A True Story on Implementation
Healthcare did not wake up one morning and decide to adopt a new cybersecurity framework.
Healthcare got here the way it gets to most operational change: through pressure and accumulation. Ransomware that shuts down clinics, third-party incidents that ripple across an ecosystem, and board questions that keep coming back, quarter after quarter.
Are we improving? Are we exposed? Are we prepared?
That is the real context for the release of the NIST Cybersecurity Framework 2.0, and why it is landing differently in healthcare than the previous version did.
The National Institute of Standards and Technology first released the Cybersecurity Framework in 2014. A refinement followed in 2018 with version 1.1. But on February 26, 2024, NIST released CSF 2.0, the first major structural update since the framework’s inception.
The headline change is easy to summarize and hard to overstate. CSF 2.0 adds a sixth function, Govern, alongside Identify, Protect, Detect, Respond, and Recover.
In other words, it makes explicit what healthcare has been learning the hard way: Cybersecurity is not just a technical capability. It is a governance problem. It is an enterprise risk problem.
And when it is done well, it is also a patient safety capability.
NIST CSF 2.0: Why healthcare should take note
The Cybersecurity Framework is often described as voluntary, which is true in the narrow sense. It is not a law. But in healthcare, frameworks have a way of becoming the language of credibility. A framework is how you demonstrate you are not improvising.
CSF 2.0 is built to help organizations understand, assess, prioritize, and communicate cybersecurity risk.
It is designed for any organization, not just critical infrastructure owners. That shift matters for healthcare because the sector is not a single category. It is hospitals, specialty providers, payers, physician groups, technology vendors and other business partners, all connected by data flows and operational dependencies.
CSF 2.0 also arrives as regulators sharpen expectations. The HHS Office for Civil Rights (OCR) released a proposed rule (published in January 2025) to strengthen the HIPAA Security Rule, explicitly tied to rising cyberattacks in healthcare.
At the same time, OCR has continued to emphasize "recognized security practices" under the 2021 HITECH Act amendment, which points to the NIST Cybersecurity Framework and the HHS 405(d) program as examples, and it has published guidance explaining how it evaluates evidence of those practices when determining fines, audit outcomes, and other remedies. In its January 2026 newsletter, OCR also signaled more scrutiny of risk management and system hardening.
This is the environment in which CSF 2.0 is being adopted. Not as a trend, but as a structure that makes risk legible to leadership, defensible to regulators, and measurable over time.
Watch: Clearwater Monthly Cyber Briefing Discussion on NIST CSF 2.0
The Real Shift in CSF 2.0 Is Not the New Function. It Is the New Audience.
Yes, Govern is the headline addition that captured attention when NIST released the Cybersecurity Framework 2.0. But the more consequential shift is not structural. It is cultural.
CSF 1.1 was rarely used by executives. In practice, it lived inside security teams. CSF 2.0 pushes the conversation outward: toward governance, oversight, accountability, and integration with enterprise risk management.
NIST’s own overview materials emphasize improved communication across teams and integration with broader risk strategies. That is not accidental.
NIST is acknowledging what boards have already decided. Cyber risk is now business risk, legal risk, operational risk, and reputational risk simultaneously.
In healthcare, the translation is even more direct.
It is patient safety risk.
A Healthcare Adoption Story: OU Health Starts With Standards, Not Improvisation
Framework adoption is often described as a neat strategic decision. The reality is usually less tidy.
An organization tries to measure its security program. The assessment is not comparable year to year. The results feel subjective. Progress is difficult to quantify. Eventually someone asks a harder question.
What are we actually measuring against?
That is how Sean Mathena, Director of Governance, Risk, and Compliance at OU Health, described their turning point.
They had been working with another organization performing assessments, but those assessments were not standards based. As Sean explained:
“Their assessment wasn’t really standards-based. They had cobbled it together from several different standards.”
OU Health wanted something different. Something measurable. Something repeatable.
“We wanted to do a standards-based assessment that had an actual maturity score that we could be measured against.”
They began with HIPAA risk assessments and then moved into a NIST CSF 2.0 assessment. One caveat worth stating: the framework itself does not define a maturity score. NIST's Tiers characterize the rigor of an organization's risk governance and management practices rather than serving as a maturity scale, so a numeric score comes from the assessment methodology layered on top of the framework's outcomes.
This is the adoption story many healthcare leaders recognize.
Not a desire to collect more controls.
A desire to stop guessing.
Govern in Healthcare: The Moment Cyber Stops Being an IT Program
When asked about the new Govern function and whether cyber had been integrated into enterprise risk, Sean’s answer was revealing.
For OU Health, Govern was not disruptive because they started with CSF 2.0. But what followed mattered more.
“OU Health is putting together an enterprise risk program, but the risk program has started with cyber. So it started off with the NIST 2.0 assessment.”
They are building a full risk management framework that will integrate with the broader enterprise risk framework.
This is the promise of CSF 2.0 in healthcare.
It formalizes cyber as a risk discipline, not a technical silo.
Dave Bailey captured the broader implication:
“It’s no longer just about cybersecurity. It’s about enterprise risk, and how cybersecurity integrates with enterprise risk.”
That shift is not semantic. It changes reporting structures. It changes board conversations. It changes budget discussions.
It also introduces something healthcare executives consistently ask for.
Metrics.
Sean noted leadership’s interest in measurable output:
“Our leadership is really supportive of the risk program. They’re really interested in getting the metrics out of the CSF.”
Boards may not always articulate it this way, but they want directional visibility. They want to see movement over time.
CSF 2.0 gives them a way to do that.
The Patient First Translation: Maturity Is Not Abstract in Healthcare
Frameworks fail in healthcare when they do not connect to mission.
OU Health’s mission is explicit.
“OU Health has a very patients-first focus… we’re highlighting our posture and our maturity to executive leadership around cyber and IT, and how that ultimately affects patient satisfaction and patient-first methodology,” Sean says.
That framing matters.
When systems go down, patients feel it first.
When diversion happens, patients feel it first.
When clinical workflows revert to paper, patients feel it first.
Cyber maturity in healthcare is not theoretical. It is operational resilience in service of care delivery.
CSF 2.0 becomes meaningful when it is framed that way.
The Underrated Reason CSF 2.0 Is Gaining Traction: Measurement Changes Behavior
Many healthcare organizations maintain dashboards.
Few tie cyber maturity to accountability.
OU Health is doing something many discuss but rarely operationalize.
“We’re actually using our CSF score as part of one of our annual goals. It drives things like budget, bonuses, things of that nature,” Sean adds.
They expect to be held accountable for improvement year over year.
This is a behavioral shift.
Cyber moves from episodic remediation to performance management.
Dave has seen what that looks like across the industry:
“The average for a first-time organization is in the 40s. The average for their third assessment is in the 70s.”
That improvement is not accidental. It reflects commitment, multi-year strategy, and sustained governance focus.
CSF 2.0 supports continuous improvement as an operating posture, not a compliance event.
The question stops being: Are we compliant?
It becomes: Are we getting better, and can we prove it?
What Healthcare Leaders Should Expect When Adopting CSF 2.0
The OU Health experience is valuable because it is candid.
Communication Is the First Control
Sean notes: “Communication before the assessment was key… making sure that the people that were going to be involved knew what was coming and what was going to be required of them.”
In healthcare environments where stakeholders are overloaded, unmanaged expectations derail assessments quickly.
Planning is not optional. It is structural.
There Is a Real Time Commitment
Sean acknowledged the practical challenge:
“It’s sometimes difficult to find that hour, hour and a half to be on a phone call to talk to an assessor.”
Standards-based maturity assessments require evidence, context, and cross-functional input. There is no shortcut to organizational truth.
Evidence Collection Reduces Future Burden
OU Health made a strategic move.
“After the assessment, we also requested evidence of what was given to the assessor. We wanted to have it ready and at our fingertips for next year,” Sean says.
That is maturity.
It aligns with increasing regulatory emphasis on demonstrable, documented security practices and audit readiness.
Be Prepared for What You Find
“It’s going to be eye-opening in some areas… it’s going to require people to maybe change their business processes,” Sean notes.
Findings are not technical inconveniences. They are governance decisions.
If treated as IT backlog, they stall. If treated as enterprise risk, they move.
CSF 2.0 and HIPAA: Why Frameworks Are Becoming the Safer Way to Operate
HIPAA does not mandate a single framework. But enforcement trends and proposed rulemaking increasingly expect demonstrable rigor.
The HIPAA Security Rule NPRM signals intent to strengthen cybersecurity expectations across the healthcare sector. Encryption of ePHI, multifactor authentication, system hardening, and documented accountability are receiving sharper attention, and the proposal would make several safeguards that are currently "addressable" required outright. It remains a proposal until a final rule is issued, but it shows where enforcement expectations are heading.
CSF 2.0 helps translate regulatory direction into a coherent operating model because it:
🔹 Creates a shared taxonomy for leadership communication
🔹 Supports measurable maturity scoring
🔹 Elevates governance and enterprise risk integration
🔹 Encourages continuous improvement
Compliance tells you what you must do.
A framework tells you how to run the program.
Why CSF 2.0 Is Becoming the Backbone of Healthcare Cyber Programs
CSF 2.0 is not gaining adoption because it is new. It is gaining adoption because it fits.
Healthcare is being pushed toward governance, evidence, and measurable improvement.
OU Health’s experience illustrates the emerging pattern:
🔹 A small GRC team chooses standards-based measurement over improvised models
🔹 Cyber maturity becomes the starting point for enterprise risk
🔹 Leadership demands metrics and board visibility
🔹 Results drive budgeting and accountability
🔹 The program is framed in terms healthcare understands, patient-first outcomes and operational resilience
If CSF 1.1 helped healthcare organize security work, CSF 2.0 is pushing healthcare to organize responsibility.
Hospitals do not adopt CSF 2.0 to feel more compliant. They adopt it to make cyber risk governable.
The Govern function signals what the sector already knows. Cybersecurity has matured into enterprise risk management, and healthcare is being asked to prove it, measure it, and improve it.
And in healthcare, accountability is no longer optional.
Move From Compliance to Measurable Cyber Governance
CSF 2.0 is not a checklist. It is a governance model.
If your organization is evaluating how to mature its cybersecurity program, integrate cyber into enterprise risk, or prepare for increased regulatory scrutiny, we can help you build a defensible, measurable path forward.
Learn more about Clearwater’s NIST CSF 2.0 services
Contact our team to discuss your current posture.