This is archived ASPR content.
U.S. Department of Health & Human Services
Health Care and Public Health (HPH) Sector Cybersecurity Framework Implementation Guide
Version 2
March 2023
Table of Contents
Cautionary Note
Acknowledgements
Foreword
Background
Purpose
Version History
Introduction
Overview
Executive Orders and Mandates
Potential Benefits of Health Care’s Implementation of the NIST Cybersecurity Framework
Key Elements of a Cybersecurity Program
Ability to Incorporate Cyber-Physical Aspects of Cybersecurity
Health Sector Cybersecurity Framework Implementation
Overview
Implementation Process
Implementation Conclusion
Additional Resources to Support Framework Use Goals
Informing Existing Sector Efforts
Conclusion
Appendix A: Reference List
Appendix B: Glossary of Terms
Appendix C: NIST Cybersecurity Framework Basics
NIST Cybersecurity Framework Structure and Terminology
Generic Implementation
Appendix D: NIST Online Informative References (OLIR)
Appendix E: Health Care Cybersecurity Framework Structure
Appendix F: HIPAA Security Rule Mapping
Appendix G: Summary of Health Care Implementation Activities
Appendix H: Small Health Care Organization Cybersecurity Guidance
Appendix I: Executive Marketing/Summary Template
Cybersecurity - An Increasing Risk
Standing Up a Cybersecurity Program to Reduce Risk
Leveraging the NIST Cybersecurity Framework
Summary
Appendix J: Communications Plan - Template
Purpose
Scope
Objectives
Roles and Responsibilities
Audience
Communication Phases of Implementation
Core Messages and Vehicles
Calendar of Events
Appendix K: Frequently Asked Questions
Tables and Figures
List of Tables
Table 1. Step 1: Prioritize and Scope Inputs, Activities, and Outputs
Table 2. Step 2: Orient Inputs, Activities, and Outputs
Table 3. Step 3: Target Profile Inputs, Activities, and Outputs
Table 4. Step 4: Risk Assessment Inputs, Activities, and Outputs
Table 5. Step 5: Current Profile Inputs, Activities, and Outputs
Table 6. Step 6: Gap Analysis Inputs, Activities, and Outputs
Table 7. NIST Maturity Levels
Table 8. Achievement Scales
Table 9. Step 7: Implement Action Plan Inputs, Activities, and Outputs
Table 10. Health Care Implementation Activities by Step
Table 11. Relationship of Cyber Implementation and HHS Risk Analysis Elements
Table 12. NIST Cybersecurity Framework Core Functions
Table 13. Roles and Responsibilities
Table 14. Phased Communication Goals
Table 15. Vehicle Selection
Table 16. Communication Vehicles
List of Figures
Figure 1. Notional Information and Decision Flows within an Organization
Figure 2. Health Care Implementation Process
Figure 3. NIST Risk Management Framework
Figure 4. Relating Cybersecurity Risk to Other Forms of Business Risk
Figure 5. Example NIST Cybersecurity Framework Scorecard
Figure 6. Generic Implementation Process
Figure 7. Relationship between NIST Cybersecurity Framework and Informative References