Sign In

An official website of the United States government

U.S. Department of Health & Human Services

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Health Sector Cybersecurity Framework Implementation

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

While the generic cybersecurity framework implementation approach outlined in Appendix C – NIST Cybersecurity Framework Basics works well for organizations that design or specify their own controls, it does not work as well (i.e., most efficiently) for those organizations that leverage external control frameworks such as those provided by the NIST Cybersecurity Framework's Informative References[34]. Fortunately, this generic implementation approach can be modified to accommodate a controlled framework-based approach to risk analysis and control specification.

The primary reason for the modification is that, for those organizations that already leverage or intend to leverage one or more Informative References, Target Profiles are easily obtained once organizations are able to scope their organization and systems and then tailor the Informative Reference(s) to address any unique threats/risks. There is no need to develop a Current Profile beforehand. Placement of the Current and Target Profiles can subsequently be reversed, although some basic information about the state of the organization's cybersecurity program will necessarily be ascertained before the Target Profile is complete.


Implementation Process

The Cybersecurity Framework can be used to compare an organization's current cybersecurity activities with those outlined in the Framework Core. Through the creation of a Current Profile, organizations can examine the extent to which they are achieving the outcomes described in the Core Categories and Subcategories, aligned with the five high-level Functions: Identify, Protect, Detect, Respond, and Recover. An organization may find that it is already achieving the desired outcomes, thus managing cybersecurity commensurate with the known risk. Alternatively, an organization may determine that it has opportunities to (or needs to) improve. The organization can use that information to develop an action plan to strengthen existing cybersecurity practices and reduce cybersecurity risk. An organization may also find that it is overinvesting to achieve certain outcomes and use this information to reprioritize resources. Figure 2 illustrates how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity.[35]

Figure 2. Health Care Implementation Process

The seven steps of the healthcare implementation process illustrated as circular flow chart.  


HPH Sector organizations leveraging Informative References[36] as the basis for their cybersecurity programs can use the following seven-step process for implementation depicted in Figure 2, which slightly modifies the general approach outlined in the NIST Cybersecurity Framework.[37]

As with the generic process, it is recommended that implementation include a plan to communicate progress to appropriate stakeholders, such as senior management, as part of its risk management program. In addition, each step of the process should provide feedback and validation to previous steps. 

Each step is now discussed in more detail, first introduced by Table 1 describing the step's inputs, activities, and outputs followed by additional explanation.[38] A table of the inputs, activities, and outputs for all seven steps is also included in Appendix G – Summary of Health Care Implementation Activities.

Table 3. Step 3: Target Profile Inputs, Activities, and Outputs
Inputs
Activities
Outputs
  1. Organizational objectives
  2. Risk management strategy
  3. Detailed usage scope
  4. Unique threats
  5. Informative Reference(s)
  1. Organization selects one or more Informative References and creates a tailored overlay based on a risk analysis that considers the unique threats identified in the prioritization and scoping phase
  2. Organization determines level of effectiveness or maturity desired in the selected controls
  1. Target Profile (Tailored overlay of one or more Informative References)
  2. Target Tier


The NIST Risk Management Framework (RMF) shown in Figure 3 below provides organizations an overarching risk management process that integrates security, privacy, and cyber supply chain risk[40] management activities into the system development life cycle. The risk-based approach to control selection and specification provided in the first three steps of the seven-step process - shown in Figure 4 in Step 4 - considers effectiveness, efficiency, and constraints due to applicable laws, regulations, policies, standards, contractual, and similar obligations. This RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.[41]

Figure 3. NIST Risk Management Framework

Infographic shows the seven RMF steps and descriptions  

The organization considers the cyber threats and subsequent risk to its operations as determined during the first two steps to create a tailored overlay of its selected Informative Reference(s) to account for any unique threats/risks (as compared to other, similar organizations that are the target(s) of the Informative Reference(s)). The Target Profile should include these practices as well.

However, information protection cannot be a “one size fits all" approach. For example, organizations, more often as not, have different information systems (or different implementations of similar systems), different business and compliance requirements, different cultures, and different risk appetites.[42]

For whatever reason an organization cannot implement a control specified by its selected Informative Reference(s), one or more compensating controls should be selected to address the risks posed by the threats the originally specified control was meant to address. (Note these compensating controls may already exist within the organization and should be leveraged appropriately.)

Organizations should be able to demonstrate the validity of a compensating control by way of a legitimate risk analysis that shows the control has the same level of rigor and addresses a similar type and level of risk as the original. Additionally, the compensating control must be something other than what may be required by other, existing controls specified in the tailored overlay of its selected Informative Reference(s).

The organization should determine the evaluation approach it will use to identify its current cybersecurity and risk management posture. Organizations can use any of several evaluation methods to identify their current cybersecurity posture and create a Current Profile. These include self-evaluations, where an organization may leverage its own resources and expertise; facilitated approaches, where the evaluation is assisted by a third party; or completely independent evaluations, such as those used to support certification or accreditation against the Informative Reference(s) or an American Institute of Certified Public Accountants (AICPA)[43] Service Organization Control 2 (SOC 2)[44] that uses the organization's selected Informative Reference(s) as the basis for assessment.[45]

The organization should also determine its goals for the Target Tier from the NIST Cybersecurity Framework and identify the equivalent levels of control maturity required to achieve those goals. This will generally involve mapping relevant controls from the organization's cybersecurity program to the topical areas (characteristics) addressed by the Tiers (i.e., Risk Management Process, Integrated Risk Management Program, and External Participation) and then evaluating these areas (characteristics) for their respective Tier (i.e., 1 – Partial, 2 – Risk Informed, 3 – Repeatable, and 4 – Adaptive):

  • Select an appropriate framework baseline set of controls
  • Apply an overlay based on a targeted assessment of threats unique to the organization


Implementation Conclusion

This implementation approach can help organizations leverage Informative References to establish a strong cybersecurity program or validate the effectiveness of an existing program. It enables organizations to map their existing program to the NIST Cybersecurity Framework, identify improvements, and communicate results. It can incorporate and align with processes and tools the organization is already using or plans to use.

The process is intended to be continuous, repeated according to organization-defined criteria (such as a specific period or a specific type of event) to address the evolving risk environment. Implementation of this process should include a plan to communicate progress to appropriate stakeholders, such as senior management, as part of its overall risk management program. In addition, each step of the process should provide feedback and validation to previous steps. Validation and feedback provide a mechanism for process improvement and can increase the overall effectiveness and efficiency of the process. Comprehensive and well-structured feedback and communication plans are a critical part of any cybersecurity risk management approach.


<< Back                                                                                                                                                                              Next >>


34 NIST (2022a). National Online Informative References Program, Informative Reference Catalog.

35  NIST (2022a). NIST (2018, Aug 16), p. 14.

36  NIST (Updated 2021, Dec 8). Informative References: What are they, and how are they used

37  NIST (2018, Apr 16), pp. 13-15.

38  The tables describing the activities in the 7-step implementation process are derived from DOE (2015).

39  HHS (2016, May).

40  For more information on aligning an enterprise supply chain cyber security program to the NIST CSF, see HSCC CWG (2020, Sep). Health Industry Cybersecurity Supply Chain Risk Management Guide Version 2.0 (HIC-SCRiM v2.0). 

41 NIST (2022b). NIST Risk Management Framework RMF.

42  For more information on risk appetite, see Stine, K., Quinn, Stephen, Witte, G., and Gardner, R. (2020, Oct).

43 AICPA (2020a). AICPA.

44 AICPA (2020b). SOC 2® - SOC for Service Organizations: Trust Services Criteria.

45 AICPA (2020c). SOC 2 Examination That Addresses Additional Subject Matters and Additional Criteria.

46 There are multiple approaches to evaluating risk:

  • For an example of a qualitative approach, see Alberts, C. and Dorofee, A. (2002). Managing Information Security Risks: The OCTAVE Approach. Boston: Addison-Wesley Professional.
  • For examples of a semi- or quasi-quantitative approach, see:
  • For an example of a quantitative approach, see Freund, J. and Jones, J. (2015). Measuring and Managing Information Risk: A FAIR Approach. Oxford: Elsevier, Inc.

47 JTF TI (2011, Mar). Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39). Gaithersburg, MD: NIST.

48  Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020, Oct), p. 2.

49  Ibid., pp. 42-43.

50 Quinn, S., Ivy, N., Barrett, M., Feldman, L. Witte, G., and Gardner, R. (2021, Nov). Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (NISTIR 8286A).

51  Stine, K., Quinn, Stephen, Witte, G., and Gardner, R. (2020, Oct), pp. 40-42.

52 Ibid., p. 17.

53  Bowen, P. and Kissel, R. (2007). Program Review for Information Security Management Assistance (PRISMA), NISTIR 7358, Wash., DC: NIST.

54  It’s important to note that ‘achievement’ is measured in terms of the control requirements the organization states it needs to achieve the outcomes specified by the Framework’s Core Subcategories, and those requirements should be based on an appropriate risk analysis.