Skip to main content
Sign In

An official website of the United States government

U.S. Department of Health & Human Services

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Acknowledgements

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide


In 2015, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework") in response to a requirement of Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity. EO 13636 also called on Sector Specific Agencies (SSAs) like the U.S. Department of Health and Human Services (HHS) to “coordinate with the Sector Coordinating Councils (SCCs) to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments."

The Risk Management (RM) Sub-Working Group (SG) was formally chartered under CIPAC under the Joint HPH Cybersecurity Working Group (WG) in late 2015 to produce the Health Care Sector Cybersecurity Framework Implementation Guide (Sector Guide) to help Health Care and Public Health (HPH) Sector organizations implement the NIST Cybersecurity Framework in accordance with EO 13636.

Initially released in February 2016 as Version (Ver.) 1, a 508-compliant version, Ver. 1.1 with additional minor updates and corrections was published in May 2016. The Joint HPH Cybersecurity WG was later re-chartered under CIPAC as the HPH Sector Coordinating Council (HSCC) Joint Cyber WG (JCWG) and the original RM SG was renamed as Task Group 1A (TG-1A) under the JCWG in 2018.

TG-1A members who assisted with the development and internal review of this major new release, Ver 2.0, of the Sector Guide include:

Alexander Reniers, U.S. Dept. of Homeland Security (DHS)
Anna Verrichia, Merck
Dr. Bryan Cline, HITRUST (TG-1A Chair)
Cathlynn Nigh, Beyond LLC
Dr. Claude Council, Shriner's Hospitals for Children
Clay Ramsey, Health Management Systems
Clyde Hewitt, CynergisTek / NCHICA
David Leonard, Anthem Inc.
Dwayne Stevens, Westcare Foundation
Gagandeep Goyal, Idaho College of Osteopathic Medicine
Greg Garcia, HSCC (JCWG Cybersecurity Director)
Henry Sprafkin, Clearwater Compliance
Jon Moore, Clearwater Compliance
Kevin Dang, HHS
Larry Tritschuh, Health Equity

LassineCherif, DC Primary Care Association
Leo Dittemore, Agilon Health
Lenny Levy, Unaffiliated (Direct Patient Care)
Marilyn Zigmund Luke, America’s Health Insurance Plans (AHIP)
Michael McNeil, Royal Phillips
Mitchell Parker, Indiana University of Health
Murali Balakrishnan, TIDI Products
Paul Curylo, INOVA Health System
Phil Meadows, Charleston Area Medical Center
Quang Tran, National Committee for Quality Assurance (NCQA)
Ramakrishnan Pillai, Elekta
Rich Curtiss, Coalfire Systems, Inc.
Ron Yeager, HonorHealth
Sonia Sadana, PNC Bank
Steve Abrahamson, GE Health Care
Ty Greenhalgh, Cyber Tyger, LLC

Government Coordinating Council (GCC) organizations that conducted formal reviews of this document include the U.S. Food and Drug Administration (FDA), the Office for Civil Rights (OCR), the HHS Administration for Strategic Preparedness and Response (ASPR), the HHS Office of the Chief Information Officer (CIO), the Centers for Medicare & Medicaid Services, the Office of the National Coordinator​ for Health Information Technology (ONC), the National Institute of Standards and Technology (NIST), and the HHS Office for Civil Rights (OCR).

<< Back                                                                                                                                                                              Next >>



CIP Right-Nav

HPH Sector Cybersecurity Framework Implementation Guide