Changes are Coming for the NIST Cybersecurity Framework: What Do They Mean for Healthcare and How Can You Prepare for Compliance?

For nearly a decade, the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF)has been the gold standard for developing and managing cybersecurity programs, and as the threat landscape evolves and becomes increasingly complex, the framework is evolving with it.

If you’re new to NIST and the NIST CSF, start here for an overview of how the NIST Cybersecurity Framework helps healthcare organizations.

The NIST Cybersecurity Framework refers to core functions, categories (think of these as control families), and subcategories (controls.) You can take a phased approach to implement these core functions, categories, and subcategories, beginning at partial implementation and progressing in program maturity to risk-informed, repeatable, and adaptive stages.

The NIST CSF has undergone a year-long review to update the cybersecurity best practices. Those pending changes, currently still in review, will have a direct impact on healthcare.


As threat actors increasingly target healthcare more than any other industry, it’s critical that organizations implement security programs to minimize the impact of destructive cyberattacks. Adopting the NIST CSF can help your organization advance its information security strategies while achieving and maintaining operational and cyber resilience. As such, it’s important to understand what framework changes may be coming and why the NIST CSF is evolving.

NIST CSF 1.0 was released in 2014 and updated to version 1.1 in 2018. This is the current version of the framework; however, in February 2022, NIST issued a request for information (RFI) to improve framework effectiveness, including more direction on how to manage supply chain risk. After studying responses and analyzing RFI results, in April 2023, NIST released a core draft of version 2.0, opening up additional public comments to further improve the framework structure. A final version is anticipated in early 2024.

While the changes are still in progress, the reality is that the NIST CSF should be a critical part of all healthcare organizations’ critical infrastructure protections. It enables all organizations to discuss cybersecurity risks and adopt reasonable and appropriate safeguards to protect systems and data.

So, what can you do now to prepare for these changes? Think about these changes as an opportunity to evaluate and improve your organization’s comprehensive security strategy—one you can achieve by developing a new target profile based on the NIST CSF 2.0

First, you should understand how NIST CSF 2.0 differs from NIST CSF 1.1. From there, you can evaluate your current security profile and evaluate it against your target for NIST CSF 2.0 compliance. Remember that to do this, you’ll need new evaluation criteria based on 2.0 to determine your current program effectiveness so you can advance your organization’s information security program while continuing to achieve and maintain resilience. To do that, you will need to:

  • Know your adversary
  • Assess your program
  • Determine organization risk, taking into account:
    • Threat events and sources
    • Threat source characteristics
      • Capability
      • Intent
      • Targeting
    • Relevance and likelihood of attack initiation
    • Vulnerabilities and predisposing conditions
    • Overall likelihood of an attack
    • Overall impact
    • Risk

From v1.1 to 2.0

Based on the latest draft version, one of the biggest changes to the framework will be increasing its current five functions (identify, protect, detect, respond, and recover) to six, with the addition of govern as the first function.

There are also three new categories included in the NIST CSF 2.0: organizational context (govern), platform security (protect), and technology infrastructure resilience (protect).

Adding the govern function into NIST CSF 2.0 is an important part of cybersecurity maturity because governance refers to your ability to determine if you are implementing proper risk management, which includes establishing a risk threshold and understanding and addressing your risk based on that parameter, including building executive-level support to achieve your security goals.

What might the new framework look like for your organization? Here’s a closer look at the six core functions, highlighting some of the key areas healthcare organizations should focus on:

1. Govern: Establish and monitor the organization’s risk management strategy, expectations, and policy. This function aligns the business mission with cybersecurity goals and objectives.

By understanding cyber risk as it aligns with business objectives, you can better prioritize risk management, effectively document your strategies, and integrate cybersecurity into your overall enterprise-wide risk management program, complete with communication across your entire organization to ensure everyone clearly understands your strategic objectives, why they’re important, and the role each person plays in resiliency. This includes insight and planning into:

  • Organizational context
  • Risk management strategy
  • Roles and responsibilities (This is more than program ownership. It also includes organizational leadership and their roles in accepting responsibility for cybersecurity and business risk decisions. By conducting a business impact analysis as part of developing your cybersecurity strategy, you’ll be better positioned to ensure your executives and key stakeholders understand what risk is and what it means to mitigate, accept, or reject it, and clearly define roles and responsibilities based on those risk decisions).
  • Policies and procedures (Not just for your staff, but also your supply chain. Do your third-party vendors understand your security policy, expectations, and requirements? Are they compliant?)

2. Identify: Determine current cybersecurity risk to your organization. Do you understand everything you must protect (assets, data, systems, services)? Where are they? Do you have appropriate safeguards to manage them through their entire lifecycle? This includes:

  • Asset management
  • Risk assessment
  • Supply chain risk management
  • Program improvements and continuous evaluation for your organization and across your supply chain

3. Protect: Use safeguards to sufficiently mitigate and reduce cybersecurity risk, including:

  • Identity management, authentication, and access control
  • Awareness and training
  • Data security
  • Protective technology
  • Platform security (ensuring it’s synchronized with your organizational risk strategy)
  • Technology infrastructure resilience

4. Detect: Find and analyze possible cybersecurity attacks and compromises. This is where contextual information like cyber threat Intelligence and industry security advisories are integrated into your adverse event analysis, going beyond just alerting and establishing plans on alert response and actions to include:

  • Adverse event analysis (Which alerts need immediate attention, and what do you do? How is response integrated into your overall risk management strategies? Do you have a playbook and processes?)
  • Continuous monitoring for your environment and across your supply chain (ensuring third-party vendors implement continuous monitoring and routinely update risk management strategies to keep pace with changing threat landscape)

5. Respond: Take action regarding a detected cybersecurity incident. Other than category name changes, little has changed here from version 1.1 to 2.0, including:

  • Incident management
  • Incident analysis
  • Incident response reporting and communication
  • Incident mitigation

6. Recover: Restore assets and operations impacted by a cybersecurity incident. This is especially important with the increase of ransomware attacks on healthcare. Can you recover systems and or data to return to business as usual? This is more than just doing backups, it extends into ensuring both asset and data integrity, including:

  • Incident recovery plan execution
  • Incident recovery communication

Next Steps

NIST is targeting early 2024 for the release of NIST CSF 2.0. Some organizations may struggle to adapt to these changes, especially once an official implementation date is released. While that may still be a good distance away, it’s important to think about what you can do today to facilitate compliance and decrease some of the many stressors that can accompany changes like these. With proper planning and understanding of how NIST CSF 2.0 changes will affect your organization, you can build an effective strategy to ease this transition.

Find a partner. Clearwater’s cybersecurity and compliance experts bring your organization decades of expertise in healthcare, the industry’s most expansive breadth of services, and a technology-first approach to help you work efficiently and leverage lessons learned cycle to cycle. The Clearwater team can help you:

  • Establish your current security and compliance profile
  • Conduct an effective business impact analysis and risk analysis
  • Identify gaps, vulnerabilities, and other security issues in your existing programs
  • Develop a strategy, timeline, and roadmap for compliance
  • Create communication, education, and training plans to build cybersecurity into the way your organization operates
  • Align your cybersecurity and compliance strategies with business goals and objectives to ensure executive and key stakeholder support and oversight
  • Use new evaluation criteria to determine program conformance and effectiveness

Need some help? Let’s get started.


Sign up to receive our monthly newsletter featuring resources curated specifically to your concerns.

Related Blogs

With Us