Skip to main content

Appendix G: Summary of Health Care Implementation Activities

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide


Table 10 consolidates health care implementation activities for all steps in the NIST Cybersecurity Framework implementation process.

Table 10. Health Care Implementation Activities by Step
Implementation Process Steps Inputs Activities Outputs

Step 1: Prioritize and Scope

  1. Risk management strategy
  2. Organizational objectives and priorities
  3. Asset inventory
  4. Informative Reference(s)
  1. Organization determines where it wants to apply the Informative Reference(s) to evaluate and potentially guide the improvement of the organization’s capabilities
  2. Threat analysis
  3. Business impact analysis
  4. System categorization (based on sensitivity & criticality)
  1. Usage scope
  2. Unique threats

Step 2: Orient
  1. Usage scope
  2. Risk management strategy
  3. Informative Reference(s)
  1. Organization identifies in-scope systems and assets (e.g., people, information, technology, and facilities) and the appropriate regulatory and other authoritative sources (e.g., cybersecurity and risk management standards, tools, methods, and guidelines)
  1. In-scope systems and assets
  2. In-scope requirements (e.g., organizational, system, regulatory)

Step 3: Create a Target Profile
  1. Organizational objectives
  2. Risk management strategy
  3. Detailed usage scope
  4. Unique threats
  5. Informative Reference(s)
  1. Organization selects one or more Informative References and creates a tailored overlay based on a risk analysis that considers the unique threats identified in the prioritization and scoping phase
  2. Organization determines level of effectiveness or maturity desired in the selected controls
  1. Target Profile (Tailored overlay of one or more Informative References)
  2. Target Tier

Step 4: Conduct a Risk Assessment
  1. Detailed usage scope
  2. Risk management strategy
  3. Target Profile
  4. Informative Reference(s)
  1. Perform a risk assessment for in-scope systems and organizational elements
  1. Risk assessment reports

Step 5: Create a Current Profile
  1. Risk assessment reports
  2. Informative Reference(s)
  1. Organization identifies its current cybersecurity and risk management state
  1. Current Profile (Implementation status of selected controls)
  2. Current Tier (Implementation maturity of selected controls, mapped to NIST Cybersecurity Framework Implementation Tier model)

Step 6: Perform Gap Analysis
  1. Current Profile
  2. Target Profile
  3. Organizational objectives
  4. Impact to critical infrastructure
  5. Gaps and potential consequences
  6. Organizational constraints
  7. Risk management strategy
  8. Risk assessment/analysis reports
  9. Informative Reference(s)
  1. Analyze gaps between Current and Target Profiles in organization’s context
  2. Evaluate potential consequences from gaps
  3. Determine which gaps need attention
  4. Identify actions to address gaps
  5. Perform cost-benefit analysis (CBA) or similar analysis on actions
  6. Prioritize actions (CBA or similar analysis and consequences
  7. Plan to implement prioritized actions
  1. Prioritized gaps and potential consequences
  2. Prioritized implementation plan

Step 7: Implement Action Plan
  1. Prioritized implementation plan
  2. Informative Reference(s)
  1. Implement actions by priority
  2. Track progress against plan
  3. Monitor and evaluate progress against key risks using metrics or other suitable performance indicators
  1. Project tracking data
  2. New security measures implemented

Table 11 correlates the NIST Cybersecurity Framework implementation process with the elements of a risk analysis that accommodate the use of NIST Cybersecurity Framework Core Informative References.

Table 11. Relationship of Cyber Implementation and HHS Risk Analysis Elements
Cyber Implementation Process Risk Analysis Elements
  • Prioritize & Scope
  • Conduct a complete inventory of where ePHI is processed
  • Perform a BIA on all systems with ePHI (criticality)
  • Categorize & evaluate these systems based on sensitivity & criticality
  • Orient
  • Create a Target Profile
  • Select an appropriate framework baseline set of controls
  • Apply an overlay based on a targeted assessment of threats unique to the organization
  • Conduct a Risk Assessment
  • Evaluate residual risk
  • Create a Current Profile
  • Perform Gap Analysis
  • Rank risks and determine risk treatments
  • Make contextual adjustments to likelihood & impact, if needed, as part of the corrective action planning process
  • Implement Action Plan
  • Implement corrective actions and monitor the threat environment

<< Back                                                                                                                                                                              Next >>