Cybersecurity Frameworks: Why Use Them in Healthcare?

Any healthcare app or website that deals with patients’ health records these days should comply with HIPAA (Health Insurance Portability and Accountability Act). But HIPAA alone doesn’t guarantee security. That’s why many hospitals choose and follow a cybersecurity framework.

The need to share and secure sensitive data makes adopting a cybersecurity framework far more critical for healthcare organizations.

Health centers, hospitals, clinics, and doctor’s offices need frameworks to secure information and protect their patients’ privacy. Healthcare universities need frameworks to share information securely.

What are these frameworks, what do they bring to healthcare, and which cybersecurity frameworks are the best—find out in this guide.   

What’s a Healthcare Cybersecurity Framework? 

A healthcare cybersecurity framework (CSF) is a guide that explains how to better manage and reduce security risks. In plain English, it is a roadmap for securing healthcare IT systems.

Hospitals, clinics, healthcare universities, and other facilities implement these frameworks to better understand their cybersecurity risks—and find a way to deal with them.  

For example, here’s how the most popular healthcare framework—NIST—looks. This document includes an overview of the framework, an explanation of its basics, and instructions on how to use it.

Check the full version here

A CSF is not a set of strict instructions for clinics and hospitals to adhere to. It’s rather a guideline of IT security best practices that can be adopted to complement or improve existing cybersecurity policies.

No matter which cybersecurity framework you choose, it is not set in stone. It’s a living document you need to update over time and adapt to your specific organization and business needs.

A CSF consists of three components—the core, implementation tiers, and profiles:

  • The core guides cybersecurity activities and outcomes. It presents industry standards that help organizations handle cyber risks.
  • Implementation tiers are used to evaluate the current cybersecurity posture of an organization. They help hospitals, clinics, and other facilities determine which level of standard suits their cybersecurity program best.
  • A framework profile lets an organization make a blueprint for minimizing cyber risks that is aligned with the organization’s goals. An organization may use more than one profile (for instance, a current profile and a target profile) to find weak spots and opportunities for a better cybersecurity posture.
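The profile comparison described above can be made concrete with a small script. The following is an added example, not code from the article or from NIST: it takes a "current" profile and a "target" profile, each rating the organization on the five Core functions of NIST CSF 1.1 (Identify, Protect, Detect, Respond, Recover) using the four real Implementation Tiers, validates both, and lists the functions where the organization falls short, largest gap first. The clinic profile values are constructed sample data, not figures from the page.

```python
"""Added example: NIST CSF-style profile gap analysis (not from the article).

Assumptions: the five Core functions and the four Implementation Tiers are the
real NIST CSF 1.1 ones; the clinic profile values below are constructed samples.
"""
from dataclasses import dataclass

# The four NIST CSF Implementation Tiers, used as the rating scale for a profile.
TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}

# The five Core functions of NIST CSF 1.1.
CORE_FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Gap:
    """One Core function where the current tier is below the target tier."""
    function: str
    current: int
    target: int

    @property
    def size(self) -> int:
        return self.target - self.current


def validate_profile(profile: dict) -> None:
    """Reject a profile that misses a Core function or uses a tier outside 1..4."""
    missing = [f for f in CORE_FUNCTIONS if f not in profile]
    if missing:
        raise ValueError(f"profile lacks Core functions: {missing}")
    for func, tier in profile.items():
        if tier not in TIERS:
            raise ValueError(f"{func}: tier {tier!r} is not one of {sorted(TIERS)}")


def is_valid_profile(profile: dict) -> bool:
    """Boolean wrapper around validate_profile for callers that prefer no exception."""
    try:
        validate_profile(profile)
    except ValueError:
        return False
    return True


def gap_analysis(current: dict, target: dict) -> list:
    """Compare a Current Profile against a Target Profile.

    Returns the functions where the current tier is below the target, sorted so
    the largest shortfall (the weak spot to prioritise) comes first; ties keep
    the Core function order.
    """
    validate_profile(current)
    validate_profile(target)
    gaps = [Gap(f, current[f], target[f]) for f in CORE_FUNCTIONS if current[f] < target[f]]
    return sorted(gaps, key=lambda g: (-g.size, CORE_FUNCTIONS.index(g.function)))


def report(gaps: list) -> str:
    """Render the gap list as a short, human-readable prioritised plan."""
    if not gaps:
        return "No gaps: current profile meets the target profile."
    lines = ["Prioritised gaps (largest first):"]
    for g in gaps:
        lines.append(
            f"  {g.function:<8} {TIERS[g.current]} (tier {g.current}) "
            f"-> {TIERS[g.target]} (tier {g.target}), gap {g.size}"
        )
    return "\n".join(lines)


# Constructed sample data for a hypothetical clinic (not from the article).
CLINIC_CURRENT = {"Identify": 2, "Protect": 3, "Detect": 1, "Respond": 2, "Recover": 1}
CLINIC_TARGET = {"Identify": 3, "Protect": 3, "Detect": 3, "Respond": 3, "Recover": 3}

if __name__ == "__main__":
    print(report(gap_analysis(CLINIC_CURRENT, CLINIC_TARGET)))
```

Sorting by gap size puts the functions that are furthest from the target (here Detect and Recover) at the top, which is where a security program short on time and budget should start; the validation step catches the common spreadsheet mistake of leaving a function unrated or typing a tier that does not exist.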

Why Use Cybersecurity Frameworks?

As I’ve said, healthcare is heavily regulated by documents like HIPAA or HITECH in the US. If you want to remain compliant with the legislation, you need to do things right, do things fast, and protect your organization’s privacy and security. 

But implementing information security is a complicated thing—you need to consider user access, infrastructure, and physical security—and it’s hard to figure out where to start. 

That is probably why 17 percent of healthcare organizations use no CSF at all.

A cybersecurity framework is a “cheat sheet” for implementing a security program that’ll help your organization remain compliant and protect sensitive data. 

How do the frameworks help?

First, they identify and detect security threats—and help organizations recover from their consequences. 

Next, they ensure that security goals align with your business requirements, budget, and risk tolerance. 

Finally, they help to align both business and tech policies of your organization. 

With threats such as malware and ransomware attacks, malicious insiders, human error, and privilege misuse, healthcare organizations must always be protected. A cybersecurity framework is a must-have for that.

Best Cybersecurity Frameworks in Healthcare

According to the 2018 HIMSS Cybersecurity Survey report, there’s no universally adopted security framework for all healthcare organizations. 17 percent of respondents have no CSF adopted, and that’s disturbing. 

But if there’s no universal framework, what are hospitals using to address cybersecurity issues? 

As it turns out, there are several CSFs—from the hugely popular NIST CSF to ISO, COBIT, and many others. Some organizations use more than one security framework.

We’re going to take a look at the three best.

#1. NIST

The best-known cybersecurity framework is made by NIST. NIST stands for the National Institute of Standards and Technology, a US company that creates tech standards and guidelines. Their “Framework for Improving Critical Infrastructure Cybersecurity” was published in 2018, and now it’s the gold standard in many industries, including healthcare.

You can look through or download the NIST framework here

NIST CSF is a living document with an ongoing process for continued maintenance and innovation. It is designed to evolve along with ever-changing technologies.

Other well-known frameworks from NIST:

  • NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations (list of security and privacy controls for federal agencies)
  • NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (solid framework for small businesses)

As for use cases, the Biological Sciences Division of the University of Chicago adopted the framework.

The division supports basic research, clinical research, education, and patient care. They wanted a cybersecurity program that would work across all 23 of their departments. There were gaps in security controls that resulted in a lot of security expenses.

By adopting the NIST framework, they’ve managed to align security risk expectations, identify requirements, and prioritize security goals. 

#2. HITRUST CSF

The HITRUST CSF integrates data protection requirements from many sources–ISO, NIST, PCI, HIPAA–and tailors the requirements to an organization based on specific risk factors.

The latest version of the HITRUST framework is available on their website for any organization involved in data protection. You can find the HITRUST CSF License Agreement here.

#3. Critical Security Controls (CSC)

Developed by the Center for Internet Security (CIS), CSC is a list of practices that aim to minimize the risk of cyber attacks. The framework lists security controls in order of priority, with the most important ones appearing at the top of the list.

You need to fill in a form to download the CIS framework from their website.

No healthcare organization—be it a hospital, clinic, or doctor’s office—is immune to cyberthreats. It’s not enough to rely on HIPAA compliance alone to secure the sensitive data of their patients.

All these organizations should also have a comprehensive security framework in place. By choosing to act now, healthcare organizations have much more flexibility in how they implement the cybersecurity framework, and more time to improve their internal processes.

Author’s bio:

Maria Diachenko is a tech writer at Cleveroad. It’s a custom healthcare software development company in Ukraine. Maria enjoys making how-to tech guides, describing programming trends and IoT innovations.
