Washington Debrief – NIST Cybersecurity Framework RFI released

Dec. 14, 2015
The National Institute of Standards and Technology (NIST) released a request for information (RFI) concerning the “Framework for Improving Critical Infrastructure Cybersecurity.”

NIST Requests Feedback on Implementation, Value of Cybersecurity Framework

Key Takeaway: The National Institute of Standards and Technology (NIST) released a request for information (RFI) concerning the “Framework for Improving Critical Infrastructure Cybersecurity.”

Why It Matters: The first version of the NIST Cybersecurity Framework was released in February of 2014 as a result of an Executive Order focused on improving the cybersecurity of the nation’s critical infrastructure sectors. NIST is seeking input on possible ways the Framework should be updated.

The Framework consists of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. In the RFI released last week, NIST requests information about the variety of ways in which the Framework is being used to improve cybersecurity risk management, how best practices for using the Framework are being shared, the relative value of different parts of the Framework, the possible need for an update of the Framework, and options for the long-term governance of the Framework.

CHIME submitted comments to the framework in late 2013 and will again prepare a response to the RFI. Comments are due February 9, 2016.

Leslie Kriegstein

ONC Released Corrections, Clarifications for 2015 Edition CERT

Key Takeaway: Last week, the Office of the National Coordinator (ONC) released revisions and clarifications to the final 2015 Edition Health IT Certification Criteria, which were released on October 16, 2015, along with the Meaningful Use Stage 3 Final Rule with comment.

Why It Matters: The health information technology that is certified to the 2015 Edition Health Information Technology (Health IT) Certification Criteria will be necessary for compliance with Stage 3 of the EHR Incentive Program or Meaningful Use.

The document released by ONC last week corrects errors and clarifies provisions of the 2015 Certification final rule, including additional guidance for the industry resulting from early stakeholder input on the Common Clinical Data Set (CCDS), Privacy and Security Certification Requirements, and Mandatory Disclosures for the 2015 Edition Certification.

Senator Highlights Need for Unique Patient Identifier

Key Takeaway: A key senator recognizes the need to be able to identify patients with their electronic health information.

Why It Matters: Senator Bill Cassidy (R-LA), a physician and member of both the Senate Committee on Health, Education, Labor & Pensions (HELP) and the Senate Committee on Appropriations, highlighted the current lack of a patient identification strategy during an event at the Bipartisan Policy Center last week.

Senator Cassidy acknowledged the concerns of the privacy community, but said he is working toward a solution that can enhance patient privacy rather than cause angst.

Senator Cassidy shared these sentiments during a HELP Committee hearing on September 16, when he acknowledged a patient identifier as a critical component of data sharing, suggesting a voluntary program like the U.S. Customs and Border Patrol's Global Entry program.

Senator Elizabeth Warren (D-MA), also a member of the Senate HELP Committee, offered her thoughts on the need to be able to identify patients as a matter of patient safety. During the June 10th HELP Committee hearing, Senator Warren shared a 2012 CHIME study outlining the adverse events CIOs could trace to patient mismatches.