HHS, through the Administration for Strategic Preparedness and Response (ASPR), and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group released the Cybersecurity Framework Implementation Guide to help the health care sector manage cybersecurity risks amid an increasingly sophisticated threat landscape.
The guide aims to help health care organizations align their cyber programs with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
The publication is not intended to replace other cybersecurity programs or to serve as a roadmap to compliance, the guide states. Rather, the voluntary guidance is meant to help health care organizations bolster their existing programs and reduce risk by aligning the sector's practices with the NIST framework.
HHS and HSCC described the guide as a “roadmap for health care and private health sector organizations to implement the NIST Cybersecurity Framework.”
Specifically, the guidance aims to help organizations identify and implement risk management best practices, provide a common language to manage cyber risk, and outline effective standards to manage risk in a cost-effective manner.
Health care cybersecurity experts have long championed the value of the NIST CSF in a health care setting. The framework is used across a variety of industries and organization sizes and can help the sector communicate risk in a more streamlined manner.
The publication points out numerous incentives for using the framework, such as the potential for reductions in cybersecurity insurance premiums and prioritized technical assistance from the federal government.
The new guidance can also be used in conjunction with the variety of other publicly available cyber guidance, such as the Health Industry Cybersecurity Practices (HICP) guidance, a four-volume publication that was jointly published by HHS and HSCC in 2019 which also aligns with the NIST CSF.
While entirely voluntary, organizations that choose to leverage the Framework Implementation Guide may be able to better manage cyber risk and improve their security programs.