Long Descriptions for Figures

Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide 
 

Figure 1: Notional Information and Decision Flows within an Organization 

This figure describes a common flow of information and decisions among the following levels within an organization:

  • Executive

  • Business/Process

  • Implementation/Operations

The executive level communicates mission priorities, available resources, and overall risk tolerance to the business/process level. The business/process level uses that information as input to its risk management process, and then collaborates with the implementation/operations level to communicate business needs and create a Profile. The implementation/operations level reports Profile implementation progress back to the business/process level, which uses that information to perform an impact assessment. Business/process level management reports the outcomes of the impact assessment to the executive level, to inform the organization's overall risk management process, and to the implementation/operations level, for awareness of the business impact. 

Figure 2: Healthcare Implementation Process 

The graphic illustrates how an organization could use the Framework to create a new cybersecurity program or improve an existing program. These steps should be repeated as necessary to continuously improve cybersecurity. 

  • Step 1: Prioritize and Scope

  • Step 2: Orient 

  • Step 3: Create Target Profile 

  • Step 4: Conduct Risk Assessment

  • Step 5: Create Current Profile

  • Step 6: Determine, Analyze and Prioritize Gaps

For more information, please refer to pages 14-15 of the NIST Cybersecurity Framework. 
Figure 4: Relating Cybersecurity Risk to Other Forms of Business Risk 
 

Risk Types 

  • Strategic Risk: Organizational strategies may not support business objectives (e.g., potential risk to planned M&A or divestment)

  • Operations Risk: Degradation of day-to-day operations, typically related to cash flow (e.g., potential risk to continuity of operations)

  • Reporting Risk: Adverse impact on credit & cash management (e.g., potential risk to accuracy of financial reporting)

  • Compliance Risk: Adverse outcomes of regulatory or contractual non-compliance (e.g., potential risk of fines & penalties)

  • Cybersecurity Risk: Compromise or unauthorized disclosure of sensitive information and related concerns
 


Figure 5: Example NIST Cybersecurity Framework Scorecard 

The NIST Cybersecurity Framework Scorecard is organized by Function, Category, and level of compliance. 

Figure 6: Generic Implementation Process 

  • Step 1: Prioritize and Scope

  • Step 2: Orient 

  • Step 3: Create Current Profile 

  • Step 4: Conduct Risk Assessment

  • Step 5: Create Target Profile

  • Step 6: Determine, Analyze and Prioritize Gaps

  • Step 7: Implement Action Plan