A. See the section, Potential Benefits of Health Care’s Implementation of
the NIST Cybersecurity Framework.
A. The guide is intended to help HPH sector organizations understand and
leverage the NIST Cybersecurity Framework’s Informative References to
support implementation of a sound cybersecurity program that addresses
the five core Function areas of the NIST Cybersecurity Framework; ensure
alignment with national standards; help organizations assess and improve
their level of cyber resiliency; and suggest how HPH sector
organizations can link cybersecurity with their overall information
security and privacy risk management activities. The guide will also
help an organization’s leadership understand NIST Cybersecurity
Framework terminology, concepts, and benefits; assess the organization’s
current and target cybersecurity posture; identify gaps in current
programs and workforce; and identify current practices that meet or
exceed NIST Cybersecurity Framework requirements.
A. This guide was developed specifically for HPH sector organizations of
all sizes. However, the NIST Cybersecurity Framework is not
sector-specific and can be applied across many types of organizations.
A. Industry regulators and standards bodies recognize that full
implementation of a prescriptive, control-based Informative Reference
may be difficult for many small health care organizations. For example,
while ISO does not publish its own guidance for small businesses, the
European Digital SME Alliance[105]
publishes ISO/IEC 27001 implementation guidance for small and medium
enterprises (SMEs).[106] NIST does
publish its own small business information security guidance[107] in partnership with the U.S. Small
Business Administration (SBA),[108] and HHS
provides small and medium business (SMB) guidance[109] as well.
Private-public guidance specific to small health care organizations such
as physician practices has also been produced and is discussed at more
length in
Appendix
H – Small Health care Organization Cybersecurity Guidance.
A. The NIST Cybersecurity Framework should be implemented
organization-wide; however, controls from one or more Informative
References should be tailored and scoped for specific business units and
systems/applications (or similar groups of business units and
systems/applications) so that controls are not specified where they are
not needed. In fact, many organizations implement their cybersecurity
programs incrementally across the organization and its
systems/applications over time, based on resource (personnel and
funding) constraints.
A. Yes, the Joint HPH Cybersecurity WG considers this guide to be a
“living” document and subject to update, as needed (e.g., when there are
updates to the NIST Cybersecurity Framework), to best serve the health
care industry.
A. An ISO/IEC 27001-certified organization will have a mature Information
Security Management System in place and should have a basic set of
information security controls in place. However, an ISO-certified
organization has considerable flexibility in how much risk it is willing
to accept, and consequently it may not have implemented an
industry-acceptable level of due care. Such an organization’s
implementation of the NIST Cybersecurity Framework will help ensure it
fully addresses the high-level objectives specified by the NIST
Cybersecurity Framework’s Core Subcategories, and implementation of the
NIST Cybersecurity Framework through a tailored control overlay will
help ensure the organization meets industry standards for due care and
due diligence. See the section, Potential Benefits of Health Care’s
Implementation of the NIST Cybersecurity Framework for more information.
A. No organization is ever “fully secure.” The NIST Cybersecurity
Framework provides high-level guidance for the implementation of an
organization’s cybersecurity program that will help ensure comprehensive
coverage of information security and privacy; however, the NIST
Cybersecurity Framework must be supported by more prescriptive,
control-based frameworks such as those listed in NIST’s Online
Informative Reference Catalog.[110]
The quality of an organization’s cybersecurity program will also depend
on other factors, such as the organization’s leadership commitment,
culture, operational environment, enterprise architecture, and available
resources (personnel and funding).
A. This guide is different in that it shows how a control-based
Informative Reference can be used to implement an information protection
program fully consistent with and reportable through the NIST
Cybersecurity Framework.
A. Implementation of the NIST Cybersecurity Framework and the HPH
Sector-specific guidance may help support an organization’s assertions
around meeting a reasonable standard of due diligence and due care with
regulators and federal and state judiciaries.
With regard to state-level advantages, the 2018 Ohio Data Protection
Act[111] provides a legal safe harbor to
covered entities that implement a cybersecurity program[112] that contains administrative,
technical, and physical safeguards for the protection of both personal
information and restricted information and that reasonably conforms to
the NIST Cybersecurity Framework as well as several other public and
private sector frameworks.[113] Ohio was
followed by Connecticut in July 2021 with the passage of H.B. No. 6607,
An Act Incentivizing the Adoption of Cybersecurity Standards for
Business.[114]
A. Each organization’s cybersecurity resources, capabilities, and
needs are different. The time to implement the Framework will vary among
organizations, ranging from as short as a few weeks to several years.
The Framework Core’s hierarchical design enables organizations to
apportion the steps between current state and desired state in a way
that is appropriate to their resources, capabilities, and needs. This
allows organizations to develop a realistic action plan to achieve
Framework outcomes in a reasonable time frame, and then build upon that
success in subsequent activities.
A. The guidance applies to all locations and systems/applications with
PHI or any other type of sensitive information that requires similar
levels of protection, such as PII, federal tax data, payment card data,
corporate financial data, and trade secrets. The organization would
simply not apply controls for data types that are not relevant to
the business unit or system/application. It is important to note that
this statement should not be viewed as legal advice regarding the
protection of data that is subject to different statutory and regulatory
protection mandates. It should also be noted that systems not containing
sensitive information can still present risks to the organization and
should not be overlooked. Unsecured systems can easily become the “weak
link” that gives a malicious actor or malware a foothold from which to
propagate throughout the environment and eventually compromise
sensitive information.
A. It depends on the size and complexity of the organization. Small,
relatively non-complex organizations with low risk could probably get by
with standard office tools such as word processors, spreadsheets, and
presentation software. However, larger organizations, especially those
that are complex and/or have high inherent risk, would benefit from
using a GRC-type application early in their cybersecurity program
implementation. A good GRC tool will help an organization manage its
policies and procedures, controls, control gaps and remediation plans,
as well as internal and external reporting requirements. The GRC tool
should also support workflow management and provide metrics and
dashboards relevant to the various stakeholders in the organization
(e.g., executive management and the board of directors).
A. Actually, the definition of cybersecurity is becoming quite broad.
CNSSI No. 4009 defines cybersecurity as:
(The) prevention of damage to, protection of, and restoration of
computers, electronic communications systems, electronic
communications services, wire communication, and electronic
communication, including information contained therein, to
ensure its availability, integrity, authentication,
confidentiality, and nonrepudiation.[115]
In fact, the DoD has transitioned from the term “information assurance”
to the term “cybersecurity.”[116] However,
there are still some subtle differences between the two. Fortunately,
robust Informative References like those listed in NIST’s catalog of
Informative References[117] provide a complete set of
information security controls that address all types of information
security threats, not just those traditionally associated with
cybersecurity. Therefore, implementing the recommendations in the guide
will support a comprehensive as well as robust information protection
program. Use of commercial examples should not be construed as HHS
endorsement. Readers should refer to the NIST OLIR Catalog for further
information.
A. NIST does not offer any type of certification for the NIST
Cybersecurity Framework; however, commercial, private-sector options are
available.
A. Yes. The approach was developed for use by organizations ranging from
the largest to the smallest. NIST has a long-standing and
ongoing effort supporting small business cybersecurity, carried out
by providing guidance through websites, publications,
meetings, and events. This includes the
Small Business Cybersecurity Corner[118] website
(https://www.nist.gov/itl/smallbusinesscyber), which gathers a variety
of government and other cybersecurity resources for small businesses in
one place, including the FTC’s information about how small businesses
can make use of the Cybersecurity Framework. Small businesses also may
find Small Business Information Security: The Fundamentals (NISTIR 7621
Rev. 1) a valuable publication for understanding important cybersecurity
activities; it is recommended as a starter kit for small businesses. The
publication works in coordination with the Framework because it is
organized according to the Framework Functions.
A. The amount and type of financial resources needed to implement the
approach outlined in this guide depend on the organization’s
inherent risk and the existing state of its information protection
program.
Some organizations may require external support from knowledgeable
professionals to implement an efficient and effective cybersecurity
program. The authors of this guide concur with HHS’ position that
provider organizations typically do not have this type of expertise “in
house,” and we recommend that an organization obtain the necessary
expertise from a reputable professional, such as a security consultancy,
if it does not have suitable resources available. That said, an
evaluation of an entity’s security safeguards need not be conducted by
an external third party, as an external evaluation could be too costly
for a smaller provider.
Professional certifications include those for general security, such as
the Information Systems Audit and Control Association’s (ISACA’s)
Certified Information Systems Auditor (CISA) and Certified Information
Security Manager (CISM) credentials,[118]
and the International Information Systems Security Certification
Consortium’s [(ISC)2’s] Certified Information Systems Security
Professional (CISSP) and Information Systems Security Management
Professional (CISSP-ISSMP) credentials.[119] Specialized certifications include
(ISC)2’s Health Care Information Security and Privacy
Professional (HCISPP).
A. NIST considers the terms synonymous.[120]
However, in common usage, “risk analysis” is often reserved
for the HIPAA-required risk analysis as well as for more specific or
targeted risk analyses, such as those used for the design or selection
of alternate (or compensating) controls and for risk acceptance. In
common practice, “risk assessment” often refers to the security controls
assessment[121] and gap analysis, which
are components or activities of the overall risk analysis process.
A. Yes. NIST provides a series of Cybersecurity Framework Frequently
Asked Questions.[122]