
Appendix I: Executive Marketing/Summary Template

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

Cybersecurity – An Increasing Risk

Hackers are increasingly targeting health care organizations to steal information and disrupt operations. Records containing personal, financial, medical, and insurance information are among the most valued on the dark web, selling for up to $1,000 each. Health care also suffers the highest breach cost of any sector, at an estimated $408 per record. The question is not if your organization is going to be attacked, but when.

Today’s increasingly sophisticated cyberattacks exploit fragmented hospital infrastructures: hundreds of applications, vulnerable connected medical devices, and multiple EMRs, which makes prioritizing security investments extremely complex. A successful attack can degrade patient care, cripple business operations, expose sensitive data, and damage a company’s reputation and market value. Penalties for non-compliance with regulatory agencies have steadily increased, driving corporate management teams and boards to adapt and improve their approach to cyber governance.

Some health care organizations still struggle to manage a collaborative approach to cybersecurity and settle for compliance-centric or checklist-focused processes rather than a risk-based approach. Today, organizations are challenged to show how security investments translate into meaningful risk reduction and to integrate cybersecurity into Enterprise Risk Management (ERM) with more detailed risk guidance, identification, and analysis. It is increasingly important to define risk tolerance and risk appetite, to determine the likelihood and impact of threat events in that context, and to record the results in cybersecurity risk registers that feed an enterprise risk profile, so that enterprise cybersecurity risk response and monitoring can be prioritized and communicated.

Reinforcing the need for a risk-based approach, in 2020 the HHS Office for Civil Rights (OCR) released the findings of its 2016-2017 HIPAA Rules audits,[100] including findings on the Risk Management and Risk Analysis requirements. Fully 87% of organizations that underwent a ‘Phase 2’ HIPAA Rules audit failed to meet OCR’s expectations for risk analysis, and that figure rose to 93% for risk management.[101] Often this is because organizations settle for compliance-centric or checklist-focused cybersecurity processes rather than the broader collaborative engagement a risk analysis requires to effectively identify and manage organizational risk, safeguard patient privacy, and protect business value. To be effective in today’s constantly evolving threat landscape and to comply with complex regulations, health care organizations must adopt an approach that goes beyond the threats, vulnerabilities, and controls du jour.

Standing Up a Cybersecurity Program to Reduce Risk

There is mounting pressure on the entire health care ecosystem to improve cybersecurity. Fines, audits, litigation, reputational damage, loss of business, and patient safety are powerful catalysts. But fear is no longer the sole motivating factor: health care executives are beginning to engage cybersecurity from a business and patient safety perspective.

Senior leadership has a crucial strategic role to play in cybersecurity, but it can be hampered by a limited understanding of cyber issues, by the quality and frequency of the reporting it receives from management, and by inadequate governance structures that hold back key information. Without senior leadership’s directive and commitment to an agreed-upon enterprise cybersecurity framework, the organization lacks visibility into the threats and vulnerabilities that may impact the mission of the business and, more importantly, patient safety. Basing the program on a cybersecurity framework helps direct capital, operational, and staffing allocations to the lines of business where protecting assets and information yields the greatest reduction in risk exposure.

Leveraging the NIST Cybersecurity Framework

The Department of Health and Human Services (HHS) has recommended two voluntary resources to assist health organizations in managing cybersecurity and HIPAA compliance: the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)[102] developed by NIST, and the Health Industry Cybersecurity Practices (HICP),[103] developed jointly by the HPH Sector Government Coordinating Council (GCC), representing the public sector, and the Sector Coordinating Council (SCC), representing the private sector. The NIST Cybersecurity Framework establishes governance processes for managing cybersecurity through an outcome-based risk management framework. HICP offers a practical and focused approach for small, medium, and large organizations to begin addressing their cyber risks and build towards a more comprehensive cybersecurity program. HICP is mapped to the NIST Cybersecurity Framework, references the crosswalk between the HIPAA Security Rule and the NIST Framework, and provides a Threat Mitigation Matrix that helps users navigate HICP’s technical volumes. The Threat Mitigation Matrix helps an organization’s IT team identify which of the five key cybersecurity threats outlined in HICP are most pertinent to the organization and apply controls to mitigate them. The controls and sub-controls are categorized by the organization "size" they apply to and mapped to the corresponding NIST CSF subcategories.

These documents provide tools that can improve compliance while simultaneously reducing the likelihood and impact of a cyber event. The 2018 HIMSS Cybersecurity Survey found that 58% of health care organizations were leveraging the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework can be thought of as a three-legged stool:

  • The framework articulates what you are going to do
  • The process specifies how you are going to do it
  • The maturity model fosters continuous process improvement

The Core of the NIST Cybersecurity Framework is organized as a hierarchy of Functions, Categories, and Subcategories. The five Functions, shown in Table 12 below, follow the shape of a typical incident response lifecycle:

Table 12. NIST Cybersecurity Framework Core Functions

Acronym   Function   Key Risk Determination
ID        Identify   What assets need protection?
PR        Protect    What safeguards are available?
DE        Detect     What techniques can identify incidents?
RS        Respond    What techniques can contain the impact?
RC        Recover    What techniques can restore capabilities?
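The risk register described earlier (likelihood and impact of threat events, measured against a stated risk tolerance, rolled up into an enterprise risk profile) can be expressed directly against the Core hierarchy in Table 12. The following is an added example, not code from this guide, NIST, or HHS: each register entry is tied to a CSF 1.1 Subcategory ID (the IDs used, such as PR.AC-1 and DE.CM-1, are real CSF 1.1 identifiers; the Function is the prefix before the dot), scored on an assumed 1-5 likelihood and 1-5 impact scale, and ranked against a tolerance. The sample hospital risks, their scores, the 5x5 exposure bands, and the tolerance value are constructed for illustration.

```python
"""Cybersecurity risk register aligned to the NIST CSF Core (constructed example).

Each entry records a threat event, the CSF 1.1 Subcategory whose outcome
addresses it (the Function is the prefix before the dot: ID, PR, DE, RS, RC),
1-5 likelihood and impact scores, and the chosen response. Exposure is
likelihood x impact on an assumed 5x5 matrix; entries above the enterprise
risk tolerance are ranked so response and monitoring can be prioritised.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CSF_FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                 "RS": "Respond", "RC": "Recover"}
RESPONSES = {"accept", "mitigate", "transfer", "avoid"}


@dataclass(frozen=True)
class RiskEntry:
    risk_id: str
    description: str
    csf_subcategory: str   # CSF 1.1 Subcategory ID, e.g. "PR.AC-1"
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe / patient safety)
    response: str          # accept | mitigate | transfer | avoid

    def __post_init__(self) -> None:
        # Reject malformed entries up front; a register is only useful if every
        # row is scored on the same scale and maps to a real Function.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: scores must be 1..5")
        if self.function not in CSF_FUNCTIONS:
            raise ValueError(f"{self.risk_id}: unknown CSF function {self.function!r}")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.risk_id}: unknown response {self.response!r}")

    @property
    def function(self) -> str:
        return self.csf_subcategory.split(".", 1)[0]

    @property
    def exposure(self) -> int:
        return self.likelihood * self.impact


def rating(exposure: int) -> str:
    """Bucket a 1..25 exposure score into heat-map bands (assumed thresholds)."""
    if exposure >= 16:
        return "Critical"
    if exposure >= 10:
        return "High"
    if exposure >= 5:
        return "Moderate"
    return "Low"


def prioritize(register: List[RiskEntry], tolerance: int) -> List[RiskEntry]:
    """Entries whose exposure exceeds the risk tolerance, highest first.
    Ties break on impact (patient-safety consequences outrank frequency),
    then on risk ID so the ordering is stable across runs."""
    above = [r for r in register if r.exposure > tolerance]
    return sorted(above, key=lambda r: (-r.exposure, -r.impact, r.risk_id))


def accepted_above_tolerance(register: List[RiskEntry], tolerance: int) -> List[str]:
    """Risk appetite check: 'accept' is only a valid response within tolerance.
    Anything returned here needs explicit executive sign-off or a new response."""
    return [r.risk_id for r in register
            if r.response == "accept" and r.exposure > tolerance]


def rollup_by_function(register: List[RiskEntry], tolerance: int) -> Dict[str, Tuple[int, int]]:
    """Per CSF Function: (highest exposure, number of entries above tolerance).
    This is the view that goes on the enterprise risk profile for the board."""
    out: Dict[str, Tuple[int, int]] = {f: (0, 0) for f in CSF_FUNCTIONS}
    for r in register:
        worst, count = out[r.function]
        out[r.function] = (max(worst, r.exposure), count + (r.exposure > tolerance))
    return out


# Constructed sample register for a hospital; risks and scores are illustrative only.
SAMPLE_REGISTER = [
    RiskEntry("R-01", "Unpatched internet-facing VPN appliance used for initial access", "PR.IP-12", 4, 5, "mitigate"),
    RiskEntry("R-02", "Ransomware on EMR servers with no exercised recovery plan", "RC.RP-1", 3, 5, "mitigate"),
    RiskEntry("R-03", "Phished credentials reused on shared clinical workstations", "PR.AC-1", 5, 3, "mitigate"),
    RiskEntry("R-04", "Connected infusion pumps missing from the asset inventory", "ID.AM-1", 3, 4, "mitigate"),
    RiskEntry("R-05", "Lateral movement undetected: no clinical network monitoring", "DE.CM-1", 3, 4, "mitigate"),
    RiskEntry("R-06", "Incident response plan never executed in an exercise", "RS.RP-1", 2, 4, "mitigate"),
    RiskEntry("R-07", "Loss of an encrypted laptop holding no PHI", "PR.DS-1", 2, 2, "accept"),
]
TOLERANCE = 9  # assumed enterprise tolerance: High or Critical exposure needs a response plan


def executive_summary(register: List[RiskEntry], tolerance: int) -> List[str]:
    """One line per prioritized risk, in the form a steering committee reads."""
    return [f"{r.risk_id} {CSF_FUNCTIONS[r.function]:8} {r.csf_subcategory:9} "
            f"L{r.likelihood} x I{r.impact} = {r.exposure:2} {rating(r.exposure):8} "
            f"{r.response:9} {r.description}"
            for r in prioritize(register, tolerance)]


if __name__ == "__main__":
    for line in executive_summary(SAMPLE_REGISTER, TOLERANCE):
        print(line)
    print("Unapproved acceptances:", accepted_above_tolerance(SAMPLE_REGISTER, TOLERANCE))
    for fn, (worst, n) in rollup_by_function(SAMPLE_REGISTER, TOLERANCE).items():
        print(f"{CSF_FUNCTIONS[fn]:8} worst exposure {worst:2} ({rating(worst)}), {n} above tolerance")
```

The Function roll-up is what belongs in a board deck; the per-entry lines belong with the steering committee that owns the response plans. The acceptance check is the piece most registers omit: a risk above tolerance marked "accept" without a recorded sign-off is exactly the nominal business-unit ownership this guide warns against.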

Below are some of the top business reasons to consider implementing the NIST Cybersecurity Framework. While nothing is guaranteed, implementation could potentially result in:

  • Reduced breach risk
  • Improved patient safety
  • Increased compliance
  • Reduced exposure to civil litigation penalties
  • Lower medical liability rates
  • Protection of the customer base
  • Avoidance of fines and penalties
  • A stronger position in M&A due diligence
  • A favorable impact on credit ratings
  • Detailed documentation of the program
  • Evidence of meeting a reasonableness standard in court

Leveraging the NIST Cybersecurity Framework is in alignment with the NACD Director’s Handbook on Cyber-Risk Oversight. The NACD identifies five key issues for an organization’s Board of Directors to take up:

  1. Approach cybersecurity as part of ERM;[104]
  2. Understand the legal implications of cyber risk specific to the organization’s circumstances, including reporting and disclosure obligations;
  3. Engage cybersecurity expertise both internally and externally;
  4. Set the expectation that an enterprise cyber risk management framework will be adopted and adequately staffed and budgeted; and
  5. Include in board discussions the identification of cyber risks and the decision on which risks to accept, mitigate, transfer, and avoid.


Organizations need a practical approach for addressing cybersecurity challenges. Boards and Executive Steering Committees want better insight into how cybersecurity management decisions are made, and often complain that they are briefed with technobabble and operational security metrics instead. Too often a business unit’s ownership of risk is nominal, and security responsibility is effectively left with the organization’s cybersecurity team. The NIST Cybersecurity Framework bridges this communications divide: it improves leadership’s oversight and engages individuals at all levels in setting maturity-level targets, sharing a common nomenclature, and making complex cybersecurity decisions that produce measurable outcomes.


100 OCR (2020, Dec). 2016-2017 HIPAA Audits Industry Report.

101 Hales, M. (2017, Oct 8). OCR Audits Reveal Dismal Performance.

102 NIST (2018, Aug 16).

103 HHS (2022b). Public Health Emergency: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.

104 For more information on integrating cybersecurity into an organization’s ERM program, see NIST (2020, Oct).
