1 of 22

Building an Information

Assurance Strategy

for Sinai Chicago

NIST CSF | Regulatory Compliance | AI Governance | Risk Management

Daniza Neri · INFM 208 · June 2026

2 of 22

SECTION 1 · REGULATORY LANDSCAPE

Why NIST Compliance Matters at Sinai Chicago

01

SAFETY-NET HOSPITAL RISK PROFILE

100,000+ patients annually; life-critical services at stake [1]

02

REGULATORY CONVERGENCE

HIPAA, HITECH, and Illinois PIPA overlap and compound

03

RISING HEALTHCARE THREAT LANDSCAPE

93% increase in large breaches, 2018–2022 (HHS) [3]

3 of 22

HIPAA Security & Privacy Rules

Covered entity status: 8 facilities, 100,000+ patients and families served annually, generating ePHI at scale. [1]

IMPACTED AREA

RISK IF NON-COMPLIANT

EHR & clinical data (Epic)

OCR investigation, penalties up to $1.9M/yr

Medical device connectivity

Unencrypted PHI transmission violation

Business Associate Agreements

Shared liability for vendor breach

SECTION 1: REGULATORY 1 of 3

4 of 22

HITECH Act

Strengthens HIPAA enforcement and breach notification requirements.

SECTION 1: REGULATORY 2 of 3

BREACH NOTIFICATION

60-day window to notify HHS and patients

INCREASED PENALTIES

Fines up to $50,000 per violation

VENDOR ACCOUNTABILITY

Business associates directly liable

5 of 22

Illinois Personal Information Protection Act

Governs personal information (PII) beyond the scope of HIPAA, including employee, billing, and community data.

ELEMENT

REQUIREMENT

SINAI IMPACT

Scope

Illinois residents' PII beyond PHI

Employee SSNs, payroll data

Notification

Most expedient time possible

Always-ready breach response

Security standard

Reasonable security measures

Aligns with NIST CSF

Biometric data

Governed separately under BIPA

Time-tracking systems in scope

SECTION 1: REGULATORY 3 of 3

6 of 22

Mission-Critical Assets & Services

SECTION 2: NIST CSF APPLICATION

CLINICAL SYSTEMS

  • Epic EHR
  • PACS
  • Lab systems

Patient safety

MEDICAL DEVICES

  • Infusion pumps
  • Ventilators
  • Monitors

Life-critical

NETWORK INFRASTRUCTURE

  • Clinical Wi-Fi
  • VPN
  • Cloud services

Availability

WORKFORCE & ACCESS

  • Large staff credential footprint
  • MFA

Insider threat

COMMUNITY SERVICES

  • FQHC data
  • Revenue cycle

Financial/PIPA

7 of 22

Identify

Strategic benefit: Full visibility across medical devices, clinical systems, and vendor technologies.

SECTION 2: NIST CSF

CURRENT STATE

Unknown networked medical devices

Incomplete asset inventory

FUTURE STATE

Enterprise device inventory program

Automated real-time asset discovery

8 of 22

Protect

Strategic benefit: Reduces attack surface by retiring legacy systems and enforcing identity verification.

SECTION 2: NIST CSF

CURRENT STATE

Legacy medical device operating systems

Inconsistent MFA enforcement

FUTURE STATE

FDA-aligned technology lifecycle plan

Zero-trust segmentation + MFA rollout

9 of 22

Detect

Strategic benefit: Shifts Sinai from reactive breach response to proactive threat detection.

SECTION 2: NIST CSF

CURRENT STATE

Credential attacks going undetected

No behavioral baseline for anomalies

FUTURE STATE

AI-assisted behavioral monitoring (UEBA)

Automated alerts for anomalous access

10 of 22

Respond

Strategic benefit: Faster coordinated response that protects patient care during cyber incidents.

SECTION 2: NIST CSF

CURRENT STATE

Limited clinical leadership in incident response

Incident plan untested with clinical scenarios

FUTURE STATE

Cyber Incident Clinical Leadership Committee

Quarterly tabletop exercises

11 of 22

Recover

Strategic benefit: Measurable recovery targets that reduce downtime and strengthen resilience.

SECTION 2: NIST CSF

CURRENT STATE

No tested disaster recovery timeline

Vendor recovery gaps in business continuity planning

FUTURE STATE

Quarterly DR exercises with defined RTOs/RPOs

Contractual vendor SLA enforcement

12 of 22

Asset Protection Across NIST CSF

ASSET

IDENTIFY

PROTECT

DETECT

RESPOND

RECOVER

Epic EHR

Asset inventory

MFA + RBAC

UEBA

CICLC

RTO < 4hr

Medical devices

Inventory

Segmentation

Anomaly alerts

Isolation

Manual fallback

Clinical network

Asset map

Zero trust

IDS/IPS

Containment

Redundancy

Staff credentials

IAM audit

MFA enforcement

Behavioral monitoring

Disable & notify

Re-provision

Revenue cycle

Data map

Encryption

DLP alerts

Breach notify

PIPA notification

SECTION 2: ASSET TO CSF MAP

13 of 22

NIST CSF Maturity Roadmap

SECTION 2: MATURITY ROADMAP

Scale (1–4) reflects NIST CSF 2.0 Implementation Tiers: Partial, Risk-Informed, Repeatable, Adaptive. [8]

Strategic benefit: Prioritizes investments where maturity gaps create the greatest organizational risk.

14 of 22

Five Immediate Security Policies

1

MEDICAL DEVICE SECURITY

Segmentation & Vendor Accountability

IDENTITY & ACCESS MANAGEMENT

MFA & Least-Privilege Access & Quarterly Review

3

INCIDENT RESPONSE & BREACH NOTIFICATION

CICLC Activation & Code Downtime Testing

04

AI GOVERNANCE & ACCEPTABLE USE

BAA & Bias Assessment before Deployment

05

VENDOR RISK MANAGEMENT

SOC 2 Type II & Annual Vendor Review

SECTION 3: SECURITY POLICY

2

3

4

5

15 of 22

AI-Enhanced Security Operations

ANOMALY DETECTION (UEBA)

COMPLIANCE MONITORING

SECTION 3: AI IN SECURITY OPERATIONS

INCIDENT TRIAGE AUTOMATION

PREDICTIVE VULNERABILITY SCORING

3

  • Focuses remediation resources on vulnerabilities with the highest organizational risk
  • Prioritizes high-impact systems over lower-risk administrative assets

Priority 2: Future Enhancement

Priority 1: Immediate Implementation

  • Reduces unauthorized PHI access risk through early identification of unusual behavior
  • Improves threat detection across Epic and clinical systems without disrupting workflows
  • Automates audit log review against HIPAA Security Rule requirements, reducing manual reporting effort
  • Improves documentation consistency and readiness for Office for Civil Rights reviews
  • Reduces alert fatigue by classifying and routing events by risk level
  • Accelerates investigation response times for the security team

Strategic benefit: Extends security team capacity through automation while maintaining human oversight.

16 of 22

AI Governance: Ethics, Risk & Frameworks

SECTION 3: AI GOVERNANCE & ETHICS

ACTION

GOVERN UNDER

Algorithmic Bias

NIST AI RMF

Transparency Gap

EU AI Act

Data Governance

NIST AI RMF

Operational Reliability

NIST AI RMF

Govern AI systems using recognized frameworks before deployment into clinical, operational, or security workflows

17 of 22

SECTION 4: RISK ASSESSMENT

Risk Assessment Methodology

RISK ASSESSMENT

  1. Scope & Asset Inventory
  2. Healthcare Threat Identification
  3. Vulnerability Analysis
  4. Patient Safety & Operational Impact Scoring
  5. Risk Prioritization & Treatment Planning

RISK REGISTER OUTPUT

  • Risk Description
  • Impact & Likelihood
  • Assigned Risk Owner
  • Mitigation Strategy
  • Treatment Decision

PRIORITIZED REMEDIATION ROADMAP

  • Resource Allocation
  • Budget Prioritization
  • Implementation Timeline

18 of 22

Gap Analysis & Strategic Priorities

GAP

IMPACT

PRIORITY

Medical Device Inventory

Patient Safety

Immediate

Disaster Recovery Testing

Clinical Continuity

Q3 2026

Vendor Risk Management

Regulatory & Third-Party Risk

Q3 2026

AI-assisted Monitoring

Threat Detection

Q4 2026

AI Governance & Acceptable Use

AI Risk Management

Year 1

12-month investment: $295K–$440K | Average healthcare breach cost: $7.42M [9]

SECTION 4: GAP ANALYSIS

19 of 22

SWOT Analysis: Sinai Chicago IA Program

SECTION 4: SWOT ANALYSIS

STRENGTHS

WEAKNESSES

  • Epic EHR audit & access controls
  • Cybersecurity leadership embedded within IT governance
  • Established HIPAA compliance culture
  • Legacy devices with unpatched OS
  • HIPAA-compliant cloud infrastructure in place
  • Limited security budget vs. peers
  • Community trust and mission engagement
  • No formal AI governance structure

OPPORTUNITIES

THREATS

  • HHS Cybersecurity Performance Goals
  • Ransomware targeting safety-net hospitals
  • HRSA cybersecurity funding opportunities
  • Third-party vendor breach precedents
  • ARPA-H healthcare resilience initiatives
  • Illinois BIPA litigation exposure
  • AI extends small security team's reach
  • AI-generated phishing on the rise

20 of 22

Executive Summary

1

COMPLIANCE CONVERGENCE IS A STRATEGIC ADVANTAGE

One IA program satisfies HIPAA, HITECH, and PIPA

2

THREE IMMEDIATE ACTIONS

Device inventory · MFA on Epic · 90-day DR exercise

3

AI AS A FORCE MULTIPLIER WITH GUARDRAILS

Extends team capacity under NIST AI RMF governance

4

THE INVESTMENT CASE

$295–440K program cost vs. $7.42M average breach cost [9]

SECTION 5 · SUMMARY

21 of 22

 

[1] Sinai Chicago. (2024). 2023 annual report. https://www.sinaichicago.org/wp-content/uploads/2024/03/2023_Annual-Report_Sinai-Chicago.pdf

[2] Mount Sinai Hospital Medical Center. (n.d.). GuideStar nonprofit profile [Self-reported organizational profile, EIN 36-1509000]. Candid/GuideStar. https://www.guidestar.org/profile/36-1509000

[3] U.S. Department of Health and Human Services, Administration for Strategic Preparedness and Response. (2023). Healthcare sector cybersecurity. https://aspr.hhs.gov/cyber/Pages/default.aspx

[4] Sinai Chicago. (n.d.). Leadership and organizational information [LinkedIn company profile]. https://www.linkedin.com/company/sinaichicago

[7] Kapko, M. (2023, August 7). Ransomware attack on Prospect Medical Holdings impacts hospitals across 4 states. Cybersecurity Dive. https://www.cybersecuritydive.com/news/ransomware-hospitals/690130/

[8] National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). U.S. Department of Commerce. https://doi.org/10.6028/NIST.CSWP.29

[9] IBM Security. (2025). Cost of a data breach report 2025. https://www.ibm.com/reports/data-breach

[11] National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0). U.S. Department of Commerce. https://doi.org/10.6028/NIST.AI.100-1

[12] National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (SP 800-30, Rev. 1). https://doi.org/10.6028/NIST.SP.800-30r1

[13] U.S. Department of Health and Human Services. (2024). Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs). https://hhscyber.hhs.gov/cybersecurity-performance-goals.html

REFERENCES

22 of 22

[14] Illinois General Assembly. (n.d.). Personal Information Protection Act, 815 ILCS 530/1 et seq. https://www.ilga.gov/Legislation/ILCS/Articles?ActID=2702&ChapterID=67

[15] European Parliament and Council of the European Union. (2024). Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L 2024/1689. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng

[18] U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). Breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

[19] U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA Security Rule: Administrative safeguards, 45 CFR §164.308. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308

[20] U.S. Food and Drug Administration. (2023, September 27). Cybersecurity in medical devices: Quality system considerations and content of premarket submissions; guidance for industry and Food and Drug Administration staff. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

[21] Advanced Research Projects Agency for Health. (2024). UPGRADE: Universal PatchinG and Remediation for Autonomous DEfense. https://arpa-h.gov/research-and-funding/programs/upgrade

[22] U.S. Senate Committee on Finance. (2024). Hacking America's health care: Assessing the Change Healthcare cyber attack and what's next [Hearing]. https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next

REFERENCES