• Print

Privacy & Security

Cybersecurity: A Shared Responsibility

Cybersecurity refers to ways to prevent, detect, and respond to attacks or unauthorized access against a computer system and its information.

While cybersecurity is keenly important for health care data and information systems, its importance touches all U.S. critical infrastructure. Sectors like energy, finance, public transit, and defense rely on cybersecurity to protect them from attack and disruption.

Because cybersecurity affects all of us, cybersecurity is a shared responsibility. The U.S. Government provides resources to equip all sectors to engage in the shared effort. One of these resources is the National Institute for Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework).

Cybersecurity Framework

On February 12, 2013, President Obama issued Executive Order 13636 [PDF - 332 KB] “Improving Critical Infrastructure Cybersecurity.” The order called for the development of a Cybersecurity Framework that organizations can use to help reduce and manage their cybersecurity risks.

As a result, NIST published a Framework for Improving Critical Infrastructure Cybersecurity. In its own words, “The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management” to make critical infrastructure more secure.

The Framework is flexible by design. It allows organizations to apply the Framework in their own context, including that of health care.

Cybersecurity Resources for the Health Care Sector

In parallel with the Framework, the Office of the National Coordinator for Health Information Technology (ONC) continues to develop educational resources around health care cybersecurity and risk management. A few examples include:



The HIPAA Privacy Rule establishes national standards for giving patients the right to access and request amendment of their Protected Health Information (PHI) as well as requesting restrictions on the use or disclosure of such information. The HIPAA Security Rule establishes a national set of security standards for the confidentiality, integrity, and availability of electronic protected health information. The HIPAA Privacy and Security Rules apply to covered entities. Covered entities include health care providers and professionals such as doctors, nurses, psychologists, dentists, and chiropractors. Individuals and organizations that meet the definition of a covered entity and who transmit health information in electronic form in connection with certain transactions must comply with the Rules' requirements to protect the privacy and security of health information. For more information about the HIPAA Privacy and Security Rules, visit the HHS Office for Civil Rights Health Information Privacy website.

The Cybersecurity webpage content is provided for informational purposes only and does not guarantee compliance with federal or state laws. The information and tips presented may not be applicable or appropriate for all health care providers and professionals. We encourage providers, professionals, and organizations to seek expert advice when evaluating these materials. The Cybersecurity webpage content is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. It is also not intended to serve as legal advice or offer recommendations based on a provider’s or professional’s specific circumstances.