By Cam Sivesind
Mon | Mar 20, 2023 | 1:21 PM PDT

A new guide from the U.S. Department of Health and Human Services (HHS) seeks to help Health Care and Public Health (HPH) Sector organizations understand and use NIST Cybersecurity Framework's Informative References to achieve the goals of the framework.

Thanks to Shawn Tuma, Co-Chair, Data Privacy & Cybersecurity Practice, Spencer Fane, LLP, for alerting SecureWorld to the March 8th release of Version 2 of the "HPH Sector Cybersecurity Framework Implementation Guide" (see link to download the complete guide) in a brief blog post on LinkedIn this morning.

Tuma is providing the lunch keynote on "Cybersecurity Is a Team Sport" on Day 2 of this week's SecureWorld Boston conference, March 22-23 at the Hynes Convention Center.

As Tuma writes in his post: "This Guide is not only a must-read for all healthcare 'covered entities,' especially small and midsize organizations, but it is excellent advice for all organizations—healthcare and non-healthcare alike—as it demonstrates practical implementation and use of the NIST Cybersecurity Framework."

According to the HHS, the guidance will also help an organization's leadership to:

  • Understand NIST Cybersecurity Framework terminology, concepts, and benefits
  • Assess their current and targeted cybersecurity posture
  • Identify gaps in their current programs and workforce
  • Identify current practices that help address recommended NIST Cybersecurity Framework outcomes

HHS describes the potential benefits for healthcare organizations, and for any business, as follows:

"The many cybersecurity-focused executive orders and laws that have been developed in the last 10 years show the importance of strong cybersecurity in protecting critical infrastructure. The NIST Cybersecurity Framework is a powerful tool to help achieve this goal.

Since it is based on a collection of cybersecurity standards and industry best practices, the Cybersecurity broadly applies across all organizations, regardless of size, industry, or cybersecurity sophistication.

Whether an organization has a mature risk management program and processes, is developing a program or processes, or has no program or processes, the Framework can help guide an organization in improving cybersecurity and thereby improve the security and resilience of critical infrastructure."

SecureWorld is hosting its first Healthcare virtual conference on April 12th, featuring speakers from Children's Mercy Kansas City Hospital, Cooper University Hospital, Cape Cod Healthcare, Tufts Medicine, Vancouver Clinic, EY, CyberSN and Secure Diversity, Acumatica, and more. The event is free, and attendees can earn CPE credits.