U.S. Department of Health & Human Services
HPH Sector Cybersecurity Framework Implementation Guide
Appendix A - Reference List
Health Care and Public Health Sector Cybersecurity Framework Implementation Guide
AICPA (2020b). SOC 2® - SOC for Service Organizations: Trust Services Criteria. SOC 2 Examination That Addresses Additional Subject Matters and Additional Criteria.
Alberts, C. and Dorofee, A. (2002). Managing Information Security Risks: The OCTAVE Approach. Boston: Addison-Wesley Professional.
An Act Incentivizing the Adoption of Cybersecurity Standards for Business, Connecticut Public Act No. 21-119 (2021).
An Act to amend the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes, Pub. Law 116-321.
Barrett, M., Keller, N., Quinn, S., Smith, M., and Scarfone, K. (2020, Nov). National Online Informative References (OLIR) Program: Submission Guidance for OLIR Developers (NISTIR 8278A). Gaithersburg, MD: NIST.
Barrett, M., Marron, J., Pillitteri, V., Boyens, J., Quinn, S., Witte, G., and Feldman, L. (2020, Mar). Approaches for Federal Agencies to Use the Cybersecurity Framework (NISTIR 8170). Gaithersburg, MD: NIST.
Bowen, P. and Kissel, R. (2007). Program Review for Information Security Management Assistance (PRISMA) (NISTIR 7358). Wash., DC: NIST.
Bundesamt für Sicherheit in der Informationstechnik, BSI (2021, 1 Feb). IT-Grundschutz-Compendium, Final Draft. Bonn, GE: Author.
Chew, E., Swanson, M., Stine, K., Bartol, N., Brown, A., and Robinson, W. (2008, July). Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1). Gaithersburg, MD: NIST.
Critical Infrastructure Partnership Advisory Council, Critical Infrastructure Cyber Community C3 Protection Program A (2017, 7 Jul). Executive Order 13800 Update Issue 1.
Cline, B. (2019, Sep). Risk Analysis Guide for HITRUST Organizations and Assessors.
Clinton, L. (Ed.) (2020). Cyber-Risk Oversight (Director's Handbook Series). Arlington, VA: National Association of Corporate Directors.
CMMI for Services (CMMI-SVC), V1.2, TR CMU/SEI-2009-TR-001, Hanscom AFB, MA: ESC (DoD), p. 23.
CNSS (2015, 6 Apr). Committee on National Security Systems (CNSS) Glossary (CNSSI No. 4009).
Cybersecurity Information Sharing Act (CISA), Publ. L. 114-113, Division N (2015).
Cybersecurity: Cyber Physical Systems Security. Available from Cyber-Physical Systems and Internet of Things | NIST.
DOE (2015). Energy Sector Cybersecurity Framework Implementation Guidance, Version 4 (DRAFT). Wash., D.C.: Author.
Exec. Order No. 13636, 3 C.F.R. 11739-11744 (2013).
Exec. Order No. 13800, 3 C.F.R. 22391-22397 (2017).
Exec. Order No. 14028, 3 C.F.R. 26633-26647 (2021).
European Digital SME Alliance (2020). About: Who we are.
European Digital SME Alliance (n.d.). SME Guide for the Implementation of ISO/IEC 27001 on Information Security Management.
FDA (2022, Nov). Medical Devices: Digital Health Center of Excellence: Cybersecurity.
Freund, J. and Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. Oxford: Elsevier, Inc.
GAO (2011, Dec). Report to Congressional Requesters: Cybersecurity Guidance Is Available, but More Can Be Done to Promote Its Use (Publication No. GAO-12-92, Critical Infrastructure Protection). Wash., DC: Author.
GAO (2016, Aug). Report to the Committee on Health, Education, Labor, and Pensions, U.S. Senate: HHS Needs to Strengthen Security and Privacy Guidance and Oversight (Publication No. GAO-16-771, Electronic Health Information). Washington, D.C.: Author, p. 35.
GAO (2018, February). Report to Congressional Committees on Critical Infrastructure Protection: Additional Actions Are Essential for Assessing Cybersecurity Framework Adoption (Publication No. GAO-18-211, Critical Infrastructure Protection). Washington, D.C.: Author, p. 15.
Grassi, P., Garcia, M., and Fenton, J. (2017, Jun). Digital Identity Guidelines (NIST SP 800-63-3). Gaithersburg, MD: NIST.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification regulations text, 45 CFR Pts 160, 162, and 164 (2013, as amended).
Health Information Technology for Economic and Clinical Health (HITECH) Act, Public Law 11-5, U.S. Statutes at Large 123 (2009): 226-279.
Health IT (2020). Security Risk Assessment Tool.
Public Health Emergency: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.
Health Sector Cybersecurity Coordination Center (HC3).
HHS 405d (n.d.). Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations.
HSCC CWG (2019, Jan). Medical Device and Health IT Joint Security Plan.
Health informatics – Information security management in health using ISO/IEC 27002 (ISO 27799:2016).
JTF TI (2012, Sep). Guide for Conducting Risk Assessments, NIST SP 800-30 r1. Wash., DC: NIST, p. 23.
Keller, N., Quinn, S., Scarfone, K., Smith, M., and Johnson, V. (2020, Nov). National Online Informative References (OLIR) Program and OLIR Uses (NISTIR 8278). Gaithersburg, MD: NIST.
National Institute of Standards and Technology Act, 15 USC §§ 271 – 286.
Standards for Security Categorization of Federal Information and Information Systems (FIPS Pub 199). Gaithersburg, MD: Author.
NIST Releases Cybersecurity Framework Version 1.0.
NIST (2014, Feb 12). Framework for Improving Critical Infrastructure Cybersecurity, Version 1 (Updated 2018, Jan 8). Wash., DC: Author.
NIST (2018, Apr 16). Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Gaithersburg, MD: Author.
NIST (2019, Apr). Cybersecurity Framework Online Informative References (OLIR) Submissions (NISTIR 8204). Gaithersburg, MD: Author.
NIST (2019, Sep 13). Cybersecurity Framework: Frequently Asked Questions.
Cybersecurity Framework: Informative Reference Catalog.
Small Business Security Cybersecurity Corner.
Glossary: Risk Assessment.
Glossary: Security Control Assessment.
NIST (2020, Jan). National Cybersecurity Online Informative References (OLIR) Program: Guidelines for OLIR Users and Developers (NISTIR 8278). Gaithersburg, MD: Author.
NIST (2021, Dec 8). Cybersecurity Framework: Informative References: What are they, and how are they used?
National Online Informative References Pr
NIST Risk Management Framework RMF.
Cybersecurity Framework: The Five Functions.
OCR (2019, Feb). OCR Concludes 2018 with All-Time Record Year for HIPAA Enforcement.
OCR (2021). About Us.
OCR (2020, Dec). 2016-2017 HIPAA Audits Industry Report.
About ONC: What We Do.
Resolution Agreements: Resolution Agreements and Civil Money Penalties.
Ohio Data Protection Act, Senate Bill 220 (2018).
Paulsen, C. and Toth, P. (2016, Nov). Small Business Information Security: The Fundamentals (NISTIR 7621, Revision 1). Gaithersburg, MD: NIST.
Ross, R., Pillitteri, V., Dempsey, K., Riddle, M., and Guissanie, G. (2016, Dec). Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (NIST SP 800-171, Revision 2). Gaithersburg, MD: NIST.
Scholl, M., Stine, K., Hash, J., et al. (2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66 r1. Wash., DC: NIST.
Small Business Administration, SBA (2020).
Small Business Regulatory Enforcement Flexibility Act (SBREFA), Publ. L. 104-121 (1996; as amended by P.L. 110-28, 2007).
Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020, Oct). Integrating Cybersecurity and Enterprise Risk Management (ERM) (NISTIR 8286). Gaithersburg, MD: NIST.
The White House (2013, Feb 12). Presidential Policy Directive—Critical Infrastructure Security and Resilience.
DHS Announces Critical Infrastructure Cyber Community [C3] Voluntary Program.
Assessments: Cyber Resilience Review (CRR).
US-CERT (2020b). Resources.
Resources for Small and Midsize Businesses (SMB).
List of Tables
Table 1. Step 1: Prioritize and Scope Inputs, Activities, and Outputs
Table 2. Step 2: Orient Inputs, Activities, and Outputs
Table 3. Step 3: Target Profile Inputs, Activities, and Outputs
Table 4. Step 4: Risk Assessment Inputs, Activities, and Outputs
Table 5. Step 5: Current Profile Inputs, Activities, and Outputs
Table 6. Step 6: Gap Analysis Inputs, Activities, and Outputs
Table 7. NIST Maturity Levels
Table 8. Achievement Scales
Table 9. Step 7: Implement Action Plan Inputs, Activities, and Outputs
Table 10. Healthcare Implementation Activities by Step
Table 11. Relationship of Cyber Implementation and HHS Risk Analysis Elements
Table 12. NIST Cybersecurity Framework Core Functions
Table 13. Roles and Responsibilities
Table 14. Phased Communication Goals
Table 15. Vehicle Selection
Table 16. Communication Vehicles
List of Figures
Figure 1. Notional Information and Decision Flows within an Organization
Figure 2. Healthcare Implementation Process
Figure 3. NIST Risk Management Framework
Figure 4. Relating Cybersecurity Risk to Other Forms of Business Risk
Figure 5. Example NIST Cybersecurity Framework Scorecard
Figure 6. Generic Implementation Process
Figure 7. Relationship between NIST Cybersecurity Framework and Informative References