybody a quick idea that they could be using to progress their company, a mid-enterprise practice, with all of the shortcomings and potential those practices have.
[6:35] Get with the times, have some competitive advantages, increase collaboration, and empower your staff while at the same time protecting yourself from phishing.
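The “turn off routing of internal email” idea from the video description and transcript can be implemented as an Exchange Online mail flow (transport) rule. The script below is an added example, not the video author’s own configuration; it assumes the clinic runs Microsoft 365 with Exchange Online, and the tenant domain (contoso.com), the rule name, and the exception mailboxes are placeholders you would replace with your own.

```powershell
# Added example (not from the video): reject staff-to-staff email inside the
# tenant once staff-to-staff messaging has moved to Teams. contoso.com, the
# rule name and the exception mailboxes below are illustrative placeholders.
# Requires the ExchangeOnlineManagement module and an Exchange administrator.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Automated senders that still have to reach internal mailboxes (EHR alerts,
# helpdesk ticketing, scheduling). Keep this list short and review it; every
# entry is a path around the control, so these mailboxes should not be
# sign-in capable or should be locked down separately.
$internalSenders = @(
    "ehr-alerts@contoso.com",
    "helpdesk@contoso.com"
)

# FromScope/SentToScope InOrganization matches only mail that originates from
# an authenticated mailbox in this tenant and is addressed to one; external
# inbound mail is unaffected. Start in Audit mode so the rule only logs what
# it would have rejected; look at message trace for a few weeks to find the
# scanners, fax gateways and apps that relay through internal mailboxes.
New-TransportRule -Name "Block internal email (staff use Teams)" `
    -FromScope InOrganization `
    -SentToScope InOrganization `
    -ExceptIfFrom $internalSenders `
    -RejectMessageReasonText "Internal email is disabled at this practice. Use Teams for staff-to-staff messages." `
    -Mode Audit `
    -Priority 0

# When the audit period is clean, switch the same rule to enforcement:
# Set-TransportRule -Identity "Block internal email (staff use Teams)" -Mode Enforce

# Sanity check: confirm the rule exists, is enabled, and has the expected scope.
Get-TransportRule -Identity "Block internal email (staff use Teams)" |
    Format-List Name, State, Mode, FromScope, SentToScope, ExceptIfFrom
```

Two caveats a practitioner would want before relying on this. First, the rule only matches mail that actually originates inside the tenant; a phisher impersonating the CEO from a lookalike or spoofed external address is still delivered, so the control only works together with the staff rule the video states (any message that appears to come from a colleague is phishing) and with DMARC enforcement on the practice’s own domain so that spoofed copies of it are rejected. Second, Teams is only a closed ecosystem if you keep it closed: external access (federation) and guest invitations are an inbound path of their own and should be restricted in the Teams admin center at the same time.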