NIST Releases Cybersecurity Framework 2.0

by Lucas Baiocchi 

Cybersecurity is poised for a significant evolution with the release of the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0 (CSF 2.0).  

The healthcare sector, rich with sensitive data, has emerged as a prime target for cyber threats. Despite this, cybersecurity often takes a back seat to immediate patient care tasks.  

Unlike its predecessor, CSF 2.0 delves deeper into how healthcare entities can implement measures to safeguard their data. This new framework provides adaptable, risk-focused standards that can be applied across diverse healthcare environments. CSF 2.0 emphasizes the importance of informed decision-making tailored to each organization's unique circumstances.  

In this article, we'll explore CSF 2.0 specifically within the healthcare sector. 

CSF 2.0: Key Improvements and Innovations  

A key update to CSF 2.0 is the change in audience from critical infrastructure to include all organizations. 

Another key update brings Governance into focus as a new pillar along with the traditional pillars of Identify, Protect, Detect, Respond, and Recover.  

Governance includes the Category Cybersecurity Supply Chain Risk Management (GV.SC) acknowledging an increasing reliance on vendors, systems, and suppliers and the need to mitigate vulnerabilities introduced by these third parties.  

Protect includes important updates to the Category Identity Management, Authentication, and Access Control (PR.AA) to recognize the importance of reducing risk by limiting access. “Access to physical and logical assets is limited to authorized users, services, and hardware, and is managed commensurate with the assessed risk of unauthorized access”  

One of the biggest changes is the inclusion of Implementation Examples for every category. Rather than guessing at how to interpret NIST language, you now have explicit information on how to operationalize each category. 

For example, “GV.SC-04: Suppliers are known and prioritized by criticality” now includes Implement Examples: 

  • “Ex1: Develop criteria for supplier criticality based on, for example, the sensitivity of data processed or possessed by suppliers, the degree of access to the organization's systems, and the importance of the products or services to the organization's mission. 
  • “Ex2: Keep a record of all suppliers, and prioritize suppliers based on the criticality criteria.” 

Boom. You now have two actionable items. The first is to develop criteria for supplier criticality using the parameters in Ex1. The second is to create a record of all of your suppliers and assign the critically to each supplier per Ex2.  

In a surprise move, NIST is also providing a number of tools to assist in the implementation of CSF 2.0 including profiles, quick start guides, and informative references. 

Healthcare entities are encouraged to assess their cybersecurity posture against the NIST CSF 2.0 Framework to identify areas for improvement. You are probably groaning and thinking you don’t have time to deal with yet another government framework. 

Not to worry. Meditology has been studying CSF 2.0 for several months and we are ready to conduct risk assessments using the new framework. We can take all of the hard work out of adapting CSF 2.0. 

Our risk assessment solutions include: 

  • Security Risk Assessments (SRA) using industry standards (e.g., NIST CSF, NIST 800-53, etc.) 
  • SRA combined with HITRUST or SOC 2 
  • Due Diligence and Mergers and Acquisitions Assessments 
  • Privacy Risk Assessments 
  • Risk management program and strategy development (e.g., ongoing monitoring of risk, risk metrics, etc.) 

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

CORL, our sister company, has been studying the new supply chain category and is ready to assist you with mitigating third party risks. CORL offers a service-centered solution that combines technology and services to revolutionize TPRM models for providers and vendors. The best part? CORL’s service-centered approach can be customized to suit your specific objectives and realities. 

TPRM services powered by CORL, our sister company include: 

  • Vendor response validation 
  • Vendor risk measurement and reporting 
  • Third-party incident response 
  • TPRM managed services 


Lucas Baiocchi, HCISPP, CCSFP| Manager, IT Risk Management  

Lucas is a seasoned information security, governance, and risk management leader at Meditology Services. While working as a Manager for Meditology, he has found a specialization in building and implementing risk management functions for entities from start-up to national enterprise. Working with Meditology for the past 6 years, he has found himself deeply involved in NIST CSF, NIST 800-53, HITRUST, HIPAA, Promoting Interoperability, and CEHRT attestation while currently holding a HealthCare Information Security and Privacy Practitioner (HCISPP) and Certified CSF Practitioner (CCSFP) certification. With a lifelong passion for artificial intelligence, cryptographic technologies, and advanced malware threats, he finds meaning in ensuring his clients have the most comprehensive yet feasible information security controls against the ever-changing threat landscape and regulatory environment. 

Most Recent Posts
Global IT Outage Impacts Healthcare: What Happened? Read More
Why Cybersecurity Checks are a Must Before Acquiring or Merging with Another Hospital Read More
URGENT SECURITY ALERT: MOVEit Vulnerability Identified Read More