Additional Resources to Support Framework Use Goals

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

The use of the NIST Cybersecurity Framework’s Informative References along with other tools and approaches discussed previously is an important step that the HPH Sector organizations can take to align their cybersecurity programs with existing sector-level goals and guidelines. The approaches below can also be used to increase knowledge and enhance cybersecurity practices. Inclusion of non-federal resources should not imply endorsement by HHS. Use of any of these resources is neither required by, nor guarantees compliance with, federal, state, or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations.

Center for Internet Security (CIS) Critical Security Controls (CSC) for Effective Cyber Defense:^[55] The Critical Controls for Effective Cyber Defense (the Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive attacks. They were developed and are maintained by a consortium of hundreds of security experts from across the public and private sectors. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.
DHS Cyber Resilience Review (CRR):^[56] The CRR is a no-cost, voluntary, non-technical assessment to evaluate an organization's operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals. The CRR assesses enterprise programs and practices across a range of ten domains including risk management, incident management, service continuity, and others. The assessment is designed to measure existing organizational resilience and provide a gap analysis for improvement based on recognized best practices.
Security Risk Assessment (SRA) Tool:^[57] The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable tool to help guide organizations through the HIPAA Security Rule risk assessment/analysis process. The SRA Tool presents a question about an organization’s activities for each HIPAA Security Rule standard and implementation specification, and then identifies what is needed to take corrective action for that particular item. Resources for each question help assessors understand the context of the question, consider the potential impacts to ePHI if the requirement is not met, and provides the actual safeguard language that The Security Risk Assessment Tool is intended for medium and small providers and is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks of the HIPAA Security Rule. DISCLAIMER: The SRA Tool is provided for informational purposes only. Use of this tool is neither required by, nor guarantees, compliance with federal, state, or local laws. (Note: the information presented may not be applicable or appropriate for all health care providers and organizations.)
The Health Care and Public Health (HPH) Risk Identification and Site Criticality (RISC)^[58] Toolkit is an objective, data-driven all-hazards risk assessment that can be used by public and private organizations within the HPH Sector to inform emergency preparedness planning, risk management activities, and resource investments. The RISC Toolkit 1.0 contains three self-assessment modules. These allow users to identify external threats and internal hazards specific to their site by using objective national-level data; assess the vulnerability of their site based on industry standards and guidance; and evaluate the criticality of and consequences to their site in the event of an incident. The RISC Toolkit compares multiple facilities across systems, coalitions, and regions to identify dependencies and interdependencies in a consistent and repeatable method to help create a more resilient health care system. One of the key elements of the RISC Toolkit is a focus on cyber vulnerabilities.
Health Industry Cybersecurity Practices (HICP):^[59] Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes. The publication includes a main document, two technical volumes, and resources and templates. The HICP examines cybersecurity threats and vulnerabilities that affect the health care industry. It explores five current threats and presents 10 practices to mitigate those threats. Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations discusses the 10 Cybersecurity Practices along with Sub-Practices for small health care organizations. Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations does the same for these larger entities. HICP also provides a variety of cybersecurity resources and templates in a separate volume, as well as a HICP Threat Mitigation Matrix intended to help organizations prioritize their cyber threats and develop their own action plans. (As of this writing, the tool is still under development. To receive an advance copy, please contact the developers via email at CISA405d@hhs.gov.)
Health Sector Cybersecurity Coordination Center (HC3):^[60] The Health Sector Cybersecurity Coordination Center (HC3) was created by HHS to aid in the protection of vital, health care-related controlled information and ensure that cybersecurity information sharing is coordinated across the Health and Public Health (HPH) Sector. Its mission is to support the defense of the health care and the public health sector’s information technology infrastructure by strengthening coordination and information sharing within the sector and by cultivating cybersecurity resilience, regardless of organizations’ technical capacity. Products developed by the HC3 can be found at http://www.hhs.gov/hc3.
ISO 27799:^[61] ISO 27799:2016 provides technology-neutral implementation guidance for the controls described in ISO/IEC 27002 and supplements them where necessary, so that they can be effectively used for managing health information security. By implementing ISO 27799:2016, health care organizations and other custodians of health information will be able to ensure a minimum requisite level of security that is appropriate to their organization's circumstances and that will maintain the confidentiality, integrity, and availability of personal health information in their care. It applies to health information in all its aspects, whatever form the information takes (words and numbers, sound recordings, drawings, video, and medical images), whatever means are used to store it (printing or writing on paper or storage electronically), and whatever means are used to transmit it (by hand, through fax, over computer networks, or by post), as the information should always be appropriately protected. The following areas of information security are outside the scope of ISO 27799:2016:

Methodologies and statistical tests for effective anonymization of personal health information;
Methodologies for pseudonymization of personal health information (see Bibliography for a brief description of a Technical Specification that deals specifically with this topic);
Network quality of service and methods for measuring availability of networks used for health informatics; and
Data quality (as distinct from data integrity).

Medical Device and Health IT Joint Security Plan:^[62] The Joint Security Plan (JSP) provides recommendations intended to aid health care organizations (e.g., medical device manufacturers, health IT vendors, and health care providers) in enhancing cybersecurity for their software-based medical technologies (products) irrespective of their size or maturity. It is intended to be globally applicable, inspire organizations to ‘raise the bar’ for product cybersecurity to meet specific cybersecurity challenges, including but not limited to transparency and disclosure between vendors and end users and security by design throughout the product lifecycle. Specifically, the JSP is a total product lifecycle reference guide to developing, deploying, and supporting cyber secure technology solutions in the health care environment:

Cybersecurity practices in design and development of medical technology products.
Handling product complaints relating to cybersecurity incidents and vulnerabilities.
Managing security risk throughout the lifecycle of medical technology; and
Assessing the maturity of a product cybersecurity program.

Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM):^[63] The Health Sector Coordinating Council’s HIC-SCRiM toolkit is intended for small to mid-sized health care institutions to better ensure the security of the products and services they procure through an enterprise supply chain cybersecurity risk management program that maps to the NIST CSF.