Cybersecurity
Topic Collection
January 21, 2021
Topic Collection: Cybersecurity
Recent cyberattacks on healthcare facilities have had significant effects on every aspect of patient care and organizational continuity. They highlight the need for healthcare organizations of all sizes and types to implement cybersecurity best practices and conduct robust planning and exercising for cyber incident response and consequence management. As the number of cyberattacks on this sector increases, healthcare practitioners, facility executives, information technology professionals, and emergency managers must remain current on the ever-changing nature and type of threats to their facilities, systems, patients, and staff. The resources in this Topic Collection can help stakeholders better protect against, mitigate, respond to, and recover from cyber threats, ensuring patient safety and operational continuity. This Topic Collection was updated in May 2017.
Each resource in this Topic Collection is placed into one or more of the following categories (click on the category name to be taken directly to that set of resources). Resources marked with an asterisk (*) appear in more than one category.
Must Reads
This document provides planning and response guidance based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The authors drafted the document with smaller organizations (with fewer resources) in mind, but larger organizations should also find it useful.
Login to rate, favorite, and comments on the article
The project team analyzed a year’s worth of healthcare intelligence data and provide an overview of the sector’s vulnerabilities (including the “Internet of Things” and challenges related to compliance). The author shares three case studies that demonstrate traffic and how healthcare networks were attacked and concludes with preparedness tips useful to both information technology professionals and emergency planners.
Login to rate, favorite, and comments on the article
This short (introductory) checklist can help healthcare providers protect their digital infrastructure.
Login to rate, favorite, and comments on the article
This primer can help healthcare providers learn more about the basics of cybersecurity, common vulnerabilities and threats, and how to manage risk. Also included is a matrix of threats with consequences that can be helpful to administrators.
Login to rate, favorite, and comments on the article
This publication can help cyber professionals in the healthcare system establish and participate in cyber threat information sharing relationships. It contains information on developing information sharing goals, identifying threat sources, engaging with existing information sharing communities, and effectively using threat information, which can help health systems share threat information in a structured fashion.
Login to rate, favorite, and comments on the article
This document provides a detailed framework to protect critical infrastructure and a set of activities to achieve specific cybersecurity outcomes. The Core Functions include: Identify, Protect, Detect, Respond, and Recover, and Section 3 of the guide includes examples of how the framework can be employed.
Login to rate, favorite, and comments on the article
The authors discuss recent healthcare-related data breaches and how they could have been prevented. They also highlight the differences between compliance and security (and how they overlap)—particularly in the research arena—and share tips for improving cybersecurity.
Login to rate, favorite, and comments on the article
This guidance document: provides an overview of the current cybersecurity threats faced by the healthcare and public health (HPH) sector; highlights challenges and weaknesses that increase HPH organizational vulnerability; and shares promising practices ranked by cybersecurity experts as the most effective to mitigate the threats.
Login to rate, favorite, and comments on the article
This webpage assists healthcare professionals find information about the HIPAA Security Rule and provides links to other standards and resources on safeguarding electronic protected health information.
Login to rate, favorite, and comments on the article
U.S. Department of Health and Human Services, Office for Civil Rights and Office of the National Coordinator for Health Information Technology. (2015).
Security Risk Assessment (SRA) Tool.
The Security Risk Assessment tool was designed to help guide healthcare providers in small to medium-sized offices conduct risk assessments of their organizations’ HIPAA compliance. This webpage contains a user guide and tutorial video. Users can download the 156 question app to their computers or iPads.
Login to rate, favorite, and comments on the article
United States Computer Emergency Readiness Team. (n.d.).
Resources for Business.
(Accessed 10/1/2019.)U.S. Department of Homeland Security.
This webpage (known by the acronym US-CERT) features links to cybersecurity resources for businesses (e.g., healthcare facilities) grouped into the following categories: Resources to Identify, Resources to Protect, Resources to Detect, and Resources to Recover.
Login to rate, favorite, and comments on the article
This factsheet provides an overview of ransomware and shares how the variants Locky and Samas were recently used to compromise healthcare networks.
Login to rate, favorite, and comments on the article
The authors review the factors that can contribute to cybersecurity vulnerabilities in medical devices and provide guidance regarding protection mechanisms, mitigations, and processes.
Login to rate, favorite, and comments on the article
Education and Training
This guide can help staff in healthcare facilities design, develop, conduct and evaluate cybersecurity tests, training, and exercise events.
Login to rate, favorite, and comments on the article
This primer can help healthcare providers learn more about the basics of cybersecurity, common vulnerabilities and threats, and how to manage risk. Also included is a matrix of threats with consequences that can be helpful to administrators.
Login to rate, favorite, and comments on the article
This webpage includes links to scheduled web-based and instructor-led cybersecurity training on the ICS-CERT calendar. These programs are geared toward industrial control system protection.
Login to rate, favorite, and comments on the article
National Initiative for Cybersecurity Careers and Studies. (n.d.).
Training.
(Accessed 5/11/2020.)U.S. Department of Homeland Security.
From this webpage, visitors can search for offered trainings by focus area, offering entity, level of training, location of training, and other factors as well as access various on-line training sites.
Login to rate, favorite, and comments on the article
The National Cybersecurity Workforce Framework was developed to provide employers, staff, training providers, and participants with a common set of skills and tasks (based on common language) to define and perform cybersecurity work. This webpage includes links to various framework materials which feature with tasks and skills tied to job categories.
Login to rate, favorite, and comments on the article
These training and resource materials were developed to help entities implement privacy and security protections. This webpage includes videos and slides from state attorneys general training and educational programs for healthcare providers.
Login to rate, favorite, and comments on the article
Healthcare organizations can download this zip file which contains a package of materials that can help them plan and organize a cyber tabletop exercise.
Login to rate, favorite, and comments on the article
Education and Training: HHS-Specific
These rules apply to government employees, contractors, and other system users and must be read by all new users prior to accessing HHS data, systems, or networks. The policies may serve as a helpful template for private sector entities.
Login to rate, favorite, and comments on the article
This training course defines the security responsibilities for senior executives within HHS.
Login to rate, favorite, and comments on the article
This training course defines the security responsibilities for IT Administrators within HHS.
Login to rate, favorite, and comments on the article
This training course defines the security responsibilities for information technology and program managers within HHS.
Login to rate, favorite, and comments on the article
This training course provides general guidelines for securing information and information systems for federal employees though it may be a valuable outline for private sector employee learning.
Login to rate, favorite, and comments on the article
Guidance
This webpage is sponsored by the American Hospital Association and includes links to resources (e.g., webinars, tools, and fact sheets) stakeholders can use to protect their healthcare facilities.
Login to rate, favorite, and comments on the article
Anderson, D., McNeil, M., and Rice, T. (2017).
Cybersecurity in the Health Care Sector: Strengthening Public-Private Partnerships.
(Book available for purchase.)
In this Congressional hearing, speakers emphasized the importance of cyber hygiene as it relates to patient safety and sector security.
Login to rate, favorite, and comments on the article
ASPR TRACIE. (2016).
The Exchange, Issue 2.
United States Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response.
This issue of the newsletter focuses on cybersecurity and cyber hygiene.
Login to rate, favorite, and comments on the article
This special issue of The Express contains information about the May 2017 international cyber threat to healthcare organizations.
Login to rate, favorite, and comments on the article
This webpage includes links to cybersecurity resources deemed useful for Centers for Medicare and Medicaid Services surveyors, providers, and suppliers.
Login to rate, favorite, and comments on the article
This publication can help agencies establish computer security incident response capabilities and ensure that incidents are handled efficiently and effectively.
Login to rate, favorite, and comments on the article
In this short fact sheet, the Cybersecurity and Infrastructure Security Agency (CISA), Multi-State Information Sharing and Analysis Center (MS-ISAC), National Governors Association (NGA), and the National Association of State Chief Information Officers (NASCIO) list three steps to take to build critical infrastructure resilience against ransomware.
Login to rate, favorite, and comments on the article
This book “is a call for action to make cybersecurity a public safety priority.” It provides a comprehensive overview of the field and approaches for assessing and improving cybersecurity.
Login to rate, favorite, and comments on the article
This document provides planning and response guidance based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The authors drafted the document with smaller organizations (with fewer resources) in mind, but larger organizations should also find it useful.
Login to rate, favorite, and comments on the article
The authors explain the need for information governance programs in healthcare, and highlight the associated benefits (e.g., improved quality of care, increased operational effectiveness, reduced cost and risk).
Login to rate, favorite, and comments on the article
The project team analyzed a year’s worth of healthcare intelligence data and provide an overview of the sector’s vulnerabilities (including the “Internet of Things” and challenges related to compliance). The author shares three case studies that demonstrate traffic and how healthcare networks were attacked and concludes with preparedness tips useful to both information technology professionals and emergency planners.
Login to rate, favorite, and comments on the article
The author presents results from a SANS 2014 State of Cybersecurity in Health Care Organizations survey. Overall, 41% of respondents ranked current data breach detection strategies as ineffective and more than half found the “negligent insider” to be the primary threat to security.
Login to rate, favorite, and comments on the article
This white paper provides an overview of cybersecurity, including how it is being addressed in the healthcare enterprise, and the key elements of a cybersecurity program. Also included is a highly detailed mapping of how healthcare can implement the NIST Cybersecurity Framework, and how to best use threat intelligence.
Login to rate, favorite, and comments on the article
This report highlights the cost of data breaches on healthcare facilities and how these costs are computed. Steps for mitigating risks are included, along with links to related resources.
Login to rate, favorite, and comments on the article
This library includes information on potential cybersecurity threats grouped into several categories: FBI Flash (information from the Liaison Alert System); HHS Cyber Threat Intelligence Program Product; DHS Weekly Analytic Synopsis; Ransomware; and other sources.
Login to rate, favorite, and comments on the article
This guide can help smaller to mid-sized healthcare organizations manage supply chain cybersecurity risk.
Login to rate, favorite, and comments on the article
The authors describe research conducted on a variety of hospital and healthcare-related infrastructures and systems; identify industry-specific challenges; and create a blueprint for improving healthcare facility security.
Login to rate, favorite, and comments on the article
This publication can help cyber professionals in the healthcare system establish and participate in cyber threat information sharing relationships. It contains information on developing information sharing goals, identifying threat sources, engaging with existing information sharing communities, and effectively using threat information, which can help health systems share threat information in a structured fashion.
Login to rate, favorite, and comments on the article
This guide was developed in consultation with the Healthcare and Public Health (HPH) Sector Coordinating Council and Government Coordinating Council, along with input from other sector members and the U.S. Department of Homeland Security Critical Infrastructure Cyber Community. The goal of the guide is to help HPH Sector organizations understand and use the HITRUST Risk Management Framework—consisting of the HITRUST CSF, CSF Assurance Program, and supporting methodologies—to implement the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in the HPH Sector and meet its objectives for critical infrastructure protection.
Login to rate, favorite, and comments on the article
The authors examine the methods some healthcare providers use to circumvent cybersecurity. These “creative, flexible, and motivated” employees did not have criminal intention—they were presumably focused on providing patient care in a fast-paced environment.
Login to rate, favorite, and comments on the article
The National Cybersecurity Workforce Framework was developed to provide employers, staff, training providers, and participants with a common set of skills and tasks (based on common language) to define and perform cybersecurity work. This webpage includes links to various framework materials which feature with tasks and skills tied to job categories.
Login to rate, favorite, and comments on the article
The three sections of this document (updated in 2018) (Framework Core, the Framework Profile, and the Framework Implementation Tiers) were developed to help organizations apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure.
Login to rate, favorite, and comments on the article
The toolkit can help rural healthcare facilities develop a cybersecurity program focused on awareness, assessment, implementation & remediation, and education.
Login to rate, favorite, and comments on the article
The authors discuss recent healthcare-related data breaches and how they could have been prevented. They also highlight the differences between compliance and security (and how they overlap)—particularly in the research arena—and share tips for improving cybersecurity.
Login to rate, favorite, and comments on the article
The authors provide an overview of the cyber threat to the healthcare industry and tips for guarding against future attacks.
Login to rate, favorite, and comments on the article
This report provides an overview of four intrusion detection and prevention technologies: network-based, wireless, network behavior analysis (NBA), and host-based.
Login to rate, favorite, and comments on the article
The speaker in this webinar explains cybersecurity risks and how to minimize them. He also provides an overview of vulnerability, how preparedness levels vary by organization, and lists types of cybersecurity risks (e.g., ransomware and phishing).
Login to rate, favorite, and comments on the article
This guidance document: provides an overview of the current cybersecurity threats faced by the healthcare and public health (HPH) sector; highlights challenges and weaknesses that increase HPH organizational vulnerability; and shares promising practices ranked by cybersecurity experts as the most effective to mitigate the threats.
Login to rate, favorite, and comments on the article
This webpage assists healthcare professionals find information about the HIPAA Security Rule and provides links to other standards and resources on safeguarding electronic protected health information.
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
This document highlights cybersecurity practices for small health care organizations, which do not traditionally have the resources needed for dedicated information technology staff.
Login to rate, favorite, and comments on the article
This presentation highlights the threat, some early examples, operational impacts on healthcare, emerging trends, and strategies for protecting from and detecting threats.
Login to rate, favorite, and comments on the article
United States Computer Emergency Readiness Team. (n.d.).
Resources for Business.
(Accessed 10/1/2019.)U.S. Department of Homeland Security.
This webpage (known by the acronym US-CERT) features links to cybersecurity resources for businesses (e.g., healthcare facilities) grouped into the following categories: Resources to Identify, Resources to Protect, Resources to Detect, and Resources to Recover.
Login to rate, favorite, and comments on the article
Healthcare facility staff can use this document--presented as a discussion-based exercise--to identify their cybersecurity challenges, needs, and strengths.
Login to rate, favorite, and comments on the article
Incident Management
The authors provide guidance for cyber attack recovery planning and emphasize the importance of learning from past events and developing, testing, and improving recovery planning. This document includes an example scenario that demonstrates guidance and informative metrics that may be helpful for improving information systems resilience.
Login to rate, favorite, and comments on the article
The authors highlight the importance of managing technological incidents quickly and collaboratively with the facility's emergency preparedness department. They share a case study of a healthcare system in the Midwest where the IT and emergency preparedness departments partners to design a major incident management system based closely on the hospital incident command structure.
Login to rate, favorite, and comments on the article
Forum of Incident Response and Security Teams. (2016).
FIRST.
This membership organization is comprised of computer security incident response teams from government, educational, and commercial organizations. FIRST’s goals include encouraging cooperation and coordination in incident prevention, rapid incident response, and the promotion of information sharing among members and the community at large.
Login to rate, favorite, and comments on the article
This document provides an overview of incident management and response as it relates to information security threats and incidents.
Login to rate, favorite, and comments on the article
The authors provide recommendations that can help an organization prevent, prepare for, respond to, and recover from malware incidents, especially widespread ones. Several types of malware are addressed (e.g., worms, viruses, and Trojan horses) and Appendix B provides malware incident handling scenarios that can help identify strengths and gaps in a facility’s cybersecurity plans.
Login to rate, favorite, and comments on the article
The speaker in this webinar explains cybersecurity risks and how to minimize them. He also provides an overview of vulnerability, how preparedness levels vary by organization, and lists types of cybersecurity risks (e.g., ransomware and phishing).
Login to rate, favorite, and comments on the article
Cybersecurity professionals can use the guidance in this International Standard to “a) detect, report and assess information security incidents; b) respond to and manage information security incidents; c) detect, assess and manage information security vulnerabilities; and d) continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities.”
Login to rate, favorite, and comments on the article
Legal/Regulatory Resources
The guidance in this document can help cyber professionals develop digital forensic capabilities that complements local regulations. The authors provide comprehensive information on using the analysis process with four data categories (network traffic, files, operating systems, and applications).
Login to rate, favorite, and comments on the article
This Executive Order directs the U.S. government to “increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.”
Login to rate, favorite, and comments on the article
This Executive Order builds upon the 2013 directive and Presidential Policy Directive-21, and calls for the U.S. Secretary of Homeland Security to “encourage the development and formation of Information Sharing and Analysis Organizations.” The organizations may include members from the public or private sectors and can operate as for-profit or nonprofit entities.
Login to rate, favorite, and comments on the article
*
U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.).
HIPAA for Professionals.
(Accessed 10/1/2019.)
Cybersecurity professionals can locate information about HIPAA rules, guidance on compliance, the Office for Civil Rights’ enforcement activities, frequently asked questions, and more on this webpage.
Login to rate, favorite, and comments on the article
These training and resource materials were developed to help entities implement privacy and security protections. This webpage includes videos and slides from state attorneys general training and educational programs for healthcare providers.
Login to rate, favorite, and comments on the article
This bill requires the Director of National Intelligence and the U.S. Departments of Homeland Security, Defense, and Justice to develop strategies to share cybersecurity threat information with all entities under threats (e.g., private, nonfederal government agencies, state, tribal, and local governments, and the public). This includes information that could prevent/mitigate adverse effects and best practices.
Login to rate, favorite, and comments on the article
Lessons Learned
Cybersecurity is a critical issue facing the ASPR TRACIE audience. In this webinar, a distinguished panel of experts describe lessons learned from recent experiences, planning considerations, and steps the federal government is taking to address cybersecurity and cyber hygiene.
Login to rate, favorite, and comments on the article
Verizon examined more than 100,000 security incidents and found that of the 166 healthcare breaches, 115 had confirmed data loss, 32% were caused by stolen assets, and 23% were a result of privilege misuse. The report also found reuse of credentials to be a healthcare-specific risk.
Login to rate, favorite, and comments on the article
The authors provide an overview of a recent attack on MedStar (a system in the Baltimore-Washington, DC region), highlighting the need for newer employees to also be familiar with more traditional (non-electronic) paper-pencil methods for maintaining records.
Login to rate, favorite, and comments on the article
This report highlights the cost of data breaches on healthcare facilities and how these costs are computed. Steps for mitigating risks are included, along with links to related resources.
Login to rate, favorite, and comments on the article
Participants in this workshop discussed protecting and assisting healthcare consumers in the wake of a data breach.
Login to rate, favorite, and comments on the article
The author provides an overview of the cyberattack on Hollywood Presbyterian Medical Center (CA).
Login to rate, favorite, and comments on the article
In this final meeting (of four), participants from the task force discussed outstanding challenges (e.g., protecting medical devices from cyber attacks) and strategies for addressing them via policy and practice.
Login to rate, favorite, and comments on the article
This presentation highlights the threat, some early examples, operational impacts on healthcare, emerging trends, and strategies for protecting from and detecting threats.
Login to rate, favorite, and comments on the article
Cyber Storm is the U.S. Department of Homeland Security’s biennial cybersecurity exercise. This webpage includes highlights and lessons learned from exercises and links for more information.
Login to rate, favorite, and comments on the article
This comprehensive report details data from over 100,000 incidents affecting various industries, including healthcare. Victim demographics, vulnerabilities, phishing, and incident classification patterns are discussed and an entire appendix is devoted to “attack graphs.”
Login to rate, favorite, and comments on the article
Medical Devices
The authors outline a framework for securing wireless health devices to minimize the occurrence of “medjacking,” or the hacking medical devices.
Login to rate, favorite, and comments on the article
The authors list steps that can be taken to protect sensitive information while transferring medical information over public and home networks. They emphasize the importance of these steps and strategies as the role of information technology in modern radiology practice increases.
Login to rate, favorite, and comments on the article
The author provides an overview of the “CIA Triad” for information security, where C stands for confidentiality, I stands for integrity, and A stands for availability. The author explains how a cybersecurity standard designed specifically for connected diabetes devices will improve device safety and increase security.
Login to rate, favorite, and comments on the article
The authors evaluated recalls and adverse events related to security and privacy risks of medical devices and found “sharp inconsistencies” in the way individual providers secured devices. The authors challenged manufacturers and regulators to consider the security and privacy elements of their devices and systems and to build the ability to collect cybersecurity threat indicators into their medical devices.
Login to rate, favorite, and comments on the article
This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management. Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.
Login to rate, favorite, and comments on the article
Users can access webcasts, presentations, transcripts, and a program book from this meeting held in 2016 as well as the new January 2016 draft guidance on medical devices (updated from 2014). Speakers in the workshop highlighted collaborative efforts and shared information about existing frameworks that can help assess an organization’s cybersecurity processes.
Login to rate, favorite, and comments on the article
This guidance can help manufacturers and healthcare providers manage cybersecurity in medical devices, particularly those that are networked.
Login to rate, favorite, and comments on the article
This webpage highlights the U.S. Food and Drug Administration's efforts to secure medical devices. It includes links to helpful resources, including webinars and guidance documents.
Login to rate, favorite, and comments on the article
Myths and facts about medical device cybersecurity are shared in this table geared towards manufacturers and providers.
Login to rate, favorite, and comments on the article
This webinar sponsored by the U.S. Food and Drug Administration (FDA): clarified recommendations for managing postmarket cybersecurity vulnerabilities; emphasized the importance of monitoring, identifying, and addressing cybersecurity vulnerabilities and attacks on a continual basis; highlighted the importance of establishing a risk-based framework for assessing when changes to medical devices for cybersecurity vulnerabilities require reporting to the FDA; and outlined circumstances in which the FDA does not intend to enforce reporting requirements under 21 CFR, part 806.
Login to rate, favorite, and comments on the article
The authors review the factors that can contribute to cybersecurity vulnerabilities in medical devices and provide guidance regarding protection mechanisms, mitigations, and processes.
Login to rate, favorite, and comments on the article
Plans, Tools, and Templates
Developed in collaboration with healthcare, information security, and de-identification professionals, the HITRUST De-Identification Framework provides a consistent, managed methodology for the contextual de-identification of data and the sharing of compliance and risk information amongst entities and their key stakeholders. The Framework provides 12 criteria for a successful de-identification program and methodology that can be scaled to any organization: the first four criteria address the programmatic and administrative controls that an organization should have in place to govern de-identification, and the remaining eight criteria may be used to derive a de-identified data set, either on an ad hoc basis or by instituting a process that will deliver de-identified data sets.
Login to rate, favorite, and comments on the article
This short (introductory) checklist can help healthcare providers protect their digital infrastructure.
Login to rate, favorite, and comments on the article
This toolkit can help healthcare facility cybersecurity planners create a security breach response plan and lower the risk of a breach that could compromise patient health and the reputation of the facility.
Login to rate, favorite, and comments on the article
This guide was developed in consultation with the Healthcare and Public Health (HPH) Sector Coordinating Council and Government Coordinating Council, along with input from other sector members and the U.S. Department of Homeland Security Critical Infrastructure Cyber Community. The goal of the guide is to help HPH Sector organizations understand and use the HITRUST Risk Management Framework—consisting of the HITRUST CSF, CSF Assurance Program, and supporting methodologies—to implement the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in the HPH Sector and meet its objectives for critical infrastructure protection.
Login to rate, favorite, and comments on the article
The authors emphasize the need for log management and provide guidelines that can help healthcare facility cyber professionals establish related robust policies and procedures.
Login to rate, favorite, and comments on the article
This factsheet provides an explanation of Information Sharing and Analysis Centers and highlights recent accomplishments.
Login to rate, favorite, and comments on the article
This document provides a detailed framework to protect critical infrastructure and a set of activities to achieve specific cybersecurity outcomes. The Core Functions include: Identify, Protect, Detect, Respond, and Recover, and Section 3 of the guide includes examples of how the framework can be employed.
Login to rate, favorite, and comments on the article
The National Cybersecurity Workforce Framework was developed to provide employers, staff, training providers, and participants with a common set of skills and tasks (based on common language) to define and perform cybersecurity work. This webpage includes links to various framework materials which feature with tasks and skills tied to job categories.
Login to rate, favorite, and comments on the article
The C2M2 model can help healthcare facilities evaluate their cybersecurity capabilities. Sections of this document are geared towards decision makers, leaders/managers, practitioners, and facilitators.
Login to rate, favorite, and comments on the article
This document maps paths between two seminal healthcare cybersecurity documents. It can help healthcare planners use the Cybersecurity Framework as a “common language” and identify gaps to boost compliance with the Security Rule.
Login to rate, favorite, and comments on the article
This objective, data-driven all hazards risk assessment can be used to inform emergency preparedness planning and risk management activities. The toolkit consists of three self-assessment modules allowing healthcare facilities to: identify site-specific threats and hazards; assess site-specific vulnerabilities; and evaluate criticality and consequences. (A related webinar explains the toolkit in more detail: https://files.asprtracie.hhs.gov/documents/aspr-risc-toolkit-webinar-slides-final-508.pdf.)
Login to rate, favorite, and comments on the article
U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. (2019).
National Health Security Strategy.
U.S. Department of Health and Human Services.
The goal of the National Health Security Strategy (NHSS) is to strengthen and sustain communities’ abilities to prevent, protect against, mitigate the effects of, respond to, and recover from disasters and emergencies. This webpage includes links to the full text of the plan, an overview, the NHSS Implementation Plan, the NHSS Evaluation of Progress, and an NHSS Archive.
Login to rate, favorite, and comments on the article
This website explains the (free) cyber resilience review process and lists benefits and variables measured. It also explains the cyber security evaluation tool and its benefits. Important links for getting started and requesting reviews are also included.
Login to rate, favorite, and comments on the article
This plan applies to significant cyber incidents that have the potential to cause significant harm to national security interests, foreign relations, economy, or public health and safety. Sections include Roles and Responsibilities; Core Capabilities; and Coordinating Structures and Integration. Additional guidance is provided in the appendices.
Login to rate, favorite, and comments on the article
Ransomware Resources
The author provides a brief introduction and overview of ransomware, how it can be used to infect mobile and desktop devices, and the importance of security and regularly backing up patient and facility data.
Login to rate, favorite, and comments on the article
The authors discuss steps facilities can take to prevent and mitigate the effects of a ransomware attack.
Login to rate, favorite, and comments on the article
The authors illustrate the actual and projected rise of ransomware attacks on all industries, and share related preparedness and response strategies for healthcare facilities.
Login to rate, favorite, and comments on the article
This presentation highlights the threat, some early examples, operational impacts on healthcare, emerging trends, and strategies for protecting from and detecting threats.
Login to rate, favorite, and comments on the article
This bulletin includes an overview of Locky ransomware, how it has traditionally been delivered, and mitigation steps for healthcare facilities.
Login to rate, favorite, and comments on the article
This factsheet provides an overview of ransomware and shares how the variants Locky and Samas were recently used to compromise healthcare networks.
Login to rate, favorite, and comments on the article
Risk and Threat
Anti-Phishing Work Group. (2020).
APWG.
The Anti-Phishing Working Group (AFWG) is a coalition whose goal is to unify “the global response to cybercrime across industry, government, and law enforcement sectors and NGO communities.” Their website includes links to helpful resources, reporting mechanisms, programming options, and the like.
Login to rate, favorite, and comments on the article
This tool—available in Excel—can help healthcare institutions identify their risks, assess their cybersecurity preparedness, and inform related risk management plans and strategies.
Login to rate, favorite, and comments on the article
Nearly 300 individuals from the healthcare field completed this cybersecurity survey, and 87% indicated that information security had gained ground as a business priority over the past year. Sixty-four percent of respondents reported incidents committed by external actors (e.g., hackers or scam artists). Approximately 20% of these events led to the loss of patient, financial, or operational data.
Login to rate, favorite, and comments on the article
This infographic—based on findings from the 2015 Healthcare Information and Management Systems Society survey—shows that survey respondents chose cybersecurity and network security as the two areas that have seen the greatest amount of improvement.
Login to rate, favorite, and comments on the article
Healthcare Information and Management Systems Society survey respondents listed ten cybersecurity threats they will be challenged by in the future. Some of these threats include: phishing attacks, known software vulnerabilities, denial of service attacks, and negligent insiders.
Login to rate, favorite, and comments on the article
InfraGard is a partnership between the private sector and the Federal Bureau of Investigation, and includes members from businesses, academic institutions, state and local law enforcement agencies, and other participants who represent 16 critical infrastructures (including emergency services and healthcare and public health). Interested parties can apply to join online, and the open-access part of the webpage includes links to state and local chapters and a calendar of events.
Login to rate, favorite, and comments on the article
This volunteer-run webpage was created in 2001 and features free warning and analysis to Internet users while working closely with Internet service providers to combat cyberattacks. The webpage features daily “Stormcasts” and links to articles, patches, podcasts, tools, and other helpful information.
Login to rate, favorite, and comments on the article
In a vendor-sponsored survey, 38% of healthcare information technology respondents indicated that they use cloud file sharing services (for patient records and medical data). Just 40% of U.S. respondents (and 20% of European respondents) reported having related restrictive policies.
Login to rate, favorite, and comments on the article
According to the author, the third annual “Benchmark Study on Patient Privacy and Data Security" found that 94 % of hospitals reported experiencing data breaches over the past two years (involving medical files, billing, and insurance records). Many breaches are a result of preventable incidents (e.g., loss of equipment, employee errors). The associated cost to healthcare facilities is staggering
Login to rate, favorite, and comments on the article
Findings from the Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data highlighted that, so far in 2016, half of data breaches in healthcare are due to criminal activity. The other half are due to mistakes.
Login to rate, favorite, and comments on the article
The Office for Civil Rights issues periodic newsletters share knowledge about the various security threats and vulnerabilities that currently exist in the healthcare sector, helping stakeholders understand what security measures can be taken to decrease the possibility of being exposed by these threats, and how to reduce breaches of electronic protected health information.
Login to rate, favorite, and comments on the article
According to the author, hospitals make “good” targets because delays in paying ransom could result in the death of a patient or lawsuit. Lack of staff training on cybersecurity awareness was another reason experts listed.
Login to rate, favorite, and comments on the article
Agencies and Organizations
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article
Login to rate, favorite, and comments on the article