An updated version of the Healthcare Sector Cybersecurity Framework Implementation Guide is now available. It incorporates the Health Insurance Portability and Accountability Act (HIPAA) Security Rule crosswalk published in April 2016 by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR), in addition to other minor changes for clarity.

The Guide is intended to help Healthcare and Public Health (HPH) Sector organizations understand and use the HITRUST Risk Management Framework (RMF) to appropriately and effectively implement the NIST Cybersecurity Framework (CsF) in the HPH Sector and support critical infrastructure protection. The RMF consists of the HITRUST CSF, CSF Assurance Program and supporting methodologies.

It was developed by the Joint Healthcare and Public Health Cybersecurity Working Group of the HPH Sector Coordinating Council (SCC) and Government Coordinating Council (GCC), along with input from HITRUST, other sector members, and the DHS Critical Infrastructure Cyber Community (C3).

Planned updates to the Guide for version 2, anticipated for release in late 2016 or early 2017, include guidance or templates for organizational policy, corrective action plans, communications, medical device security, and small organization implementation, among others.

The updated, 508-Compliant version of the Healthcare Sector Cybersecurity Framework Implementation Guide can be downloaded from the HITRUST website.

For more information on the HPH SCC and GCC, go to the Healthcare and Public Health Sector: Council Charters and Membership page on

For more information on DHS cybersecurity programs, go to their Cybersecurity Programs page.