Cybersecurity Framework Implementation Guide Helps Healthcare Organizations Manage Risk

April 2023, Vol 13, No 4
Copyright © 2023 Healthcare Information and Management Systems Society, Inc. Reprinted with permission.

The Health Sector Coordinating Council (HSCC) Cybersecurity Working Group and the US Department of Health and Human Services (HHS) jointly released a guide to help the public and private healthcare sectors align their cybersecurity programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

The Cybersecurity Framework Implementation Guide provides specific steps that healthcare organizations can take immediately to manage cyber risks to their information technology systems and reduce the number of cyber incidents affecting the sector.[1] Recent high-profile cyberattacks reinforce the need for health providers and organizations to assess their cyber health and take actions to improve cybersecurity.

The guide was jointly developed by the HHS and HSCC—a public–private partnership for critical infrastructure protection. The NIST and other federal agencies contributed substantially to its content.

“This publication is an example of an innovative partnership that industry and government leveraged to develop actionable recommendations for higher competency and accountability in healthcare cybersecurity,” said Erik Decker, Chair, HSCC Cybersecurity Working Group, and Chief Information Security Officer, Intermountain Healthcare, Salt Lake City, UT. “The guide supplements an earlier joint publication of the HHS/HSCC 405(d) Program—the Health Industry Cybersecurity Practices—which is aligned with the NIST Cybersecurity Framework. With this toolkit, organizations of all sizes can implement cybersecurity best practices, protect their patients, and make the sector more resilient.”

The 2018 NIST Framework for Improving Critical Infrastructure Cybersecurity is a risk management model that has become the standard for government agencies and industry in managing cybersecurity risks. The guide released in March 2023 adapts the 2018 NIST Framework for healthcare organizations.

Using the new guide, healthcare organizations can assess their current cybersecurity practices and risks and identify gaps for remediation. The guide serves as a roadmap for healthcare and private health sector organizations to implement the NIST Cybersecurity Framework, including:

  • Guiding risk management principles and best practices
  • Providing common language to address and manage cybersecurity risk
  • Outlining a structure for organizations to understand and apply cybersecurity risk management
  • Identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs.

Reference

  1. Administration for Strategic Preparedness & Response. Health care and public health sector cybersecurity framework implementation guide. Version 2. March 2023. https://aspr.hhs.gov/cip/hph-cybersecurity-framework-implementation-guide/Documents/HPH-Sector-CSF-Implementation-Guide-508.pdf. Accessed March 8, 2023.