As cybersecurity threats continue to rise, healthcare organizations are under increasing pressure to prove they’re taking proactive steps to protect sensitive data. In this video, we explore the growing importance of the NIST Cybersecurity Framework and how it’s becoming a recognized standard not just for government agencies, but for any organization handling regulated health information.
You’ll learn why aligning with NIST is more than a best practice – it’s becoming a critical compliance measure tied to broader regulatory frameworks like HIPAA and FSMA. Whether you’re managing technology, compliance, or operations, understanding how to utilize NIST can help reduce risk, strengthen your security posture, and provide a clear path forward in an increasingly complex digital landscape.
Understanding NIST Compliance for Mid-Enterprise Medical Practices
Video Transcript
[0:00] Hey guys, back again at a new coffee shop. This one's called Moonflower, and they just opened up, I think, a week or two ago.

[0:15] Today I wanted to talk about NIST. As you can see on the screen here, NIST is a cybersecurity framework, or rather NIST has a cybersecurity framework. NIST stands for the National Institute of Standards and Technology, and it's a government agency that was created by an act of Congress. What's interesting about NIST is that all government agencies are required to actually be compliant with NIST, and if you're a mid-enterprise specialty practice, or any kind of mid-enterprise practice delivering medical services that is taking Medicare payments from CMS, then you are now also in this same space as a government agency, because you're bound by HIPAA, and HIPAA is bound by FSMA, which is an act from the early 2000s which is basically saying, if you want to get government money, then you can potentially have a civil suit from OCR, which is a division of CMS, which is part of HHS, if you do not comply with HIPAA.

[2:01] And so what's interesting about this is there's been a lot of debate about whether or not this is true, meaning do we need to be compliant with NIST CSF, and unfortunately there is an executive order, 13800, you can see it on the screen. That particular order, here we are at cisa.gov, which again is an FBI website, basically talks about what you have to do to avoid a civil penalty from the OCR, and basically this whole executive order is just simply stating that you need to be compliant with NIST CSF 2.0.

[2:49] So why is this a big deal? Well, it's a big deal because when CMS via OCR comes calling to talk to you about a potential breach of HIPAA, if you're NIST compliant already, they're basically just going to go away. They, they being OCR, know that there's no such thing as a 100% foolproof way to protect yourself against hackers, but if you're following NIST then that's good enough for them.

[3:36] So I just wanted to bring up to you that, hey look, indeed CMS is talking about NIST on their website. They want you to know what it is, and oh by the way, when they come calling they are going to ask you if you actually have your NIST compliance in place.

[4:06] So here's question number 23 from an OCR audit that we were helping a company get through, and you can see here in 23 it's asking for recognized security practices, and if you go down to F, it says section 2C15 is National Institute of Standards and Technology Act. Well, they're basically just saying in this question, do you have any documentation that says you're following NIST CSF 2.0? We've seen this now twice in the last 6 months in different audits.

[4:50] So I guess my advice to you as a medical practice would be to get compliant with NIST CSF 2.0, and the key points of NIST CSF 2.0 are all around security, and there's a ton of documentation on their website, which is nist.gov. These are the major pillars, the categories, and then there are subcategories of these, but if you align your security process around NIST and you do a proactive job of documenting how you're compliant month by month, when OCR comes a-calling you can give them the big old Heisman with your NIST documentation and you're off and running.

[5:50] The other thing that's interesting here is that cyber insurance policies are now asking for NIST, and so if you're an owner of a medical practice and you're worried about your insurance in case of a breach, NIST is going to get you through, or get you the best levels of insurance at the cheapest cost, and it's also going to protect you against civil suits. So really, aligning your practice with NIST is the way to go. Peace out.