Health Care and Public Health Sector Cybersecurity Framework Implementation Guide
Appendix A - Reference List
AICPA (2020a). AICPA.
AICPA (2020b). SOC 2® - SOC for Service Organizations: Trust Services Criteria.
AICPA (2020c). SOC 2 Examination That Addresses Additional Subject Matters and Additional Criteria.
Alberts, C. and Dorofee, A. (2002). Managing Information Security Risks: The OCTAVE Approach. Boston: Addison-Wesley Professional.
An Act Incentivizing the Adoption of Cybersecurity Standards for Business, Connecticut Public Act No. 21-119 (2021).
An Act to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes, Pub. Law 116-321.
Barrett, M., Keller, N., Quinn, S., Smith, M., and Scarfone, K. (2020, Nov). National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers (NISTIR 8278A). Gaithersburg, MD: NIST.
Barrett, M., Marron, J., Pillitteri, V., Boyens, J., Quinn, S., Witte, G., and Feldman, L. (2020, Mar). Approaches for Federal Agencies to Use the Cybersecurity Framework (NISTIR 8170). Gaithersburg, MD: NIST.
Bowen, P. and Kissel, R. (2007). Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358). Wash., DC: NIST.
Bundesamt für Sicherheit in der Informationstechnik, BSI (2021, 1 Feb). IT-Grundschutz-Compendium, Final Draft. Bonn, GE: Author.
Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., and Robinson, W. (2008, July). Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1). Gaithersburg, MD: NIST.
CIS (2020). CIS Controls®.
CISA (2021a). Critical Infrastructure Partnership Advisory Council.
CISA (2021b). Critical Infrastructure Cyber Community C3 Protection Program.
CISA (2017, 7 Jul). Executive Order 13800 Update Issue 1.
Cline, B. (2019, Sep). Risk Analysis Guide for HITRUST Organizations and Assessors.
Clinton, L. (Ed.) (2020). Cyber-Risk Oversight (Director's Handbook Series). Arlington, VA: National Association of Corporate Directors.
CM-SEI (2009). CMMI for Services (CMMI-SVC), V1.2, TR CMU/SEI-2009-TR-001. Hanscom AFB, MA: ESC (DoD), p. 23.
CNSS (2015, 6 Apr). Committee on National Security Systems (CNSS) Glossary (CNSSI No. 4009).
Cybersecurity Information Sharing Act (CISA), Publ. L. 114-113, Division N (2015).
DHS (2022). Cybersecurity: Cyber Physical Systems Security. Available from Cyber-Physical Systems and Internet of Things | NIST.
DOE (2015). Energy Sector Cybersecurity Framework Implementation Guidance, Version 4 (DRAFT). Wash., D.C.: Author.
Exec. Order No. 13636, 3 C.F.R. 11739-11744 (2013).
Exec. Order No. 13800, 3 C.F.R. 22391-22397 (2017).
Exec. Order No. 14028, 3 C.F.R. 26633-26647 (2021).
European Digital SME Alliance (2020). About: Who we are.
European Digital SME Alliance (n.d.). SME Guide for the Implementation of ISO/IEC 27001 on Information Security Management.
FDA (2022, Nov). Medical Devices: Digital Health Center of Excellence: Cybersecurity.
Freund, J. and Jones, J. (2015). Measuring and Managing Information Risk: A FAIR approach. Oxford: Elsevier, Inc.
GAO (2011, Dec). Report to Congressional Requesters: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use (Publication No. GAO-12-92 Critical Infrastructure Protection). Wash., DC: Author.
GAO (2016, Aug). Report to the Committee on Health, Education, Labor, and Pensions, U.S. Senate: HHS Needs to Strengthen Security and Privacy Guidance and Oversight (Publication No. GAO-16-771 Electronic Health Information). Washington, D.C.: Author, p. 35.
GAO (2018, February). Report to Congressional Committees on Critical Infrastructure Protection: Additional Actions are Essential for Assessing Cybersecurity Framework Adoption (Publication No. GAO-18-211 Critical Infrastructure Protection). Washington, D.C.: Author, p. 15.
Grassi, P., Garcia, M., and Fenton, J. (2017, Jun). Digital Identity Guidelines (NIST SP 800-63-3). Gaithersburg, MD: NIST.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification regulations text, 45 CFR Pts 160, 162, and 164 (2013, as amended).
Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 11-5, U.S. Statutes at Large 123 (2009): 226-279.
Health IT (2020). Security Risk Assessment Tool.
HHS (2022a). Public Health Emergency: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
HHS (2022b). Health Sector Cybersecurity Coordination Center (HC3).
HHS 405d (n.d.). Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations.
HSCC CWG (2019, Jan). Medical Device and Health IT Joint Security Plan.
ISO (2016). Health informatics – Information security management in health using ISO/IEC 27002 (ISO 27799:2016).
JTF TI (2012, Sep). Guide for Conducting Risk Assessments, NIST SP 800-30 r1. Wash., DC: NIST, p. 23.
Keller, N., Quinn, S., Scarfone, K., Smith, M., and Johnson, V. (2020, Nov). National Online Informative References (OLIR) Program and OLIR Uses (NISTIR 8278). Gaithersburg, MD: NIST.
National Institute of Standards and Technology Act, 15 USC §§ 271 – 286.
NIST (2004). Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199). Gaithersburg, MD: Author.
NIST (2014). NIST Releases Cybersecurity Framework Version 1.0.
NIST (2014, Feb 12). Framework for Improving Critical Infrastructure Cybersecurity, Version 1 (Updated 2018, Jan 8). Wash., DC: Author.
NIST (2018, Apr 16). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Gaithersburg, MD: Author.
NIST (2019, Apr). Cybersecurity Framework Online Informative References (OLIR) Submissions (NISTIR 8204). Gaithersburg, MD: Author.
NIST (2019, Sep 13). Cybersecurity Framework: Frequently Asked Questions.
NIST (2020a). Cybersecurity Framework: Informative Reference Catalog.
NIST (2020b). Small Business Security Cybersecurity Corner.
NIST (2020c). Glossary: Cybersecurity.
NIST (2020d). Glossary: Risk Assessment.
NIST (2020e). Glossary: Security Control Assessment.
NIST (2020, Jan). National Cybersecurity Online Informative References (OLIR) Program: Guidelines for OLIR Users and Developers (NISTIR 8278). Gaithersburg, MD: Author.
NIST (2021, Dec 8). Cybersecurity Framework: Informative References: What are they, and how are they used?
NIST (2022a). National Online Informative References Program.
NIST (2022b). NIST Risk Management Framework RMF.
NIST (2022c). Cybersecurity Framework: The Five Functions.
OCR (2019, Feb). OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement.
OCR (2021). About Us.
OCR (2020, Dec). 2016-2017 HIPAA Audits Industry Report.
ONC (2020). About ONC: What We Do.
OCR (2022). Resolution Agreements: Resolution Agreements and Civil Money Penalties.
Ohio Data Protection Act, Senate Bill 220 (2018).
Paulsen, C. and Toth, P. (2016, Nov). Small Business Information Security: The Fundamentals (NISTIR 7621, Revision 1). Gaithersburg, MD: NIST.
Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., and Guissanie, G. (2016, Dec). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171, Revision 2). Gaithersburg, MD: NIST.
Scholl, M., Stine, K., Hash, J., et al. (2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66 r1. Wash., DC: NIST.
Small Business Administration, SBA (2020).
Small Business Regulatory Enforcement Flexibility Act (SBREFA), Publ. L. 104-121 (1996; as amended by P.L. 110-28, 2007).
Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020, Oct). Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286). Gaithersburg, MD: NIST.
The White House (2013, Feb 12). Presidential Policy Directive: Critical Infrastructure Security and Resilience.
US-CERT (2014). DHS Announces Critical Infrastructure Cyber Community [C3] Voluntary Program.
US-CERT (2020a). Assessments: Cyber Resilience Review (CRR).
US-CERT (2020b). Resources.
US-CERT (2020c). Resources for Small and Midsize Businesses (SMB).