skip to main content

Topic Collection: Cybersecurity

Recent cyberattacks on healthcare facilities have had significant effects on every aspect of patient care and organizational continuity. They highlight the need for healthcare organizations of all sizes and types to implement cybersecurity best practices and conduct robust planning and exercising for cyber incident response and consequence management. As the number of cyberattacks on this sector increases, healthcare practitioners, facility executives, information technology professionals, and emergency managers must remain current on the ever-changing nature and type of threats to their facilities, systems, patients, and staff. The resources in this Topic Collection can help stakeholders better protect against, mitigate, respond to, and recover from cyber threats, ensuring patient safety and operational continuity. This Topic Collection was updated in May 2017.

Each resource in this Topic Collection is placed into one or more of the following categories (click on the category name to be taken directly to that set of resources). Resources marked with an asterisk (*) appear in more than one category.

Topic Collection (PDF - 340.4 KB)

Must Reads
Education and Training
Education and Training: HHS-Specific
Guidance
Incident Management
Legal/Regulatory Resources
Lessons Learned
Medical Devices
Plans, Tools, and Templates
Ransomware Resources
Risk and Threat
Agencies and Organizations

Must Reads

Cybersecurity Unit. (2015). Best Practices for Victim Response and Reporting of Cyber Incidents.

This document provides planning and response guidance based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The authors drafted the document with smaller organizations (with fewer resources) in mind, but larger organizations should also find it useful.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Filkins, B. (2014). Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon. SANS Institute.

The project team analyzed a year’s worth of healthcare intelligence data and provide an overview of the sector’s vulnerabilities (including the “Internet of Things” and challenges related to compliance). The author shares three case studies that demonstrate traffic and how healthcare networks were attacked and concludes with preparedness tips useful to both information technology professionals and emergency planners.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare and Public Health Sector Coordinating Councils. (2014). Protecting the Digital Infrastructure: Cybersecurity Checklist.

This short (introductory) checklist can help healthcare providers protect their digital infrastructure.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare and Public Health Sector Cybersecurity Working Group. (2013). Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101.

This primer can help healthcare providers learn more about the basics of cybersecurity, common vulnerabilities and threats, and how to manage risk. Also included is a matrix of threats with consequences that can be helpful to administrators.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Johnson, C., Badger, L., and Waltermire, D., et al. (2016). Guide to Cyber Threat Information Sharing. (NIST SP 800-150.) National Institute of Standards and Technology, U.S. Department of Commerce.

This publication can help cyber professionals in the healthcare system establish and participate in cyber threat information sharing relationships. It contains information on developing information sharing goals, identifying threat sources, engaging with existing information sharing communities, and effectively using threat information, which can help health systems share threat information in a structured fashion.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity (V. 1.0).

This document provides a detailed framework to protect critical infrastructure and a set of activities to achieve specific cybersecurity outcomes. The Core Functions include: Identify, Protect, Detect, Respond, and Recover, and Section 3 of the guide includes examples of how the framework can be employed.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Perakslis, E.D. and Stanley, M. (2016). A Cybersecurity Primer for Translational Research, Science Translational Medicine. Science Translational Medicine. 8(322): 2.

The authors discuss recent healthcare-related data breaches and how they could have been prevented. They also highlight the differences between compliance and security (and how they overlap)—particularly in the research arena—and share tips for improving cybersecurity.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). Security Rule Guidance Material. (Accessed 3/21/2017.)

This webpage assists healthcare professionals find information about the HIPAA Security Rule and provides links to other standards and resources on safeguarding electronic protected health information.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights and Office of the National Coordinator for Health Information Technology. (2015). Security Risk Assessment (SRA) Tool.

The Security Risk Assessment tool was designed to help guide healthcare providers in small to medium-sized offices conduct risk assessments of their organizations’ HIPPA compliance. This webpage contains a user guide and tutorial video. Users can download the 156 question app to their computers or iPads.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

United States Computer Emergency Readiness Team. (n.d.). Resources for Business. (Accessed 3/21/2017.) U.S. Department of Homeland Security.

This webpage (known by the acronym US-CERT) features links to cybersecurity resources for businesses (e.g., healthcare facilities) grouped into the following categories: Resources to Identify, Resources to Protect, Resources to Detect, and Resources to Recover.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

United States Computer Emergency Readiness Team. (2016). Ransomware and Recent Variants.

This factsheet provides an overview of ransomware and shares how the variants Locky and Samas were recently used to compromise healthcare networks.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Williams, P.A. and Woodward, A.J. (2015). Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem. Medical Devices. 8:305-16.

The authors review the factors that can contribute to cybersecurity vulnerabilities in medical devices and provide guidance regarding protection mechanisms, mitigations, and processes.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Education and Training

Grance, T., Nolan, T., Burke, K., et al. (2006). Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities. (NIST SP 800-84.) National Institute of Standards and Technology, U.S. Department of Commerce.

This guide can help staff in healthcare facilities design, develop, conduct and evaluate cybersecurity tests, training, and exercise events.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare and Public Health Sector Cybersecurity Working Group. (2013). Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101.

This primer can help healthcare providers learn more about the basics of cybersecurity, common vulnerabilities and threats, and how to manage risk. Also included is a matrix of threats with consequences that can be helpful to administrators.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Industrial Control Systems Cyber Emergency Response Team. (n.d.). Industrial Control Systems Cyber Emergency Response Team. (Accessed 3/21/2017.) U.S. Department of Homeland Security.

This webpage includes links to scheduled web-based and instructor-led cybersecurity training on the ICS-CERT calendar. These programs are geared toward industrial control system protection.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

National Initiative for Cybersecurity Careers and Studies. (n.d.). Training. (Accessed 3/21/2017.) U.S. Department of Homeland Security.

From this webpage, visitors can search for offered trainings by focus area, offering entity, level of training, location of training, and other factors as well as access various on-line training sites.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* National Institute of Standards and Technology. (2015). National Cybersecurity Workforce Framework.

The National Cybersecurity Workforce Framework was developed to provide employers, staff, training providers, and participants with a common set of skills and tasks (based on common language) to define and perform cybersecurity work. This webpage includes links to various framework materials which feature with tasks and skills tied to job categories.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA Training & Resources. (Accessed 3/21/2017.)

These training and resource materials were developed to help entities implement privacy and security protections. This webpage includes videos and slides from state attorneys general training and educational programs for healthcare providers.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Homeland Security. (2013). DHS Cyber Tabletop Exercise (TTX) for the Healthcare Industry [Exercise Materials].

Healthcare organizations can download this zip file which contains a package of materials that can help them plan and organize a cyber tabletop exercise.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Education and Training: HHS-Specific

U.S. Department of Health and Human Services, Office for Civil Rights. (2013). Rules of Behavior for Use of HHS Information Resources.

These rules apply to government employees, contractors, and other system users and must be read by all new users prior to accessing HHS data, systems, or networks. The policies may serve as a helpful template for private sector entities.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (2015). Information Security for Executives: Fiscal Year 2015.

This training course defines the security responsibilities for senior executives within HHS.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (2015). Information Security for IT Administrators, Fiscal Year 2015.

This training course defines the security responsibilities for IT Administrators within HHS.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (2015). Information Security for Managers: Fiscal Year 2015.

This training course defines the security responsibilities for information technology and program managers within HHS.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (2016). Cybersecurity Awareness Training: Fiscal Year 2016.

This training course provides general guidelines for securing information and information systems for federal employees though it may be a valuable outline for private sector employee learning.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Guidance

American Hospital Association. (2017). Cybersecurity.

This webpage is sponsored by the American Hospital Association and includes links to resources (e.g., webinars, tools, and fact sheets) stakeholders can use to protect their healthcare facilities.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Anderson, D., McNeil, M., and Rice, T. (2017). Cybersecurity in the Health Care Sector: Strengthening Public-Private Partnerships. U.S. House of Representatives, Committee on Energy and Commerce.

In this Congressional hearing, speakers emphasized the importance of cyber hygiene as it relates to patient safety and sector security.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

ASPR TRACIE. (2017). HHS Update: International Cyber Threat to Healthcare Organizations. U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Health.

This special issue of The Express contains information about the May 2017 international cyber threat to healthcare organizations.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Centers for Medicare & Medicaid Services. (2017). Homeland Security Threats.

This webpage includes links to cybersecurity resources deemed useful for Centers for Medicare and Medicaid Services surveyors, providers, and suppliers.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Cichonski, P., Millar, T., Grance, T., and Scarfone, K. (2012). Computer Security Incident Handling Guide. (NIST SP 800-61.) National Institute of Standards and Technology, U.S. Department of Commerce.

Cyber Storm is the U.S. Department of Homeland Security’s biennial cybersecurity exercise. This webpage includes highlights and lessons learned from exercises and links for more information.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Clark, D., Berson, T., and Lin, H.S. (Eds.). (2014). At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. (Free download.) The National Academies Press.

This book “is a call for action to make cybersecurity a public safety priority.” It provides a comprehensive overview of the field and approaches for assessing and improving cybersecurity.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Cybersecurity Unit. (2015). Best Practices for Victim Response and Reporting of Cyber Incidents.

This document provides planning and response guidance based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The authors drafted the document with smaller organizations (with fewer resources) in mind, but larger organizations should also find it useful.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Dietrich, T. and Schuler, K. (2016). The Business Case for Information Governance in Healthcare. BDO.

The authors explain the need for information governance programs in healthcare, and highlight the associated benefits (e.g., improved quality of care, increased operational effectiveness, reduced cost and risk).
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Filkins, B. (2014). Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon. SANS Institute.

The project team analyzed a year’s worth of healthcare intelligence data and provide an overview of the sector’s vulnerabilities (including the “Internet of Things” and challenges related to compliance). The author shares three case studies that demonstrate traffic and how healthcare networks were attacked and concludes with preparedness tips useful to both information technology professionals and emergency planners.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Filkins, B. (2014). New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations. SANS Institute.

The author presents results from a SANS 2014 State of Cybersecurity in Health Care Organizations survey. Overall, 41% of respondents ranked current data breach detection strategies as ineffective and more than half found the “negligent insider” to be the primary threat to security.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Health Information Trust Alliance. (2014). Healthcare's Model Approach to Critical Infrastructure Cybersecurity.

This white paper provides an overview of cybersecurity, including how it is being addressed in the healthcare enterprise, and the key elements of a cybersecurity program. Also included is a highly detailed mapping of how healthcare can implement the NIST Cybersecurity Framework, and how to best use threat intelligence.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Homeland Security Information Network. (2016). Cybersecurity Publications. (Free registration required.)

This library includes information on potential cybersecurity threats grouped into several categories: FBI Flash (information from the Liaison Alert System); HHS Cyber Threat Intelligence Program Product; DHS Weekly Analytic Synopsis; Ransomware; and other sources.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Independent Security Evaluators. (2016). Securing Hospitals: A Research Study and Blueprint.

The authors describe research conducted on a variety of hospital and healthcare-related infrastructures and systems; identify industry-specific challenges; and create a blueprint for improving healthcare facility security.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Johnson, C., Badger, L., and Waltermire, D., et al. (2016). Guide to Cyber Threat Information Sharing. (NIST SP 800-150.) National Institute of Standards and Technology, U.S. Department of Commerce.

This publication can help cyber professionals in the healthcare system establish and participate in cyber threat information sharing relationships. It contains information on developing information sharing goals, identifying threat sources, engaging with existing information sharing communities, and effectively using threat information, which can help health systems share threat information in a structured fashion.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* Joint HPH Cybersecurity Working Group. (2016). Healthcare Sector Cybersecurity Framework Implementation Guide.

This guide was developed in consultation with the Healthcare and Public Health (HPH) Sector Coordinating Council and Government Coordinating Council, along with input from other sector members and the U.S. Department of Homeland Security Critical Infrastructure Cyber Community. The goal of the guide is to help HPH Sector organizations understand and use the HITRUST Risk Management Framework—consisting of the HITRUST CSF, CSF Assurance Program, and supporting methodologies—to implement the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in the HPH Sector and meet its objectives for critical infrastructure protection.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Koppel, R., Smith, S., Blythe, J., and Kothari, V. (2015). Workarounds to Computer Access in Healthcare Organizations: You Want my Password or a Dead Patient? (Abstract only.) Studies in Health Technology and Informatics. 208: 215-220.

The authors examine the methods some healthcare providers use to circumvent cybersecurity. These “creative, flexible, and motivated” employees did not have criminal intention—they were presumably focused on providing patient care in a fast-paced environment.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity.

The three sections of this document (Framework Core, the Framework Profile, and the Framework Implementation Tiers) were developed to help organizations apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* National Institute of Standards and Technology. (2015). National Cybersecurity Workforce Framework.

The National Cybersecurity Workforce Framework was developed to provide employers, staff, training providers, and participants with a common set of skills and tasks (based on common language) to define and perform cybersecurity work. This webpage includes links to various framework materials which feature with tasks and skills tied to job categories.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Perakslis, E.D. and Stanley, M. (2016). A Cybersecurity Primer for Translational Research, Science Translational Medicine. Science Translational Medicine. 8(322): 2.

The authors discuss recent healthcare-related data breaches and how they could have been prevented. They also highlight the differences between compliance and security (and how they overlap)—particularly in the research arena—and share tips for improving cybersecurity.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Pilch, P. and Shaghaghi, S. (2016). Cybercrime: How the Healthcare Sector Can Protect Itself. (Registration required to access entire article.) Private Healthcare Investor.

The authors provide an overview of the cyber threat to the healthcare industry and tips for guarding against future attacks.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Scarfone, K. and Mell, P. (2012). Guide to Intrusion Detection and Prevention Systems (IDPS) (Draft). (NIST SP 800-94). National Institute of Standards and Technology, U.S. Department of Commerce.

This report provides an overview of four intrusion detection and prevention technologies: network-based, wireless, network behavior analysis (NBA), and host-based.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* Spelman, R. (2016). Hospital Leaders' Guide to Cybersecurity Risk Management and Response.

The speaker in this webinar explains cybersecurity risks and how to minimize them. He also provides an overview of vulnerability, how preparedness levels vary by organization, and lists types of cybersecurity risks (e.g., ransomware and phishing).
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). Security Rule Guidance Material. (Accessed 3/21/2017.)

This webpage assists healthcare professionals find information about the HIPAA Security Rule and provides links to other standards and resources on safeguarding electronic protected health information.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. (2017). Health Care Industry Cybersecurity Task Force.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

United States Computer Emergency Readiness Team. (n.d.). Resources for Business. (Accessed 3/21/2017.) U.S. Department of Homeland Security.

This webpage (known by the acronym US-CERT) features links to cybersecurity resources for businesses (e.g., healthcare facilities) grouped into the following categories: Resources to Identify, Resources to Protect, Resources to Detect, and Resources to Recover.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Valderrama, A., Lee, S., Batts, D., et al. (2016). Healthcare Organization and Hospital Discussion Guide For Cybersecurity. Centers for Disease Control and Prevention.

Healthcare facility staff can use this document--presented as a discussion-based exercise--to identify their cybersecurity challenges, needs, and strengths.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Incident Management

Bartock, M., Cichonski, J., Souppaya, M., et al. (2016). Guide for Cybersecurity Event Recovery. National Institute of Standards and Technology.

The authors provide guidance for cyber attack recovery planning and emphasize the importance of learning from past events and developing, testing, and improving recovery planning. This document includes an example scenario that demonstrates guidance and informative metrics that may be helpful for improving information systems resilience.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Forum of Incident Response and Security Teams. (2016). FIRST.

This membership organization is comprised of computer security incident response teams from government, educational, and commercial organizations. FIRST’s goals include encouraging cooperation and coordination in incident prevention, rapid incident response, and the promotion of information sharing among members and the community at large.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

ISACA. (2012). Incident Management and Response White Paper. (Free registration required.)

This document provides an overview of incident management and response as it relates to information security threats and incidents.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Mell, P., Kent, K., and Nusbaum, J. (2005). Guide to Malware Incident Prevention and Handling. (NIST SP 800-83.) National Institute of Standards and Technology, U.S. Department of Commerce.

The authors provide recommendations that can help an organization prevent, prepare for, respond to, and recover from malware incidents, especially widespread ones. Several types of malware are addressed (e.g., worms, viruses, and Trojan horses) and Appendix B provides malware incident handling scenarios that can help identify strengths and gaps in a facility’s cybersecurity plans.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* Spelman, R. (2016). Hospital Leaders' Guide to Cybersecurity Risk Management and Response.

The speaker in this webinar explains cybersecurity risks and how to minimize them. He also provides an overview of vulnerability, how preparedness levels vary by organization, and lists types of cybersecurity risks (e.g., ransomware and phishing).
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

The International Organization for Standardization. (n.d.). Information Security Incident Management. (ISO/IEC 27035; accessed 3/21/2017.)

Cybersecurity professionals can use the guidance in this International Standard to “a) detect, report and assess information security incidents; b) respond to and manage information security incidents; c) detect, assess and manage information security vulnerabilities; and d) continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.”
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.


Kent, K., Chevalier, S., Grance, T., and Dang, H. (2006). Guide to Integrating Forensic Techniques into Incident Response.

The guidance in this document can help cyber professionals develop digital forensic capabilities that complements local regulations. The authors provide comprehensive information on using the analysis process with four data categories (network traffic, files, operating systems, and applications).
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

The White House. (2013). Executive Order -- Improving Critical Infrastructure Cybersecurity.

This Executive Order directs the U.S. government to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

The White House. (2015). Executive Order -- Promoting Private Sector Cybersecurity Information Sharing.

This Executive Order builds upon the 2013 directive and Presidential Policy Directive-21, and calls for the U.S. Secretary of Homeland Security to “encourage the development and formation of Information Sharing and Analysis Organizations.” The organizations may include members from the public or private sectors and can operate as for-profit or nonprofit entities.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA for Professionals. (Accessed 6/10/2016.)

Cybersecurity professionals can locate information about HIPAA rules, guidance on compliance, the Office for Civil Rights’ enforcement activities, frequently asked questions, and more on this webpage.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA Training & Resources. (Accessed 3/21/2017.)

These training and resource materials were developed to help entities implement privacy and security protections. This webpage includes videos and slides from state attorneys general training and educational programs for healthcare providers.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

United States Congress. (2015). S.754 - Cybersecurity Information Sharing Act of 2015.

This bill requires the Director of National Intelligence and the U.S. Departments of Homeland Security, Defense, and Justice to develop strategies to share cybersecurity threat information with all entities under threats (e.g., private, nonfederal government agencies, state, tribal, and local governments, and the public). This includes information that could prevent/mitigate adverse effects and best practices.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Lessons Learned

ASPR TRACIE. (2016). Cybersecurity and Healthcare Facilities. U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response.

Cybersecurity is a critical issue facing the ASPR TRACIE audience. In this webinar, a distinguished panel of experts describe lessons learned from recent experiences, planning considerations, and steps the federal government is taking to address cybersecurity and cyber hygiene.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Davis, J. (2016). Human Element the Weakest Link in Healthcare Security, Says Verizon Report. Healthcare IT News.

Verizon examined more than 100,000 security incidents and found that of the 166 healthcare breaches, 115 had confirmed data loss, 32% were caused by stolen assets, and 23% were a result of privilege misuse. The report also found reuse of credentials to be a healthcare-specific risk.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Duncan, I., McDaniels, A.K., and Campbell, C. (2016). Hackers Offering Bulk Discount to Unlock Encrypted MedStar Data. The Baltimore Sun.

The authors provide an overview of a recent attack on MedStar (a system in the Baltimore-Washington, DC region), highlighting the need for newer employees to also be familiar with more traditional (non-electronic) paper-pencil methods for maintaining records.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Johnson, A. and Millett, L. (2016). Data Breach Aftermath and Recovery for Individuals and Institutions: Proceedings of a Workshop (2016).

Participants in this workshop discussed protecting and assisting healthcare consumers in the wake of a data breach.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Stone, J. (2016). (2016). Hackers Ransom Attack on California Hospital More Proof Healthcare Cybersecurity Is Floundering. International Business Times.

The author provides an overview of the cyberattack on Hollywood Presbyterian Medical Center (CA).
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. (2016). Health Care Industry Cybersecurity Task Force Fourth In-Person Meeting.

In this final meeting (of four), participants from the task force discussed outstanding challenges (e.g., protecting medical devices from cyber attacks) and strategies for addressing them via policy and practice.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Homeland Security. (2016). Cyber Storm: Securing Cyber Space.

Cyber Storm is the U.S. Department of Homeland Security’s biennial cybersecurity exercise. This webpage includes highlights and lessons learned from exercises and links for more information.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Verizon. (2016). 2016 Data Breach Investigations Report.

This comprehensive report details data from over 100,000 incidents affecting various industries, including healthcare. Victim demographics, vulnerabilities, phishing, and incident classification patterns are discussed and an entire appendix is devoted to “attack graphs.”
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Medical Devices

Armstrong, D.G. Kleidermacher, D.N., Klonoff, D.C., and Slepian, M.J. (2015). Cybersecurity Regulation of Wireless Devices for Performance and Assurance in the Age of "Medjacking.". Journal of Diabetes Science and Technology. 10(2): 435-438.

The authors outline a framework for securing wireless health devices to minimize the occurrence of “medjacking,” or the hacking medical devices.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Gerard, P., Kapadia, N., Acharya, J., et al. (2013). Cybersecurity in Radiology: Access of Public Hot Spots and Public Wi-Fi and Prevention of Cybercrimes and HIPAA Violations. (Abstract only.) American Journal of Roentgenology. 201(6): 1186-1189.

The authors list steps that can be taken to protect sensitive information while transferring medical information over public and home networks. They emphasize the importance of these steps and strategies as the role of information technology in modern radiology practice increases.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Klonoff, D.C. (2015). Cybersecurity for Connected Diabetes Devices. Journal of Diabetes Science and Technology. 9(5):1143-7.

The author provides an overview of the “CIA Triad” for information security, where C stands for confidentiality, I stands for integrity, and A stands for availability. The author explains how a cybersecurity standard designed specifically for connected diabetes devices will improve device safety and increase security.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Kramer, D.B., Baker, M., Ransford, B., et al. (2012). Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance. PLoS One. 7(7):e40200.

The authors evaluated recalls and adverse events related to security and privacy risks of medical devices and found “sharp inconsistencies” in the way individual providers secured devices. The authors challenged manufacturers and regulators to consider the security and privacy elements of their devices and systems and to build the ability to collect cybersecurity threat indicators into their medical devices.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Food and Drug Administration. (2014). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. U.S. Department of Health and Human Services.

This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management. Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Food and Drug Administration. (2016). Moving Forward: Collaborative Approaches to Medical Device Cybersecurity, January 20-21, 2016. U.S. Department of Health and Human Services.

Users can access webcasts, presentations, transcripts, and a program book from this meeting held in 2016 as well as the new January 2016 draft guidance on medical devices (updated from 2014). Speakers in the workshop highlighted collaborative efforts and shared information about existing frameworks that can help assess an organization’s cybersecurity processes.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Food and Drug Administration. (2016). Postmarket Management of Cybersecurity in Medical Devices.

This guidance can help manufacturers and healthcare providers manage cybersecurity in medical devices, particularly those that are networked.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Food and Drug Administration. (2017). Cybersecurity.

This webpage highlights the U.S. Food and Drug Administration's efforts to secure medical devices. It includes links to helpful resources, including webinars and guidance documents.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Food and Drug Administration. (2017). The FDA's Role in Medical Device Cybersecurity.

Myths and facts about medical device cybersecurity are shared in this table geared towards manufacturers and providers.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Food and Drug Administration. (2017). Webinar-Postmarket Management of Cybersecurity in Medical Devices-Final Guidance-January 12, 2017.

This webinar sponsored by the U.S. Food and Drug Administration (FDA): clarified recommendations for managing postmarket cybersecurity vulnerabilities; emphasized the importance of monitoring, identifying, and addressing cybersecurity vulnerabilities and attacks on a continual basis; highlighted the importance of establishing a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA; and outlined circumstances in which the FDA does not intend to enforce reporting requirements under 21 CFR, part 806.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Williams, P.A. and Woodward, A.J. (2015). Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem. Medical Devices. 8:305-16.

The authors review the factors that can contribute to cybersecurity vulnerabilities in medical devices and provide guidance regarding protection mechanisms, mitigations, and processes.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Plans, Tools, and Templates

Health Information Trust Alliance. (2014). HITRUST De-Identification Framework. (Free registration required.)

Developed in collaboration with healthcare, information security, and de-identification professionals, the HITRUST De-Identification Framework provides a consistent, managed methodology for the contextual de-identification of data and the sharing of compliance and risk information amongst entities and their key stakeholders. The Framework provides 12 criteria for a successful de-identification program and methodology that can be scaled to any organization: the first four criteria address the programmatic and administrative controls that an organization should have in place to govern de-identification, and the remaining eight criteria may be used to derive a de-identified data set, either on an ad hoc basis or by instituting a process that will deliver de-identified data sets.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare and Public Health Sector Coordinating Councils. (2014). Protecting the Digital Infrastructure: Cybersecurity Checklist.

This short (introductory) checklist can help healthcare providers protect their digital infrastructure.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

IAPP. (2016). Security Breach Response Plan Toolkit.

This toolkit can help healthcare facility cybersecurity planners create a security breach response plan and lower the risk of a breach that could compromise patient health and the reputation of the facility.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* Joint HPH Cybersecurity Working Group. (2016). Healthcare Sector Cybersecurity Framework Implementation Guide.

This guide was developed in consultation with the Healthcare and Public Health (HPH) Sector Coordinating Council and Government Coordinating Council, along with input from other sector members and the U.S. Department of Homeland Security Critical Infrastructure Cyber Community. The goal of the guide is to help HPH Sector organizations understand and use the HITRUST Risk Management Framework—consisting of the HITRUST CSF, CSF Assurance Program, and supporting methodologies—to implement the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in the HPH Sector and meet its objectives for critical infrastructure protection.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Kent, K. and Souppaya, M. (2006). Guide to Computer Security Log Management. (NIST SP 800-92). National Institute of Standards and Technology, U.S. Department of Commerce.

The authors emphasize the need for log management and provide guidelines that can help healthcare facility cyber professionals establish related robust policies and procedures.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

National Council of Information Sharing and Analysis Centers. (2016). Information Sharing and Analysis Centers and Their Role in Critical Infrastructure Protection.

This factsheet provides an explanation of Information Sharing and Analysis Centers and highlights recent accomplishments.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

National Institute of Standards and Technology. (2014). Framework for Improving Critical Infrastructure Cybersecurity (V. 1.0).

This document provides a detailed framework to protect critical infrastructure and a set of activities to achieve specific cybersecurity outcomes. The Core Functions include: Identify, Protect, Detect, Respond, and Recover, and Section 3 of the guide includes examples of how the framework can be employed.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

* National Institute of Standards and Technology. (2015). National Cybersecurity Workforce Framework.

The National Cybersecurity Workforce Framework was developed to provide employers, staff, training providers, and participants with a common set of skills and tasks (based on common language) to define and perform cybersecurity work. This webpage includes links to various framework materials which feature with tasks and skills tied to job categories.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Energy. (2014). Cybersecurity Capability Maturity Model (C2M2).

The C2M2 model can help healthcare facilities evaluate their cybersecurity capabilities. Sections of this document are geared towards decision makers, leaders/managers, practitioners, and facilitators.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (2016). HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

This document maps paths between two seminal healthcare cybersecurity documents. It can help healthcare planners use the Cybersecurity Framework as a “common language” and identify gaps to boost compliance with the Security Rule.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Homeland Security. (n.d.). Assessments: Cyber Resilience Review (CRR). (Accessed 3/21/2017.)

This website explains the (free) cyber resilience review process and lists benefits and variables measured. It also explains the cyber security evaluation tool and its benefits. Important links for getting started and requesting reviews are also included.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

United States Computer Emergency Readiness Team. (2016). The National Cyber Incident Response Plan (NCIRP).

This plan applies to significant cyber incidents that have the potential to cause significant harm to national security interests, foreign relations, economy, or public health and safety. Sections include Roles and Responsibilities; Core Capabilities; and Coordinating Structures and Integration. Additional guidance is provided in the appendices.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Ransomware Resources

Callahan, M. (2016). What Hospitals Need to Know about Ransomware. American Hospital Association.

The author provides a brief introduction and overview of ransomware, how it can be used to infect mobile and desktop devices, and the importance of security and regularly backing up patient and facility data.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Shaghaghi, S. and Pilch, P. (2016). HIT Think Ransomware: What Providers Should do now. (Registration required to access entire article.) Health Data Management.

The authors discuss steps facilities can take to prevent and mitigate the effects of a ransomware attack.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Shaghaghi, S. and Pilch, P. (2016). Preparing For and Responding To Hospital Ransomware Attacks. BDO.

The authors illustrate the actual and projected rise of ransomware attacks on all industries, and share related preparedness and response strategies for healthcare facilities.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Homeland Security. (2016). HSIN-HPH Bulletin: Ransomware (Locky Variant). (Subscription required.)

This bulletin includes an overview of Locky ransomware, how it has traditionally been delivered, and mitigation steps for healthcare facilities.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

United States Computer Emergency Readiness Team. (2016). Ransomware and Recent Variants.

This factsheet provides an overview of ransomware and shares how the variants Locky and Samas were recently used to compromise healthcare networks.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Risk and Threat

Anti-Phishing Work Group. (2016). APWG.

The Anti-Phishing Working Group (AFWG) is a coalition whose goal is to unify “the global response to cybercrime across industry, government, and law enforcement sectors and NGO communities.” Their website includes links to helpful resources, reporting mechanisms, programming options, and the like.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Financial Services Sector Coordinating Council. (2015). Automated Cybersecurity Assessment Tool. (Located at the bottom of the page.)

This tool—available in Excel—can help healthcare institutions identify their risks, assess their cybersecurity preparedness, and inform related risk management plans and strategies.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare Information and Management Systems Society. (2015). 2015 HIMSS Cybersecurity Survey. (Executive summary only.)

Nearly 300 individuals from the healthcare field completed this cybersecurity survey, and 87% indicated that information security had gained ground as a business priority over the past year. Sixty-four percent of respondents reported incidents committed by external actors (e.g., hackers or scam artists). Approximately 20% of these events led to the loss of patient, financial, or operational data.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare IT News. (2015). Infographic: Greatest Areas of Improvement in Cybersecurity.

This infographic—based on findings from the 2015 Healthcare Information and Management Systems Society survey—shows that survey respondents chose cybersecurity and network security as the two areas that have seen the greatest amount of improvement.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Healthcare IT News. (2015). Infographic: Top 10 Cybersecurity Threats of the Future.

Healthcare Information and Management Systems Society survey respondents listed ten cybersecurity threats they will be challenged by in the future. Some of these threats include: phishing attacks, known software vulnerabilities, denial of service attacks, and negligent insiders.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

InfraGuard. (n.d.). InfraGuard: Partnership for Prevention. (Accessed 3/21/2017.)

InfraGard is a partnership between the private sector and the Federal Bureau of Investigation, and includes members from businesses, academic institutions, state and local law enforcement agencies, and other participants who represent 16 critical infrastructures (including emergency services and healthcare and public health). Interested parties can apply to join online, and the open-access part of the webpage includes links to state and local chapters and a calendar of events.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Internet Storm Center. (2016). Internet Storm Center (ISC).

This volunteer-run webpage was created in 2001 and features free warning and analysis to Internet users while working closely with Internet service providers to combat cyberattacks. The webpage features daily “Stormcasts” and links to articles, patches, podcasts, tools, and other helpful information.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Ipswitch. (2016). Sponsored: Report Reveals Only 30 percent of Healthcare IT Teams are Restricting Insecure Cloud File Sharing.

In a vendor-sponsored survey, 38% of healthcare information technology respondents indicated that they use cloud file sharing services (for patient records and medical data). Just 40% of U.S. respondents (and 20% of European respondents) reported having related restrictive policies.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

McCann, E. (2012). Healthcare Data Breaches on the Rise, with Potential $7B Price Tag. Healthcare IT News.

According to the author, the third annual “Benchmark Study on Patient Privacy and Data Security" found that 94 % of hospitals reported experiencing data breaches over the past two years (involving medical files, billing, and insurance records). Many breaches are a result of preventable incidents (e.g., loss of equipment, employee errors). The associated cost to healthcare facilities is staggering
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Siwicki, B. (2016). Ponemon: 89 Percent of Healthcare Entities Experienced Data Breaches. Healthcare IT News.

Findings from the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data highlighted that, so far in 2016, half of data breaches in healthcare are due to criminal activity. The other half are due to mistakes.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). OCR Cyber Awareness Newsletters. (Accessed 3/21/2017.)

The Office for Civil Rights issues periodic newsletters share knowledge about the various security threats and vulnerabilities that currently exist in the healthcare sector, helping stakeholders understand what security measures can be taken to decrease the possibility of being exposed by these threats, and how to reduce breaches of electronic protected health information.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Zetter, K. (2016). Why Hospitals are the Perfect Targets for Ransomware. Wired.

According to the author, hospitals make “good” targets because delays in paying ransom could result in the death of a patient or lawsuit. Lack of staff training on cybersecurity awareness was another reason experts listed.
Please Login to Add favorite.
This Article is not Rated. 0-5 Stars Please Login to rate.
You must login to add a comment.

Agencies and Organizations

Note: The agencies and organizations listed in this section have a page, program, or specific research dedicated to this topic area.

American Hospital Association. Cybersecurity.



Federal Bureau of Investigation. Cyber Crime.



Healthcare Information and Management Systems Society. HIMSS Healthcare Cybersecurity Environmental Scan Reports.

HealthcareITNews. Privacy and Security.






National Institute of Standards and Technology. Cybersecurity Framework.

U.S. Department of Health and Human Services. Office for Civil Rights.

U.S. Department of Health and Human Services, Office for Civil Rights. HIPAA for Professionals.

U.S. Department of Homeland Security. United States Computer Emergency Response Team.

U.S. Food and Drug Administration. Cybersecurity.

This ASPR TRACIE Topic Collection was comprehensively reviewed in May 2016 by the following subject matter experts (listed in alphabetical order):

Bryan Cline, Ph.D., Vice President, Standards & Analytics, Health Information Trust Alliance; Scott Cormier, Vice President, Emergency Management, EC, and Safety, Medxcel; Steve Curren, MSFS, Director, Division of Resilience, Office of Emergency Management, HHS ASPR; Andrea Geiger, Health Information Privacy and Security Specialist, U.S. Department of Health and Human Services, Office for Civil Rights; John Hick, MD, HHS ASPR and Hennepin County Medical Center; Iliana Peters, Senior Health Information Privacy Specialist, U.S. Department of Health and Human Services, Office for Civil Rights; Patrick Pilch, CPA, MBA, Managing Director and National Healthcare Advisory Leader, BDO; Shahryar Shaghaghi, MS, Technology Advisory Services National Leader and Head of International Cybersecurity, BDO; and Staff from the Office of Information Security, HHS.