Skip to main content

An official website of the United States government

U.S. Department of Health & Human Services

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Long Descriptions for Figures

Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide

Figure 1:  Notional Information and Decision Flows within an Organization

Figure 2 describes a common flow of information and decisions at the following levels within an organization:

  • Executive
  • Business/Process
  • Implementation/Operations

The executive level communicates the mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses the information as inputs into the risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level communicates the Profile implementation progress to the business/process level. The business/process level uses this information to perform an impact assessment. Business/process level management reports the outcomes of that impact assessment to the executive level to inform the organization’s overall risk management process and to the implementation/operations level for awareness of business impact.


Figure 2: Healthcare Implementation Process

The graphic illustrates how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.

  • Step 1: Prioritize and Scope
  • Step 2: Orient
  • Step 3: Create Target Profile
  • Step 4: Conduct Risk Assessment
  • Step 5: Create Current Profile
  • Step 6: Determine, Analyze and Prioritize Gaps
For more information, please refer to pages 14-15 of the NIST Cybersecurity Framework.



Figure 4: Relating Cybersecurity Risk to Other Forms of Business Risk

Risk Types
 Strategic Risk:
Organizational strategies may not support business objectives
Operations Risk:
Degradation of day-to-day operations (typically related to cash flow)		 Reporting Risk:
Adverse Impact on credit & cash management
 Compliance Risk:
Adverse outcomes of regulatory or contractual non-compliance
Cybersecurity Risk:
Compromise or unauthorized disclosure of sensitive information and related concerns
 (e.g., potential risk to planned M&A or divestment) (e.g., potential risk to continuity of operations)
 (e.g., potential risk to accuracy of financial reporting.)
 (e.g., potential risk of fines & penalties.)



Figure 5: Example NIST Cybersecurity Framework Scorecard

The NIST Cybersecurity Framework Scored is organized by function, category and level of compliance. 


Figure 6: Generic Implementation Process

  • Step 1: Prioritize and Scope
  • Step 2: Orient
  • Step 3: Create Target Profile
  • Step 4: Conduct Risk Assessment
  • Step 5: Create Target Profile
  • Step 6: Determine, Analyze and Prioritize Gaps
  • Step 7: Implement Action Plan