U.S. Department of Health & Human Services
Health Care and Public Health (HPH) Sector Cybersecurity Framework Implementation Guide
Version 2
March 2023
Table of Contents
Cautionary Note
Acknowledgements
Foreword
Background
Purpose
Version History
Introduction
Overview
Executive Orders and Mandates
Potential Benefits of Health Care’s Implementation of the NIST Cybersecurity Framework
Key Elements of a Cybersecurity Program
Ability to Incorporate Cyber-Physical Aspects of Cybersecurity
Health Sector Cybersecurity Framework Implementation
Overview
Implementation Process
Implementation Conclusion
Additional Resources to Support Framework Use Goals
Informing Existing Sector Efforts
Conclusion
Appendix A: Reference List
Appendix B: Glossary of Terms
Appendix C: NIST Cybersecurity Framework Basics
NIST Cybersecurity Framework Structure and Terminology
Generic Implementation
Appendix D: NIST Online Informative References (OLIR)
Appendix E: Health Care Cybersecurity Framework Structure
Appendix F: HIPAA Security Rule Mapping
Appendix G: Summary of Health Care Implementation Activities
Appendix H: Small Health Care Organization Cybersecurity Guidance
Appendix I: Executive Marketing/Summary Template
Cybersecurity - An Increasing Risk
Standing Up a Cybersecurity Program to Reduce Risk
Leveraging the NIST Cybersecurity Framework
Summary
Appendix J: Communications Plan - Template
Purpose
Scope
Objectives
Roles and Responsibilities
Audience
Communication Phases of Implementation
Core Messages and Vehicles
Calendar of Events
Appendix K: Frequently Asked Questions
Tables and Figures
List of Tables
Table 1. Step 1: Prioritize and Scope Inputs, Activities, and Outputs
Table 2. Step 2: Orient Inputs, Activities, and Outputs
Table 3. Step 3: Target Profile Inputs, Activities, and Outputs
Table 4. Step 4: Risk Assessment Inputs, Activities, and Outputs
Table 5. Step 5: Current Profile Inputs, Activities, and Outputs
Table 6. Step 6: Gap Analysis Inputs, Activities, and Outputs
Table 7. NIST Maturity Levels
Table 8. Achievement Scales
Table 9. Step 7: Implement Action Plan Inputs, Activities, and Outputs
Table 10. Health Care Implementation Activities by Step
Table 11. Relationship of Cyber Implementation and HHS Risk Analysis Elements
Table 12. NIST Cybersecurity Framework Core Functions
Table 13. Roles and Responsibilities
Table 14. Phased Communication Goals
Table 15. Vehicle Selection
Table 16. Communication Vehicles
List of Figures
Figure 1. Notional Information and Decision Flows within an Organization
Figure 2. Health Care Implementation Process
Figure 3. NIST Risk Management Framework
Figure 4. Relating Cybersecurity Risk to Other Forms of Business Risk
Figure 5. Example NIST Cybersecurity Framework Scorecard
Figure 6. Generic Implementation Process
Figure 7. Relationship between NIST Cybersecurity Framework and Informative References