The final version of the NIST Framework for critical infrastructure cybersecurity has been published. Healthcare and public health have been designated as critical infrastructure. In its introduction, the framework states “Due to the increasing pressures from external and internal threats, organizations responsible for critical infrastructure need to have a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk. This approach is necessary regardless of an organization's size, threat exposure, or cybersecurity sophistication today.” The framework is voluntary and not industry specific. It takes a risk-based approach to managing cybersecurity risk in an enterprise. While the framework is voluntary, it seems likely that regulation, litigation and insurance will consider it the minimum expectation for managing cybersecurity risks in an enterprise.
The Framework and related documentation can be found at the link provided.