
    NIST IR 8473, Cybersecurity Framework Profile for HPH

    NIST's Cybersecurity Framework profile tailored to the Healthcare and Public Health sector. It translates NIST CSF outcomes into HPH-specific subcategories and references.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    NIST Interagency Report 8473 is a Cybersecurity Framework (CSF) Profile for the Healthcare and Public Health Sector, developed by NIST in coordination with the HHS 405(d) Task Group and HSCC. The profile takes the NIST CSF's Functions (Govern, Identify, Protect, Detect, Respond, Recover) and tailors the subcategories and informative references to the HPH sector, explicitly mapping each subcategory to HIPAA Security Rule citations, HICP practices, IEC 80001-1, and the HPH Cybersecurity Performance Goals. It is the authoritative bridge between generic NIST CSF guidance and healthcare-specific implementation expectations.

    What the regulation says

    Published by NIST in coordination with HHS. It is not itself binding, but HHS references it as the recommended approach for HPH organizations to operationalize the NIST CSF and connect it to HIPAA and HICP.

    What this means in practice

    For medical device manufacturers, IR 8473 is the document that maps your security architecture to the language hospitals and HHS use. Procurement teams increasingly ask which NIST CSF subcategories your product supports; IR 8473's HPH-tailored profile is the right reference to answer. It also makes the relationship between HIPAA, HICP, and CPGs explicit, which removes a lot of duplicate evidence work.

    Common pitfalls

    • Using the generic NIST CSF instead of the HPH profile: you miss the HIPAA, HICP, and IEC 80001-1 mappings.
    • Treating the profile as static: NIST updates CSF profiles as CSF itself evolves (CSF 2.0 introduced the Govern function in 2024).
    • Mapping product features to high-level Functions only; procurement maturity demands subcategory-level evidence.
