Back to BlogUsing the NIST CSF to Support GDPR and HIPAA Compliance
Cybersecurity and regulatory compliance have become inextricably linked. GDPR and HIPAA mandate the protection of electronic data and customer notification in the case of a breach. If your organization falls under these rules, you know very well the serious consequences of falling out of compliance.
GDPR, the European Union’s General Data Protection Regulation, includes penalties for non-compliance that can reach 4% of a company’s global revenue. Violations of the US Health Insurance Portability and Accountability Act (HIPAA) can result in civil fines and criminal penalties including imprisonment.
While the rules outline the types of information that must be protected, they don’t specify exactly how. In fact, HIPAA states that companies “may use any security measures that allow (them) to reasonably and appropriately implement the standards and implementation specifications.” The stakes are high, but you have to fill in the details. One way to do that is with the Blumira SIEM (security information and event management solution).
A security framework for compliance
You may feel like you’ve already got a lot of acronyms weighing you down, but NIST CSF is actually here to help. Originally developed by the US government to address cybersecurity risk in critical infrastructure, the National Institute of Standards and Technology Cybersecurity Framework has been adopted by private sector companies and organizations worldwide.
The NIST framework is popular for a number of reasons. It was developed with the input of global experts and provides a comprehensive guide for cybersecurity planning and implementation. The framework and an extensive library of resources is available for free; users can adapt it to suit their specific needs.
At the core of the NIST framework are five pillars: Identify, Protect, Detect, Respond, and Recover. Users drill down to categories and sub-categories within each pillar to structure a cybersecurity plan that meets their current and future business needs.
How the NIST framework works for compliance
Where cybersecurity intersects with compliance, you have the opportunity to check off two objectives at once. Here are some ways GDPR and HIPAA can be addressed within the NIST framework:
Identify. This pillar provides 28 items in six categories that an organization can use as a checklist for identifying potential areas of risk. Some of them specifically address compliance. This includes understanding and managing legal and regulatory requirements regarding cybersecurity, privacy, and civil liberties obligations. The identify pillar also highlights the importance of assessing and auditing suppliers to confirm they are meeting their contractual obligations.
Protect. It makes sense why regulators tell you what you have to protect, but not how to do it. On the one hand, new defensive technologies continue to be developed. On the other hand, attackers are persistent and increasingly sophisticated. The protect section of the NIST framework includes actions like access controls; user awareness and training; and measures to enhance data security and protect sensitive information.
Detect. From a compliance standpoint, the detect pillar is a link between protection and response. Faster detection usually means faster containment, limiting data exposure. Both GDPR and HIPAA include the potential for hefty fines. They also mandate timely reporting and disclosure when an incident occurs. You can establish a solid detection protocol using the NIST framework, and support it with the Blumira SIEM.
Respond. NIST includes a list of processes and procedures for responding to a cybersecurity incident. As you work through the framework, it helps businesses identify the categories that align with GDPR or HIPAA requirements. Reports available from Blumira SIEM can help you assess the extent of a detected attack so you can develop meaningful communications to customers, regulators, and stakeholders.
Recover. The NIST framework outlines steps for a post-incident recovery plan. This is a piece regulators will expect you to have in place so you’re able to quickly restore customer access to important personal or health information.
The NIST framework isn’t a law, mandate, or compliance standard. It’s been developed to offer best practices for holistic cybersecurity planning. Because it’s so comprehensive, it can seem daunting. In fact, it was designed to be flexible for use by any kind of business or organization. Part of NIST CSF implementation is the development of profiles—a current profile that documents existing cybersecurity outcomes, and a target profile that outlines what you plan to achieve. Blumira SIEM is a threat detection and response solution that small and mid-sized organizations are using to reach their target.
Healthcare companies rely on Blumira
Recently we spoke to a healthcare company that switched their SIEM to Blumira. The reliability of their previous solution had declined after being acquired by a larger company, and it became too cumbersome to get support when it was needed. The company’s small in-house IT team was able to set up Blumira, integrate with their current tech stack, and start seeing value immediately.
The company provides insurance services, and therefore is considered a healthcare vendor. That means they not only need to comply with HIPAA themselves, the companies they serve regularly come to them for security audits as part of their own compliance schedules. Blumira makes it easy for the company to quickly provide the reports they need.
You can read this healthcare case study, along with quotes from their CISO, on the Blumira blog.
Compliance continues to evolve
Regulations will continue to evolve, so companies need to take an adaptable approach to compliance. You can use the NIST framework to implement controls that address a full spectrum of cybersecurity principles. You can also use the framework to regularly review and fine-tune protocols in order to establish a compliance program that benefits security and the bottom line.
Blumira experts will help you get the most out of your SIEM and make sure it’s supporting your compliance requirements. Contact us today for a demo and to learn more about how our platform can support your business.
This is part of a series of five articles that can help your business adopt NIST CSF for cybersecurity and compliance planning.