On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.” Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”

Leveraging the NIST CSF. The Guide, which is voluntary, is intended to help healthcare organizations strengthen their cybersecurity programs and reduce risk by implementing the National Institute for Standards and Technology (“NIST”) Cybersecurity Framework (“CSF” or “Framework”). Originally released in 2014 and updated in 2018, the NIST CSF is a framework designed to assist organizations with developing, aligning, and prioritizing cybersecurity activities with business requirements, risk tolerances, and resources. Globally, organizations, industries, and government agencies have increasingly relied upon the Framework to establish cybersecurity programs and measure their maturity.

Roadmap for Implementation. The Guide is intended to serve “as a roadmap for health care and private health sector organizations to implement the NIST Cybersecurity Framework, including:

  • Guiding risk management principles and best practices[;]
  • Providing common language to address and manage cybersecurity risk[;]
  • Outlining a structure for organizations to understand and apply cybersecurity risk management[;] and
  • Identifying effective standards, guidelines, and practices to manage cybersecurity risk cost-effectively based on business needs[.]”

According to the Guide, a comprehensive cybersecurity framework will “provide a common language and structure for discussions around risk and the methods and tools used to manage risk to a level that is not only acceptable to the organization but to other stakeholders such as business partners, customers, and industry and governmental regulators.”

The Guide also notes that, pursuant to 2021 amendments to the HI-TECH Act, HHS must “consider a health care entity’s adoption of recognized security practices, as defined by PL 116-321, when determining the length and outcome of audits or the amount of fines or extent of penalties.” The relevant definition of “recognized security practices” includes NIST standards and guidelines, such as the Framework.

Looking Ahead. HHS’s Guide is another cybersecurity development in light of the White House’s release of its new U.S. National Cybersecurity Strategy, which outlines the need for minimum cybersecurity standards in critical sectors to enhance national security and public safety. In February 2013, healthcare was identified as a critical infrastructure sector under Presidential Policy Directive 21. The Guide also follows shortly after NIST’s request for public comment on potential significant updates to the Framework, including expanding the Framework’s five functions (Identify, Protect, Detect, Respond, and Recover) to add a new function on cybersecurity governance (“Govern”). NIST is still accepting comments on its potential significant updates to the Framework until March 17, 2023.