During a recent panel discussion, I shared that my team is moving toward using the Health Industry Cybersecurity Practices (HICP) as the foundational framework for our program in favor of the NIST Cybersecurity Framework (NIST CSF). I realized after the fact that this statement may have been received as more “edgy” than it was intended — or actually is.
The reality of the various competing cybersecurity frameworks is they all result in very similar outcomes when all is said and done. This is why almost every framework can include a “crosswalk” to all of the other frameworks. There are even frameworks that are intentionally just a collection of other frameworks. When it comes to HICP and NIST CSF, things are even less controversial. HICP is intentionally complementary to, rather than competitive with, NIST CSF.
NIST’s “dinner menu”
Perhaps as a result of being involved in a culinary program during my youth (or perhaps due to an unhealthy love affair with bacon), I tend to make food-based analogies. When I look at the NIST CSF framework, I can’t help but see a dinner menu. It lays out the courses for the meal (Identify, Protect, Detect, Respond, and Recover) and lists the dishes for each course in the form of categories. It goes on to describe the highlights and accoutrements for each dish through the use of sub-categories.
What a dinner menu does not do is tell you how to actually prepare that particular dish. NIST CSF is a framework of objectives more so than practices. This is in some ways the power of the NIST CSF framework: a focus on objectives allows for maximum flexibility, which is helpful when attempting to establish a framework that can be universal across a very broad range of critical infrastructure industries.
That flexibility can also introduce some challenges though. A trained chef can look at a description on a menu and approximate their own interpretation of the dish fairly readily, but the home cook may need some additional research and guidance before even knowing how to begin.
HICP: “More like a cookbook”
HICP, as the name would imply, is focused on practices. For me, it is more like a cookbook than a menu. It is a collection of recipes that will help you with how to actually prepare those cybersecurity dishes. Because it was written with NIST CSF and the needs of the healthcare industry in mind, it’s not just any cookbook with a random collection of recipes either. It’s like buying the cookbook from a great restaurant to learn how to make exactly those dishes you want (might I suggest the Le Bernardin Cookbook by Eric Ripert & Maguy Le Coze).
A common concern with practices-based frameworks is that they will be too prescriptive and won’t allow flexibility for the nuances of an organization. One thing I’ve learned over the years is that organizations (like people) are more alike than we are different. Still, anyone who has done a bit of cooking understands that recipes do not remove all flexibility (nor required skill to execute, or we’d all be Michelin Star chefs).
You need to select your own brand of flour and other ingredients, but you can also take liberties with the recipe to adjust for taste, allergies, etc. There is also no rule against deciding entire dishes just aren’t for you or adding a few of your own recipes to the meal. The same is true when implementing the practices found in HICP. The framework is very purposefully voluntary in nature.
Even professional chefs use recipes. This is to say that while the benefit of HICP is clear for smaller organizations that might be uncertain how to accomplish NIST CSF, there is value in the framework for organizations of all sizes and maturity levels. Am I suggesting every healthcare organization immediately drop NIST CSF as its core framework and pivot to HICP? No. For us it made sense due to a collision of factors: a move toward health system shared services, a transition to a Scaled Agile operating model, and a replacement of our GRC platform, all of which are flipping the apple cart, each contributed to our direction.
For organizations that are in the home cook period of their cyber journey, I certainly recommend looking at HICP to accelerate the learning curve. For well-established organizations with their own cookbooks, I’d point out that looking at other recipes can be a good source of both validation and inspiration.
Now, if we could only find the cyber equivalent of bacon. That magic ingredient you can add to any recipe to make it better.
This piece was written by Nate Couture, Network AVP of Information Security and CISO at The University of Vermont Health Network, following a recent panel discussion. More information regarding HICP can be found on the 405(d) website and by following HHS 405(d) – Aligning Health Care Industry Security Approaches.