[2-C-1-04] Risk Management of Cybersecurity in Medical Institute - Includes supply chain management -
Cyber Security, Supply chain, Ransomware, Enterprise Risk Management
The Chief Information Security Officer for cyber risk at a healthcare facility (Medical-CISO) is responsible for maintaining the AIC (availability, integrity, and confidentiality) of the assets used to deliver healthcare. To operate and maintain AIC, the Medical-CISO must supply cyber-attack trends as they change over time, and must keep up with the changes in risk control needs that follow from contemporary changes in risk. Risk scenarios should also be prioritized to maximize the use of limited resources. Risk control should extend to all hospital information systems, data, and applications that operate within the facility and are used in healthcare, and management should include all vendors, integrators, and other parties.