Building an Information
Assurance Strategy
for Sinai Chicago
NIST CSF | Regulatory Compliance | AI Governance | Risk Management
Daniza Neri · INFM 208 · June 2026
SECTION 1 · REGULATORY LANDSCAPE
Why NIST Compliance Matters at Sinai Chicago
01
SAFETY-NET HOSPITAL RISK PROFILE
100,000+ patients annually; life-critical services at stake [1]
02
REGULATORY CONVERGENCE
HIPAA, HITECH, and Illinois PIPA overlap and compound
03
RISING HEALTHCARE THREAT LANDSCAPE
93% increase in large breaches, 2018–2022 (HHS) [3]
HIPAA Security & Privacy Rules
Covered entity status: 8 facilities, 100,000+ patients and families served annually, generating ePHI at scale. [1]
IMPACTED AREA | RISK IF NON-COMPLIANT |
EHR & clinical data (Epic) | OCR investigation, penalties up to $1.9M/yr |
Medical device connectivity | Unencrypted PHI transmission violation |
Business Associate Agreements | Shared liability for vendor breach |
SECTION 1: REGULATORY 1 of 3
HITECH Act
Strengthens HIPAA enforcement and breach notification requirements.
SECTION 1: REGULATORY 2 of 3
BREACH NOTIFICATION |
60-day window to notify HHS and patients |
INCREASED PENALTIES |
Fines up to $50,000 per violation |
VENDOR ACCOUNTABILITY |
Business associates directly liable |
Illinois Personal Information Protection Act
Governs personal information (PII) beyond the scope of HIPAA, including employee, billing, and community data.
ELEMENT | REQUIREMENT | SINAI IMPACT |
Scope | Illinois residents' PII beyond PHI | Employee SSNs, payroll data |
Notification | Most expedient time possible | Always-ready breach response |
Security standard | Reasonable security measures | Aligns with NIST CSF |
Biometric data | Governed separately under BIPA | Time-tracking systems in scope |
SECTION 1: REGULATORY 3 of 3
Mission-Critical Assets & Services
SECTION 2: NIST CSF APPLICATION
CLINICAL SYSTEMS |
| Patient safety |
MEDICAL DEVICES |
| Life-critical |
NETWORK INFRASTRUCTURE |
| Availability |
WORKFORCE & ACCESS |
| Insider threat |
COMMUNITY SERVICES |
| Financial/PIPA |
Identify
Strategic benefit: Full visibility across medical devices, clinical systems, and vendor technologies.
SECTION 2: NIST CSF
CURRENT STATE |
Unknown networked medical devices |
Incomplete asset inventory |
FUTURE STATE |
Enterprise device inventory program |
Automated real-time asset discovery |
Protect
Strategic benefit: Reduces attack surface by retiring legacy systems and enforcing identity verification.
SECTION 2: NIST CSF
CURRENT STATE |
Legacy medical device operating systems |
Inconsistent MFA enforcement |
FUTURE STATE |
FDA-aligned technology lifecycle plan |
Zero-trust segmentation + MFA rollout |
Detect
Strategic benefit: Shifts Sinai from reactive breach response to proactive threat detection.
SECTION 2: NIST CSF
CURRENT STATE |
Credential attacks going undetected |
No behavioral baseline for anomalies |
FUTURE STATE |
AI-assisted behavioral monitoring (UEBA) |
Automated alerts for anomalous access |
Respond
Strategic benefit: Faster coordinated response that protects patient care during cyber incidents.
SECTION 2: NIST CSF
CURRENT STATE |
Limited clinical leadership in incident response |
Incident plan untested with clinical scenarios |
FUTURE STATE |
Cyber Incident Clinical Leadership Committee |
Quarterly tabletop exercises |
Recover
Strategic benefit: Measurable recovery targets that reduce downtime and strengthen resilience.
SECTION 2: NIST CSF
CURRENT STATE |
No tested disaster recovery timeline |
Vendor recovery gaps in business continuity planning |
FUTURE STATE |
Quarterly DR exercises with defined RTOs/RPOs |
Contractual vendor SLA enforcement |
Asset Protection Across NIST CSF
ASSET | IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER |
Epic EHR | Asset inventory | MFA + RBAC | UEBA | CICLC | RTO < 4hr |
Medical devices | Inventory | Segmentation | Anomaly alerts | Isolation | Manual fallback |
Clinical network | Asset map | Zero trust | IDS/IPS | Containment | Redundancy |
Staff credentials | IAM audit | MFA enforcement | Behavioral monitoring | Disable & notify | Re-provision |
Revenue cycle | Data map | Encryption | DLP alerts | Breach notify | PIPA notification |
SECTION 2: ASSET TO CSF MAP
NIST CSF Maturity Roadmap
SECTION 2: MATURITY ROADMAP
Scale (1–4) reflects NIST CSF 2.0 Implementation Tiers: Partial, Risk-Informed, Repeatable, Adaptive. [8]
Strategic benefit: Prioritizes investments where maturity gaps create the greatest organizational risk.
Five Immediate Security Policies
1
MEDICAL DEVICE SECURITY
Segmentation & Vendor Accountability
IDENTITY & ACCESS MANAGEMENT
MFA & Least-Privilege Access & Quarterly Review
3
INCIDENT RESPONSE & BREACH NOTIFICATION
CICLC Activation & Code Downtime Testing
04
AI GOVERNANCE & ACCEPTABLE USE
BAA & Bias Assessment before Deployment
05
VENDOR RISK MANAGEMENT
SOC 2 Type II & Annual Vendor Review
SECTION 3: SECURITY POLICY
2
3
4
5
AI-Enhanced Security Operations
ANOMALY DETECTION (UEBA)
COMPLIANCE MONITORING
SECTION 3: AI IN SECURITY OPERATIONS
INCIDENT TRIAGE AUTOMATION
PREDICTIVE VULNERABILITY SCORING
3
Priority 2: Future Enhancement
Priority 1: Immediate Implementation
Strategic benefit: Extends security team capacity through automation while maintaining human oversight.
AI Governance: Ethics, Risk & Frameworks
SECTION 3: AI GOVERNANCE & ETHICS
ACTION | GOVERN UNDER |
Algorithmic Bias | NIST AI RMF |
Transparency Gap | EU AI Act |
Data Governance | NIST AI RMF |
Operational Reliability | NIST AI RMF |
Govern AI systems using recognized frameworks before deployment into clinical, operational, or security workflows
SECTION 4: RISK ASSESSMENT
Risk Assessment Methodology
RISK ASSESSMENT |
|
RISK REGISTER OUTPUT |
|
PRIORITIZED REMEDIATION ROADMAP |
|
Gap Analysis & Strategic Priorities
GAP | IMPACT | PRIORITY |
Medical Device Inventory | Patient Safety | Immediate |
Disaster Recovery Testing | Clinical Continuity | Q3 2026 |
Vendor Risk Management | Regulatory & Third-Party Risk | Q3 2026 |
AI-assisted Monitoring | Threat Detection | Q4 2026 |
AI Governance & Acceptable Use | AI Risk Management | Year 1 |
12-month investment: $295K–$440K | Average healthcare breach cost: $7.42M [9]
SECTION 4: GAP ANALYSIS
SWOT Analysis: Sinai Chicago IA Program
SECTION 4: SWOT ANALYSIS
STRENGTHS | WEAKNESSES |
|
|
|
|
|
|
|
|
OPPORTUNITIES | THREATS |
|
|
|
|
|
|
|
|
Executive Summary
1
COMPLIANCE CONVERGENCE IS A STRATEGIC ADVANTAGE
One IA program satisfies HIPAA, HITECH, and PIPA
2
THREE IMMEDIATE ACTIONS
Device inventory · MFA on Epic · 90-day DR exercise
3
AI AS A FORCE MULTIPLIER WITH GUARDRAILS
Extends team capacity under NIST AI RMF governance
4
THE INVESTMENT CASE
$295–440K program cost vs. $7.42M average breach cost [9]
SECTION 5 · SUMMARY
[1] Sinai Chicago. (2024). 2023 annual report. https://www.sinaichicago.org/wp-content/uploads/2024/03/2023_Annual-Report_Sinai-Chicago.pdf
[2] Mount Sinai Hospital Medical Center. (n.d.). GuideStar nonprofit profile [Self-reported organizational profile, EIN 36-1509000]. Candid/GuideStar. https://www.guidestar.org/profile/36-1509000
[3] U.S. Department of Health and Human Services, Administration for Strategic Preparedness and Response. (2023). Healthcare sector cybersecurity. https://aspr.hhs.gov/cyber/Pages/default.aspx
[4] Sinai Chicago. (n.d.). Leadership and organizational information [LinkedIn company profile]. https://www.linkedin.com/company/sinaichicago
[7] Kapko, M. (2023, August 7). Ransomware attack on Prospect Medical Holdings impacts hospitals across 4 states. Cybersecurity Dive. https://www.cybersecuritydive.com/news/ransomware-hospitals/690130/
[8] National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). U.S. Department of Commerce. https://doi.org/10.6028/NIST.CSWP.29
[9] IBM Security. (2025). Cost of a data breach report 2025. https://www.ibm.com/reports/data-breach
[11] National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0). U.S. Department of Commerce. https://doi.org/10.6028/NIST.AI.100-1
[12] National Institute of Standards and Technology. (2012). Guide for conducting risk assessments (SP 800-30, Rev. 1). https://doi.org/10.6028/NIST.SP.800-30r1
[13] U.S. Department of Health and Human Services. (2024). Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs). https://hhscyber.hhs.gov/cybersecurity-performance-goals.html
REFERENCES
[14] Illinois General Assembly. (n.d.). Personal Information Protection Act, 815 ILCS 530/1 et seq. https://www.ilga.gov/Legislation/ILCS/Articles?ActID=2702&ChapterID=67
[15] European Parliament and Council of the European Union. (2024). Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Official Journal of the European Union, L 2024/1689. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
[18] U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). Breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
[19] U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA Security Rule: Administrative safeguards, 45 CFR §164.308. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308
[20] U.S. Food and Drug Administration. (2023, September 27). Cybersecurity in medical devices: Quality system considerations and content of premarket submissions; guidance for industry and Food and Drug Administration staff. https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions
[21] Advanced Research Projects Agency for Health. (2024). UPGRADE: Universal PatchinG and Remediation for Autonomous DEfense. https://arpa-h.gov/research-and-funding/programs/upgrade
[22] U.S. Senate Committee on Finance. (2024). Hacking America's health care: Assessing the Change Healthcare cyber attack and what's next [Hearing]. https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next
REFERENCES