This week’s H-ISAC Hacking Healthcare:
Hot Links –
- New NIST Draft – NIST published a “second draft of the proposed update” to its Cybersecurity Framework last week. Your comments are due to NIST by January 19, 2018.
A quick history lesson — the original Framework was released in February 2014. In winter 2015 and spring 2016, NIST solicited feedback on the original version. In January of this year, NIST released a “first draft” of version 1.1.
This “second draft” incorporates comments submitted over the last year to that first draft.
The big changes are:
- The inclusion of a robust new category in the “Identify” function around Supply Chain Risk Management.
- New subcategories in Prevent-Access Control (PR.AC-6, 7) related to identity proofing and credential management, as well as device authentication.
- A new subcategory (PR.DS-8) in Prevent-Data Security for verifying hardware integrity.
- A new subcategory (PR.PT-5) in Prevent-Protective Technology that focuses on increasing system availability.
- A new subcategory (RS.AN-5) in Respond-Analysis that addresses vulnerability disclosure and management.
- A number of new reference standards, primarily from CIS and COBIT.
- A refocusing of section 4 as “Self-Assessing Cybersecurity Risk with the Framework” which “better emphasize[s] how organizations might use the Framework to measure their risk”, as Mike Barret of NIST has put it.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC.
Read the full blog below: Newsletter_H-ISAC_Public_121217