Voluntary Federal Cybersecurity Framework Released
Key Takeaway: The National Institute of Standards and Technology (NIST) released a final version of a voluntary framework for reducing cybersecurity risks to critical infrastructure, which includes the healthcare sector.
Why it Matters: CIOs should review the framework and understand how it aligns with or distracts from their current strategy. Federal officials will soon begin work on a healthcare-sector-specific instantiation of the framework, and CHIME will play an active role in helping craft the final version with input from member experiences.
Developed in response to an executive order issued by the president last year, the voluntary framework consists of standards, guidelines and practices to promote the protection of critical infrastructure. The framework provides a common taxonomy and mechanism for organizations to:
- Describe their current cybersecurity posture;
- Describe their target state for cybersecurity;
- Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process;
- Assess progress toward the target state;
- Communicate among internal and external stakeholders about cybersecurity risk.
NIST will continue to update the document based on feedback from users, according to agency officials, who also announced an initiative with the Department of Homeland Security to work with certain sectors, including healthcare, to develop guidance on how to implement the framework.
CHIME submitted comments on the preliminary framework and encourages members to use the final framework in developing their risk reduction and management programs.
On Tuesday, February 18, CHIME and the AHA will host a members-only webinar on cybersecurity issues for hospitals. Registration is required for the webinar, which runs from 1 to 2 p.m. ET.
Legislation & Politics
Bill Would Limit FDA Regulatory Oversight of Mobile Software, Devices
Key Takeaway: Sens. Deb Fischer (R-Neb.) and Angus King (I-Maine) introduced the Preventing Regulatory Overreach to Enhance Care Technology (PROTECT) Act (S. 2007). The bill states that clinical software and health software will not be regulated by the FDA and are therefore exempt from the 2.3% device tax.
Why it Matters: The current regulatory approval process for medical devices and software cannot keep up with the rapid innovation cycles of this technology, yet the approval process cannot be changed without legislative action.