AHA Urges NIST To Make Cybersecurity Rules Flexible, Voluntary


Last week, the American Hospital Association sent a letter to the National Institute of Standards and Technology urging the agency to ensure that its cybersecurity framework remains flexible and voluntary within the health care industry's private sector, FierceHealthIT reports.

On Oct. 29, NIST opened a comment period on a proposed cybersecurity framework (Hall, FierceHealthIT, 12/13).

Background on NIST Data Encryption Standards

In September, former NSA employee Edward Snowden leaked private government documents that stated NIST's encryption standards contain a "back door," which allows NSA to decipher encrypted messages.

NIST's data encryption standards are used in electronic health care data security and exchange.

In November, NIST announced its processes for developing data encryption standards would undergo internal and independent formal reviews (iHealthBeat, 11/6).

Details of AHA Letter

The AHA letter was sent to Patrick Gallagher, under secretary of commerce for standards and technology at NIST (FierceHealthIT, 12/13).

According to the letter, AHA agrees with the five core functions of the proposed framework:

However, Linda Fishman -- senior vice president of public policy analysis and development at AHA -- wrote that the framework also should:

  • Consider how to reconcile disparate cybersecurity implementation standards;
  • Provide ample time for implementing changes; and
  • Include existing data security rules that are applicable to health care groups, such as HIPAA and the HITECH Act (AHA News, 12/11).

AHA also wrote that several entities that interact with hospitals should be involved in cybersecurity risk assessment and reduction activities, including:

  • Medical device companies;
  • Physician offices;
  • Insurers; and
  • Individual patients (FierceHealthIT, 12/13).
Mark Underwood
This was a helpful post. I volunteer in a different, public NIST-coordinated working subgroup for Big Data privacy and security. It's not part of the framework mentioned in this story, but it is helpful to have these AHA concerns highlighted as they also affect Big Data. (Disclaimer: I'm neither a NIST employee nor contractor, nor is this a statement of NIST official views in any way). More on the working group here: http://1.usa.gov/16kosCL.
