Sign In
U.S. Department of Health & Human Services
It looks like your browser does not have JavaScript enabled. Please turn on JavaScript and try again.
Critical Infrastructure Protection
HPH Cybersecurity Framework Implementation Guide
Currently selected
HPH Sector Cybersecurity Framework Implementation Guide: Foreword
HPH Sector Cybersecurity Framework Implementation Guide: Cautionary Note
HPH Sector Cybersecurity Framework Implementation Guide: Acknowledgements
HPH Sector Cybersecurity Framework Implementation Guide: Background
HPH Sector Cybersecurity Framework Implementation Guide: Purpose
HPH Sector Cybersecurity Framework Implementation Guide: Version History
HPH Sector Cybersecurity Framework Implementation Guide: Introduction
HPH Sector Cybersecurity Framework Implementation Guide: Health Sector Cybersecurity Framework Implementation
HPH Sector Cybersecurity Framework Implementation Guide: Additional Resources
HPH Sector Cybersecurity Implementation Guide: Informing Existing Sector Efforts
HPH Sector Cybersecurity Implementation Guide: Conclusion
HPH Sector Cybersecurity Implementation Guide: Appendix A
HPH Sector Cybersecurity Implementation Guide: Appendix B
HPH Sector Cybersecurity Framework Implementation Guide: Appendix C
HPH Sector Cybersecurity Framework Implementation Guide: Appendix D
HPH Sector Cybersecurity Framework Implementation Guide: Appendix E
HPH Sector Cybersecurity Framework Implementation Guide: Appendix F
HPH Sector Cybersecurity Framework Implementation Guide: Appendix G
HPH Sector Cybersecurity Framework Implementation Guide: Appendix H
HPH Sector Cybersecurity Framework Implementation Guide: Appendix I
RISC Toolkit 1.0
Reference Materials
RISC Toolkit 2.0
RISC Toolkit Evolution (Text Version)
Preparing for the 2022 Hurricane Season with Lessons Learn from the Hurricane Ida Response
About the Division of Critical Infrastructure Protection
Critical Infrastructure Protection Division Structure
Infrastructure Analysis and Partnerships Branch
Healthcare Sector Preparedness and Response Branch
Cybersecurity
Supply Chain
Risk Analysis and Management
Critical Infrastructure Protection Division Core Activities
Critical Infrastructure Protection Priority Focus Area
Critical Infrastructure Protection Communications
Critical Infrastructure Protection Resources
ASPR Critical Infrastructure Protection Bulletins
Toggle navigation
CIP
Health Care and Public Health (HPH) Sector Cybersecurity Framework Implementation Guide
HPH Sector Cybersecurity Framework Implementation Guide
Version 2
March 2023
Download the PDF
Table of Contents
Cautionary Note
Acknowledgements
Foreword
Background
Purpose
Version History
Introduction
Overview
Executive Orders and Mandates
Potential Benefits of Health Care’s Implementation of the NIST Cybersecurity Framework
Key Elements of a Cybersecurity Program
Ability to Incorporate Cyber-Physical Aspects of Cybersecurity
Health Sector Cybersecurity Framework Implementation
Overview
Implementation Process
Implementation Conclusion
Additional Resources to Support Framework Use Goals
Informing Existing Sector Efforts
Conclusion
Appendix A: Reference List
Appendix B: Glossary of Terms
Appendix C: NIST Cybersecurity Framework Basics
NIST Cybersecurity Framework Structure and Terminology
Generic Implementation
Appendix D: NIST Online Informative References (OLIR)
Appendix E: Health Care Cybersecurity Framework Structure
Appendix F: HIPAA Security Rule Mapping
Appendix G: Summary of Health Care Implementation Activities
Appendix H: Small Health Care Organization Cybersecurity Guidance
Appendix I: Executive Marketing/Summary Template
Cybersecurity - An Increasing Risk
Standing Up a Cybersecurity Program to Reduce Risk
Leveraging the NIST Cybersecurity Framework
Summary
Appendix J: Communications Plan - Template
Purpose
Scope
Objectives
Roles and Responsibilities
Audience
Communication Phases of Implementation
Core Messages and Vehicles
Calendar of Events
Appendix K: Frequently Asked Questions
Tables and Figures
List of Tables
Table 1. Step 1: Prioritize and Scope Inputs, Activities, and Outputs
Table 2. Step 2: Orient Inputs, Activities, and Outputs
Table 3. Step 3: Target Profile Inputs, Activities, and Outputs
Table 4. Step 4: Risk Assessment Inputs, Activities, and Outputs
Table 5. Step 5: Current Profile Inputs, Activities, and Outputs
Table 6. Step 6: Gap Analysis Inputs, Activities, and Outputs
Table 7. NIST Maturity Levels
Table 8. Achievement Scales
Table 9. Step 7: Implement Action Plan Inputs, Activities, and Outputs
Table 10. Health Care Implementation Activities by Step
Table 11. Relationship of Cyber Implementation and HHS Risk Analysis Elements
Table 12. NIST Cybersecurity Framework Core Functions
Table 13. Roles and Responsibilities
Table 14. Phased Communication Goals
Table 15. Vehicle Selection
Table 16. Communication Vehicles
List of Figures
Figure 1. Notional Information and Decision Flows within an Organization
Figure 2. Health Care Implementation Process
Figure 3. NIST Risk Management Framework
Figure 4. Relating Cybersecurity Risk to Other Forms of Business Risk
Figure 5. Example NIST Cybersecurity Framework Scorecard
Figure 6. Generic Implementation Process
Figure 7. Relationship between NIST Cybersecurity Framework and Informative References
