
Introduction

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

The United States has seen a marked increase in the use of digital technologies and cyber-physical systems (CPS), which in health care increasingly take the form of networked medical devices. Hospitals rely on these systems to deliver continuous, high-quality care, and that reliance widens the exposure to cyber-attacks that target an organization's networks and systems to steal information or to disrupt, disable, or destroy the information resources that care depends on. As cyber threats grew, President Barack Obama directed the National Institute of Standards and Technology (NIST) to work with the private sector to develop the Framework for Improving Critical Infrastructure Cybersecurity,[12] also known as the Cybersecurity Framework.

The NIST Cybersecurity Framework provides an organizational cybersecurity risk management model that industries, sectors, and organizations can leverage to identify opportunities for improving cybersecurity risk management.

Executive Orders and Mandates

The following sections discuss the history of mandates and executive orders pertaining to the voluntary Cybersecurity Framework used to secure critical infrastructure.

Executive Order 13636: Improving Critical Infrastructure Cybersecurity

In its December 2011 report, "Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use"[13], the Government Accountability Office (GAO) found similarities in cybersecurity guidance and practices across multiple sectors.

In February 2013, President Obama issued Executive Order 13636,[15] calling for development of a voluntary Cybersecurity Framework providing a prioritized, flexible, repeatable, performance-based, and cost-effective approach for managing cybersecurity risks.

The Executive Order directed NIST to develop the Framework incorporating industry best practices. The Department of Homeland Security (DHS) was tasked with supporting adoption across critical infrastructure sectors through a voluntary program.

After multiple public workshops, NIST released the final Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 in February 2014, later updated to Version 1.1 in April 2018.

EO 13636 also directed development of a central repository of cybersecurity tools and resources through the Critical Infrastructure Cyber Community (C³) Voluntary Program.

Public Law 113-274: Cybersecurity Enhancement Act of 2014

This law reinforced NIST’s role in supporting voluntary, industry-led cybersecurity standards and best practices for critical infrastructure.

Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Issued in May 2017, EO 13800 focused federal efforts on supporting cybersecurity risk management for critical infrastructure while strengthening collaboration and workforce capabilities.

Public Law 116-321: Amending the Health Information Technology for Economic and Clinical Health Act

Signed in January 2021, this law requires HHS to consider whether a regulated entity had recognized security practices in place for the preceding 12 months when determining audit outcomes, the amount of a fine, or other remedies, while leaving HHS's enforcement authority under HIPAA intact.

Executive Order 14028: Improving the Nation's Cybersecurity

Issued in May 2021, EO 14028 directs federal agencies, and through federal procurement the private sector partners that supply them, to strengthen cybersecurity defenses and adapt to evolving cyber threats.

Potential Benefits of Health Care Implementation

The NIST Cybersecurity Framework helps organizations improve cybersecurity posture regardless of size or maturity level by aligning practices with recognized standards and risk management principles.

  • Provides guidance on risk management principles and best practices

  • Establishes common cybersecurity risk language

  • Outlines a structured cybersecurity risk management approach

  • Identifies effective, cost-efficient cybersecurity standards and practices

Additional benefits may include insurance incentives, prioritized federal assistance, and improved sector-wide coordination.

Key Elements of a Cybersecurity Program

  • Ensure people, process, and technology address cybersecurity risks

  • Identify and manage organizational information risks

  • Support policy enforcement, monitoring, and reporting

Threat modeling, threat intelligence, and collaboration further strengthen cybersecurity resilience across organizations.

Ability to Incorporate Cyber-Physical Aspects of Cybersecurity

Cyber-physical systems security addresses cybersecurity concerns for connected devices and systems increasingly used across critical infrastructure and health care environments.

Medical devices connected to networks improve care delivery but also introduce cybersecurity risks that must be managed through comprehensive risk analysis aligned with the NIST Cybersecurity Framework.



12 NIST (2018, Aug 16).
13 GAO (2011). Critical Infrastructure Protection: Cybersecurity Guidance is Available, but More Can Be Done to Promote Its Use, Wash., DC: Author.
14 Ibid., p. i.
15 Exec. Order No. 13636, 3 C.F.R. 11739-11744 (2013).
16 Critical infrastructure is defined as "systems and assets, physical or virtual, so vital that their incapacity or destruction would impact security, economy, or public health."
17 NIST (2014). NIST Releases Cybersecurity Framework Version 1.0.
18 NIST (2014, Feb 12). Framework for Improving Critical Infrastructure Cybersecurity, Version 1 (Updated 2018, Jan 8).
19 CISA (2021b). Critical Infrastructure Cyber Community C3 Protection Program.
20 Resources related to the former C3 Voluntary Program.
21 Cybersecurity Enhancement Act of 2014. Public Law 113-274.
22 Exec. Order No. 13800, 3 C.F.R. 22391-22397 (2017).
23 CISA (2017).
24 Public Law 116-321.
25 HHS (2017). HITECH Act Enforcement Interim Final Rule.
26 Exec. Order No. 14028, 3 C.F.R. 26633-26647 (2021).
27 Ohio Data Protection Act, Senate Bill 220 (2018).
28 Connecticut Public Act No. 21-119.
29 See Appendix K – Frequently Asked Questions.
30 DOE (n.d.), p. 3.
31 Chew, E., et al. (2008). Performance Measurement Guide for Information Security (NIST SP 800-55 Revision 1).
32 DHS (n.d.). Cybersecurity: Cyber Physical Systems Security.
33 FDA (n.d.). Medical Devices: Digital Health Center of Excellence.