·  Legal News, Analysis, & Commentary


The 5 Most Commonly Used Cybersecurity Frameworks in Healthcare

— August 21, 2019

Protecting patient data is the number one priority in healthcare IT departments. Cybersecurity frameworks are one of many means experts use to reach this goal.

No one industry is immune to cybersecurity threats. It’s especially the case with healthcare where confidentiality of patients is the number one priority. 

That’s why health organizations try to address these risks by complying with recognized security standards and frameworks. 

Let’s dig deeper and find out what is a cybersecurity framework itself and what are the five frameworks healthcare organizations use most frequently.

A cybersecurity framework is…

CSF or cybersecurity framework is a guide based on existing practices and guidelines. It’s designed to help organizations to help companies reduce cybersecurity risks and maintain the process of management (e.g. tells how administrators should manage sensitive patient data).

Simply put, the framework is a roadmap indicating how it’s better to secure an IT system.

For instance, if the organization plans EHR system development, the chosen framework will provide its tech staff with common means and methods for preventing cyber threats. The framework isn’t the only true way to protect data.

Here are the main goals of frameworks: 

  • Describe the current security situation
  • Describe targets
  • Non-stop improvements
  • Assess progress

Every framework consists of three components:

Framework components; graphic by author.
Framework components; graphic by author.
  • Implementation tiers. They describe to what extent an organization’s cybersecurity practices comply with the characteristics described in the framework.
  • Framework core. It’s a set of cybersecurity activities sorted by categories and helping multidisciplinary teams to communicate using non-technical, simple language.
  • Profiles. They’re commonly used to identify some room for improving the current cybersecurity situation. 

Security frameworks that are used most of all in healthcare

Lately, HIMSS has published a survey revealing what cybersecurity frameworks are the most popular in the healthcare field. Underneath, I’ve placed the results so you can take a quick look.

Which security frameworks does your organization use? Graphic by author.
Which security frameworks does your organization use? Graphic by author.


It stands for National Institute of Standards and Technology. It’s a U.S.-based firm that develops tech standards and writes guidelines.

The most well-known documents by NIST are as follows: 

With its help, healthcare organizations can perform a risk analysis, eliminate emerging threats, and also cooperate with other entities. 


HITRUST or Health Information Trust Alliance is a private organization that takes second place in the HIMSS survey having 26,4%.

This CSF provides means for risks establishment, methodologies for assessment and assurance, and many more. To support non-U.S. business partners, HITRUST also takes advantage of ISO/IEC 27001:2005 standard.

3. Critical Security Control (CSC)

It’s designed by the Center for Internet Security and represents a list of aims focused on preventing or stopping the most common cyber attacks for healthcare. 

CSC isn’t a standalone solution and is often used along with other cybersecurity frameworks like NIST.

4. ISO 27000

The International Organization for Standardization is a company that stands behind the ISO/IEC 27000 standard.

This framework can be used for healthcare to cope with ever-rising requirements for data security. 


COBIT or Control Objectives for Information and Related Technologies represents a tool for IT allowing companies to keep track of requirements and assists in policy development. 

Currently, COBIT is being adopted by a variety of companies that have something to do with the healthcare (e.g. hospitals, insurance agencies).

Wrapping up

Those were only five of many existing cybersecurity frameworks that can be used in the field of healthcare.

Join the conversation!