Healthcare organizations understand they need to improve their cybersecurity and risk management processes – but most struggle to establish a consistent approach to these challenges.
That is why industry experts promote the NIST cybersecurity framework (CSF) as an essential tool for healthcare organizations. With robust guidance across five key “functions,” it provides leaders with everything they need to deliver best-in-class security.
This article explores what the framework involves and outlines its benefits and challenges. Expect to learn:
- How the NIST CSF has evolved over the last decade
- What the framework involves and how to use it for your organization
- Why adopting the framework leads to 66% lower insurance premium increases
A Brief History of the NIST Cybersecurity Framework (CSF)
What is the NIST CSF?
The NIST cybersecurity framework (CSF) is a set of voluntary guidelines and cybersecurity best practices for all industries and organization types. It was created and is maintained by the National Institute of Standards and Technology (NIST) and consists of five key functions: identify, protect, detect, respond, and recover.
Why Was the CSF Created?
NIST first created the framework in response to an executive order from the Obama White House in 2013. The order outlined several objectives:
- Identify security standards and guidelines applicable across sectors of critical infrastructure
- Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach to cybersecurity
- Help owners and operators of critical infrastructure identify, assess, and manage cyber risk
- Enable technical innovation and account for organizational differences
- Provide guidance that is technology-neutral and enables critical infrastructure sectors to benefit from a competitive market for products and services
- Include guidance for measuring the performance of implementing the Cybersecurity Framework
- Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations
This led to a year-long development process, culminating in the release of the NIST CSF 1.0 on February 12, 2014.
Who is the Framework for?
The framework was originally designed to support industries within which poor cybersecurity posed a serious risk to the public, such as healthcare, utilities, and manufacturing. It was initially called the NIST Framework for Improving Critical Infrastructure Cybersecurity for that reason.
However, it soon became clear the framework could provide vital assistance to a broader range of organizations, and NIST expanded its remit to allow the CSF to be used by organizations of all sizes, across sectors. One study found that 30% of all American organizations had adopted the framework within a year of its publication.
How Has the Framework Evolved?
Cybersecurity is a constantly evolving field, adapting to the launch of new technologies as well as changing criminal strategies. The NIST CSF has been updated twice:
- NIST CSF 1.1: Published in 2018 to refine the original framework, including more guidance on identity management and supply chain security
- NIST CSF 2.0: A more comprehensive overhaul of the framework released in 2024. It added a “Govern” function, expanded the core functions, and offered extra guidance on cybersecurity governance and continuous improvement practices.
Components of the NIST Cybersecurity Framework
The NIST CSF is complex and multidimensional, but there are a few core components healthcare leaders should understand:
Risk-Based Cybersecurity
The CSF takes what it calls a “risk-based” approach to cybersecurity. In practice, this means it does not offer a single, comprehensive set of prescriptions; instead, it provides guidance to help organizations assess, prioritize, and proactively manage risk based on their unique environment, requirements, business objectives, and risk tolerance.
This is important because it allows organizations a level of flexibility many official frameworks lack. Security teams can customize their use of the framework to match factors like budget and resources – enabling a more nuanced set of “adoption tiers.”
The CSF Adoption Tiers
NIST measures organizations’ adherence to the framework using four adoption tiers or “maturity levels”:
- Partial: Risk management processes are reactive, unstructured, and fragmented. There is limited or non-existent process integration or communication with external stakeholders about cybersecurity.
- Risk-Informed: Risk management is informed by organizational risk objectives, but the processes, integration, and stakeholder communication are still inconsistent or limited.
- Repeatable: Risk management processes are established and consistent across the organization. The organization uses these processes to monitor and respond to threats.
- Adaptive: Cybersecurity processes are deeply embedded within the organization. The program is continuously improved, and stakeholders are collaborative partners in identifying and resolving threats.
The Five Key Functions of NIST CSF
The framework offers prescriptive guidance across five key areas:
The “Identify” Function
The framework provides guidance to establish a comprehensive view of cybersecurity risks and how they may affect operations. This involves:
- Auditing the business environment and existing cybersecurity policies
- Assessing cybersecurity risks and organizational vulnerabilities
- Mapping out roles and responsibilities within the organization
- Introducing a risk management framework
These steps are essential for healthcare organizations of all sizes:
- Enterprise organizations: The scale and complexity of IT systems and vendor networks mean cyberthreats are often hidden or overlooked. Equally, the true impact of an attack that spreads through a network can have staggering costs, as evidenced during the Change Healthcare attack.
- SMBs: Many organizations lack comprehensive risk management policies and procedures, and many do not even have individuals within the organization who are officially responsible for cybersecurity.
The “Protect” Function
The CSF offers extensive support to help organizations introduce cybersecurity safeguards such as:
- Access controls (e.g., authentication and authorization)
- Protective technologies (e.g., firewalls and encryption)
- Employee training and awareness programs
- Effective data security policies
These are intended to establish more robust protections against potential cyberattacks. There is also extensive crossover with the safeguards outlined in the HIPAA Security Rule, which means the protect function helps healthcare organizations significantly improve their compliance programs.
The “Detect” Function
Many cyberattacks are not immediately obvious; the recent Ascension attack was initially reported as “unusual activity” before being revealed to be a ransomware hit that would destabilize the network for 36 days.
The detect function helps organizations identify cybersecurity events as early as possible and respond faster. This is achieved through continuous monitoring, supported by tools such as intrusion detection systems, security information and event management (SIEM) platforms, and log analysis.
The “Respond” Function
Given the potential patient harm a healthcare cybersecurity incident can cause, it is vital that organizations can contain and mitigate attacks. Yet 37% of healthcare organizations do not have a cybersecurity contingency plan in place.
The “respond” function provides essential guidance to fix this problem and help organizations create:
- Incident response plans
- Policies and official pathways for communicating with stakeholders during an incident
- Post-event analysis to prevent future attacks
This ensures a quick and robust response that helps to mitigate the full impact of cyberattacks.
The “Recover” Function
The period after a cyberattack is often as damaging for healthcare organizations as the incident itself. Staff may be forced to revert to taking medical notes with pen and paper, lacking access to their electronic health records (EHRs), which significantly impacts patient care.
The “recover” function aims to ensure organizations can return to normal operations as fast as possible after a cyberattack. This involves developing recovery and contingency plans, as well as creating communication protocols to help rebuild stakeholder confidence.
Should You Adopt the NIST CSF?
Despite its popularity amongst industry cybersecurity experts, just 44% of healthcare organizations currently meet the standards laid out in the NIST CSF. But does that mean your organization is safe to ignore the framework – or are you putting your patients, reputation, and bottom line at risk?
Four Benefits of the NIST Framework for Healthcare Organizations
Explore some of the common benefits, including:
Reduce Cybersecurity Risk
Adopting the CSF reliably improves healthcare organizations’ cybersecurity posture and decreases the likelihood they will experience an attack or data breach. Because the framework is voluntary, it goes into far greater depth than HIPAA, helping to identify blind spots that simple regulatory compliance efforts may overlook.
Shared Language
Many healthcare organizations struggle to communicate about cyber risk. If the organization is large with multiple sub-entities, it can feel impossible to deliver consistently across all areas of the business. For smaller organizations, there is often a lack of knowledge about cybersecurity terminology or best practices.
The CSF provides a shared language and set of concepts that enable better communication both within security teams and toward the C-Suite. This leads to more efficient, effective programs, as well as helping to get executive buy-in for key cybersecurity programs.
Lower Insurance Premiums
The cost of insurance premiums is a persistent issue for healthcare organizations, but adopting the NIST CSF has proven to lower these increases by 66%. More robust cybersecurity therefore literally pays, prompting the question: why would any healthcare organization choose not to adopt NIST?
Adopt the NIST CSF with Intraprise Health
Despite its clear benefits, many healthcare organizations put off adopting the NIST CSF due to:
- Lack of awareness: Many organizations are simply unaware of the framework or overlook some of its benefits.
- Resource constraints: Healthcare security teams have limited personnel, time, and/or budgets, making a “voluntary” framework feel unnecessary.
- Complexity: Many organizations fear the framework is too complex or the level of assessments involved will be too burdensome to manage.
Intraprise Health helps you overcome all these barriers, providing cutting-edge technology and expert services designed to make adopting the NIST CSF easy. You can quickly assess your maturity level, determine an ideal path to adoption, and gain extensive support to put the framework at the heart of your cybersecurity and risk management programs.
Want to learn how our NIST experts could help protect your patients, reputation, and bottom line?