
Cybersecurity Framework Implementation Guide Helps Healthcare Organizations Manage Risks


The Health Sector Coordinating Council Cybersecurity Working Group and the U.S. Department of Health and Human Services jointly released a guide to help the public and private healthcare sectors align their cybersecurity programs with the NIST Cybersecurity Framework.  

The Cybersecurity Framework Implementation Guide provides specific steps that healthcare organizations can take immediately to manage cyber risks to their information technology systems and reduce the number of cyber incidents affecting the sector. Recent high-profile cyberattacks reinforce the need for health providers and organizations to assess their cyber health and take actions to improve cybersecurity. 

The guide was jointly developed by HHS and HSCC, a public-private partnership for critical infrastructure protection. The National Institute of Standards and Technology and other federal agencies contributed substantially to its content.

“This publication is an example of an innovative partnership that industry and government leveraged to develop actionable recommendations for higher competency and accountability in healthcare cybersecurity,” said Erik Decker, HSCC Cybersecurity Working Group chair and Intermountain Healthcare chief information security officer. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program — the Health Industry Cybersecurity Practices — which is aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients and make the sector more resilient.”

The 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk management model that has become the standard for government agencies and industry in managing cybersecurity risks. The guide released today adapts the 2018 NIST Framework for healthcare organizations.  

Using the new guide, healthcare organizations can assess their current cybersecurity practices and risks and identify gaps for remediation. The guide serves as a roadmap for healthcare and private health sector organizations to implement the NIST Cybersecurity Framework, including: 

  • Guiding risk management principles and best practices 
  • Providing common language to address and manage cybersecurity risk 
  • Outlining a structure for organizations to understand and apply cybersecurity risk management 
  • Identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs
