Topic Collection Cover Page

Cybersecurity
Topic Collection
March 4, 2024

Topic Collection: Cybersecurity

Recent cyberattacks on healthcare facilities have had significant effects on every aspect of patient care and operational continuity. They highlight the need for healthcare organizations of all sizes and types to implement cybersecurity best practices and conduct robust planning to improve cyber incident response and consequence management. As the number of cyberattacks on the healthcare sector increases, practitioners, facility executives, information technology professionals, and emergency managers must remain current on threats to their facilities and systems, as well as have robust downtime procedures to protect patients and staff. The resources in this Topic Collection can help stakeholders better protect against, mitigate, respond to, and recover from cyberattacks to ensure patient safety and operational continuity. This Topic Collection was updated in August 2022.

Select examples/widely publicized cyberattacks are cited here due to the major impact they had on healthcare operations and clinical care delivery; however, it is important to note that references to these incidents are not exhaustive. As the number and severity of incidents continues to grow, we encourage you to regularly review the information and alerts available on the following federal sites:

-HHS Healthcare and Public Health Sector: Highlights-Cybersecurity Edition

-HHS 405(d): Subscribe to the Post

-CISA: National Cyber Awareness System-Bulletins, Alerts Subscription             

Each resource in this Topic Collection is placed into one or more of the following categories (click on the category name to be taken directly to that set of resources). Resources marked with an asterisk (*) appear in more than one category.

Sections Navigation

Toggle Open/Close

Must Reads

Administration for Strategic Preparedness and Response. (2023). HPH Sector Cybersecurity Framework Implementation Guide. U.S. Department of Health and Human Services.
This implementation guide provides specific steps that health care organizations can take immediately to manage cyber risks to their information technology systems. It provides recommendations, best practices, and resources to help the public and private health care sectors prevent cybersecurity incidents.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
ASPR TRACIE. (2022). Cybersecurity Resource Page.
Recent cyberattacks on healthcare facilities have had significant effects on every aspect of patient care and organizational continuity. They highlight the need for healthcare organizations of all sizes and types to implement cybersecurity best practices and conduct robust planning and exercising for cyber incident response and consequence management. As the number of cyberattacks on this sector increases, healthcare practitioners, facility executives, information technology professionals, and emergency managers must remain current on the ever-changing nature and type of threats to their facilities, systems, patients, and staff. These resources can help stakeholders better protect against, mitigate, respond to, and recover from cyber threats, ensuring patient safety and operational continuity.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Connolly, J.L., Christey, S.M., Daldos, R., et al. (2018). Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
This playbook presents a framework that can be used by healthcare organizations and stakeholders to plan for and respond to cybersecurity attacks on medical devices. It includes supplemental information specific to regional cyber preparedness and recommendations for conducting a hazard vulnerability analysis, asset inventory, and incident reporting.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Resources for Business. (Accessed 8/16/2022.) U.S. Department of Homeland Security.
This webpage (known by the acronym US-CERT) features links to cybersecurity resources for businesses (e.g., healthcare facilities) grouped into the following categories: Resources to Identify, Resources to Protect, Resources to Detect, and Resources to Recover. A specific link to the National Cyber Awareness System (https://www.cisa.gov/uscert/ncas) provides a single point of access for all current cybercrime information, including alerts, tips, bulletins, and analytic reports.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (2023). Shields Up.
Russia’s invasion of Ukraine has included cyberattacks on Ukrainian critical infrastructure, which could have implications for cybersecurity in other parts of the world, including the U.S. This resource from the Cybersecurity and Infrastructure Security Agency (CISA) helps organizations prevent and respond to cyberattacks. The website contains guidance for organizations, corporate leaders, individuals, and ransomware response.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. (Accessed 8/16/2022.) U.S. Department of Health and Human Services.
This webpage provides direct access to the main guidance documents, a four-volume publication, that provides an overview of current HSCC cybersecurity threats faced by the healthcare and public health (HPH) sector. In addition, it links to Technical Volume 1 that outlines cyber safety practices for small healthcare organizations; Technical Volume 2 that discusses cybersecurity practices for medium to large healthcare organizations, and other resources and template materials that can be used to develop policies and procedures via a cybersecurity toolkit.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council, Cybersecurity Working Group. (2022). HSCC Publications.
This webpage lists working group recommended cybersecurity publications by date and includes links to resources on operational continuity, telehealth and telemedicine cybersecurity, health industry tactical response, and information sharing.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (HC3). (2022). HC3 Products.
This health sector page provides access to HC3 and partner threat briefs, sector alerts, joint threat bulletins, and other cyber-related resources to help organizations maintain situational awareness of current cyber vulnerabilities and threats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA Security Rule Guidance Material. (Accessed 8/16/2022.)
This webpage assists healthcare professionals find information about the HIPAA Security Rule and provides links to other standards and resources on safeguarding electronic protected health information.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights and Office of the National Coordinator for Health Information Technology. (2022). Security Risk Assessment (SRA) Tool.
The Security Risk Assessment tool was designed to help guide healthcare providers in small to medium-sized offices conduct risk assessments of their organizations’ HIPAA compliance. This webpage contains a user guide and tutorial video. Users can download the 156 question app to their computers or iPads.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (n.d.). 405(d) Resource Library. (Accessed 3/11/2024.)
This webpage provides access to all the task group products, publications, and guidance material on health sector cyber-related materials, including cybersecurity practices for small, medium, and large healthcare organizations; phishing, malware, and ransomware factsheets; cyberthreat infographics; healthcare industry cybersecurity quick start guides; and security considerations and infographics for medical devices. Many 405(d) resources are also available in Spanish: https://405d.hhs.gov/spanish
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration, Center for Devices and Radiological Health. (2021). Best Practices for Communicating Cybersecurity Vulnerabilities to Patients.
This document was developed to assist healthcare professionals, industry partners, and federal partners communicate information about cybersecurity vulnerabilities. It contains best practices and tips for creating clear, concise, and easy to consume messaging to patients and the public.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Education and Training

Cybersecurity and Infrastructure Security Agency. (n.d.). CISA Tabletop Exercises Packages (CTEPS). (Accessed 8/16/2022.)
The CISA resources provided on this page can assist stakeholders and partners with conducting their own training exercises on a variety of cybersecurity scenarios including ransomware, insider threats, and phishing scams.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Cybersecurity Training and Exercises. (Accessed 8/16/2022.)
This webpage provides a variety of cyber-related training and education resources for federal employees, private industry professionals, and critical infrastructure operators (e.g., certification prep courses, cyber defense skills, and incident response training).
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Pragmatic Cyber Security Webinar Series. (Accessed 12/21/2021.)
This series of webinars outlines the challenges faced by owners/operators of critical infrastructure and national critical functions and strategies for mitigating and overcoming them.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Web-Based CISA Training. (Accessed 8/18/2022.)
This webpage includes links to the CISA Virtual Learning Portal, scheduled web-based, and instructor-led, cybersecurity training programs geared toward industrial control system protection.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (2020). COVID-19 Recovery CISA Tabletop Exercise Package (CTEP).
This package of materials assists stakeholders in assessing their recovery and business continuity plans related to organizational recovery from the COVID-19 pandemic.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Grance, T., Nolan, T., Burke, K., et al. (2006). Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities (NIST SP 800-84.). National Institute of Standards and Technology, U.S. Department of Commerce.
This guide can help staff in healthcare facilities design, develop, conduct, and evaluate cybersecurity tests, training, and exercise events.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
Health Sector Coordinating Council Cybersecurity Working Group. (2023). Cybersecurity for the Clinician (Video Training Series). (Free registration required.)
The “Cybersecurity for the Clinician” video training series is comprised of eight videos, for a total of 47 minutes (eligible for one credit hour). Speakers explain in easy, non-technical language what clinicians and students in the medical profession need to understand about how cyber attacks can affect clinical operations and patient safety, and how to help keep healthcare data, systems and patients safe from cyber threats.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
Health- Information Sharing and Analysis Center (H-ISAC). (n.d.). Health Industry Cybersecurity Practices- Videos. (Accessed 8/16/2022.)
This resource provides information on cost-effective strategies that can be use by a range of healthcare organizations to reduce cybersecurity risks. Practical guidance includes training videos on email protection, asset management, endpoint protection, and network management, among others that are available towards the bottom of the webpage.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
National Computer Forensics Institute (NCFI). (n.d.). NCFI Courses. (Accessed 8/16/2022.)
The NCFI is a federally funded training center established to educate state and local officials in cyber-related crime investigations, trends, and investigative methods. Courses include training on ransomware investigations, business email compromise, and incidence response cyber team coordination for first responders, law enforcement, and local government personnel.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Initiative for Cybersecurity Careers and Studies. (2022). NICCS Education and Training Catalog. U.S. Department of Homeland Security.
From this webpage, visitors can search for offered trainings by focus area, offering entity, level of training, location of training, and other factors as well as access various on-line training sites.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. (2022). Federal Information Security Educators (FISSEA).
This organization’s webpage provides information on federal information security training and cybersecurity awareness programs, including upcoming events and past programs.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. (2022). National Initiative for Cybersecurity Education (NICE Framework).
The NICE initiative was developed as a partnership between government, academia, and private industry to promote cybersecurity education, training, and workforce development. This webpage provides links to information on the framework, cybersecurity training and how to get involved in network efforts. The ‘Online Learning Content’ page includes links to professional development training, tools, and various specific cybersecurity educational materials.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology, National Cybersecurity Center of Excellence (NCCoE). (2021). NCCoE Learning Series Fireside Chat: Improving the Cybersecurity Posture of Healthcare Delivery Organizations.
This webinar recording examines guidance on securing critical technical aspects of the healthcare environment such as EHR, medical devices, telehealth, patient monitoring, and PACS systems, and highlights best practices for engaging the public and private sector.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
SANS Institute. (2021). Health Care Security Resources.
This resource for information security training includes links to webcasts, online trainings and livestream videos, educational whitepapers, and more for the healthcare sector.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S Department of Health and Human Services, Office of the Chief Information Officer. (2020). Security Awareness Training.
This website includes a comprehensive list of the (OCIO) information security and role-based training resources that includes topics such as phishing, executive and managerial training, and IT administration.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (2020). HIPAA Training & Resources.
These training and resource materials were developed to help entities implement privacy and security protections. This webpage includes videos and slides from state attorneys general training and educational programs for healthcare providers.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (2023). HHS Policy for Rules of Behavior for Use of Information & IT Resources.
These rules apply to government employees, contractors, and other system users and must be read by all new users prior to accessing HHS data, systems, or networks. The policies may serve as a helpful template for private sector entities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Homeland Security, Office of Infrastructure Protection. (2013). DHS Cyber Tabletop Exercise (TTX) for the Healthcare Industry [Exercise Materials].
Healthcare organizations can download this zip file which contains a package of materials that can help them plan and organize a cyber tabletop exercise.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
University of California San Francisco, Stanford Center of Excellence in Regulatory Science and Innovation (CERSI). (n.d.). Cybersecurity Seminar Series. (Accessed 8/16/2022.)
This monthly speaker series is comprised of one-hour lectures on an array of cybersecurity topics including medical device security, biomedical engineering and manufacturing safety, and regulatory information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Valderrama, A., Lee, S., Batts, D., et al. (2016). Healthcare Organization and Hospital Discussion Guide For Cybersecurity. Centers for Disease Control and Prevention.
Healthcare facility staff can use this document--presented as a discussion-based exercise--to identify their cybersecurity challenges, needs, and strengths.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Guidance

Administration for Strategic Preparedness and Response. (2023). HPH Sector Cybersecurity Framework Implementation Guide. U.S. Department of Health and Human Services.
This implementation guide provides specific steps that health care organizations can take immediately to manage cyber risks to their information technology systems. It provides recommendations, best practices, and resources to help the public and private health care sectors prevent cybersecurity incidents.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
American Hospital Association. (2021). Cybersecurity and Risk Advisory.
This webpage is sponsored by the American Hospital Association and includes links to resources (e.g., webinars, tools, and fact sheets) stakeholders can use to protect their healthcare facilities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
American Hospital Association and American Medical Association. (2020). Working from Home during COVID-19 Pandemic.
This document provides information to physicians on protecting their computers, mobile devices, home network, and medical devices from cyber threats while working from home.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
ASPR TRACIE. (2016). The Exchange, Issue 2: Cybersecurity and Cyber Hygiene. United States Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response.
This issue of the newsletter focuses on cybersecurity events and cyber hygiene.
Rate:
Favorite:
2
You must Login to add a comment
  • This item doesn't have any comments
* ASPR TRACIE. (2022). Healthcare System Cybersecurity: Readiness & Response Considerations (Document).
This resource can help healthcare facilities, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Bhuyan, S., Kabir, U., Escareno, J.M., et al. (2019). Transforming Healthcare Cybersecurity from Reactive to Proactive: Current Status and Future Recommendations.
This paper reviews the major cyber threats facing healthcare organizations, the role of cyber attackers, cyber defenders, developers, and end-users in cybersecurity. It includes recommendations for policy makers and healthcare organizations to mitigate these threats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cawthra, J., Grayson, N., Pulivarti, R., et al. (2022). Securing Telehealth Remote Patient Monitoring Ecosystem (SP 1800-30). National Institute of Standards and Technology, U.S. Department of Commerce.
This practice guide provides insight into vulnerabilities associated with Remote Patient Monitoring (RPM) systems within healthcare organizations. Collaborating with telehealth and technology partners, and healthcare leadership, NIST identified risks and solutions for improving telehealth cybersecurity practices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cawthra, J., Hodges, B., Kuruvilla, J., et al. (2020). Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector (SP 1800-24). National Institute of Standards and Technology, U.S. Department of Commerce.
The PACS ecosystem was analyzed to identify risks and vulnerabilities, as well as standards available to safeguard systems, using commercially available tools, to improve resilience and patient privacy.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cichonski, P., Millar, T., Grance, T., and Scarfone, K. (2021). Computer Security Incident Handling Guide (NIST SP 800-61). National Institute of Standards and Technology, U.S. Department of Commerce.
This publication can help agencies establish computer security incident response capabilities and ensure that incidents are handled efficiently and effectively. Note: NIST resource details show this publication was last updated in 2021, though not reflected in the document
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Resources for Business. (Accessed 8/16/2022.) U.S. Department of Homeland Security.
This webpage (known by the acronym US-CERT) features links to cybersecurity resources for businesses (e.g., healthcare facilities) grouped into the following categories: Resources to Identify, Resources to Protect, Resources to Detect, and Resources to Recover. A specific link to the National Cyber Awareness System (https://www.cisa.gov/uscert/ncas) provides a single point of access for all current cybercrime information, including alerts, tips, bulletins, and analytic reports.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (n.d.). Resources for State, Local, Tribal, and Territorial Government. (Accessed 3/31/2023.)
This CISA webpage provides direct links to resources relevant for SLTT cyber planning needs. These include geographic specific resources by state, best practice (case studies), and an SLTT cyber toolkit to assist in understanding the threat environment, evaluating current programs, and understanding the five Cybersecurity Framework Function Areas.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (n.d.). Stop Ransomware. (Accessed 8/16/22.)
This CISA resource page is the government’s “one-stop-shop” for ransomware information, guidance, and available services. The site specifically provides links to critical ransomware guides, checklists, alerts, and factsheets. It includes information on who to contact and how to report an incident, trainings, current campaigns, and other partner/stakeholder information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (2022). Sharing Cyber Event Information: Observe, Act, Report.
This tip sheet provides information on sharing of cyber-related events in accordance with CISA requirements. It contains guidance to clarify what type of information should be shared, with whom, under what circumstances, and what to expect once an incident is reported.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (2023). Shields Up.
Russia’s invasion of Ukraine has included cyberattacks on Ukrainian critical infrastructure, which could have implications for cybersecurity in other parts of the world, including the U.S. This resource from the Cybersecurity and Infrastructure Security Agency (CISA) helps organizations prevent and respond to cyberattacks. The website contains guidance for organizations, corporate leaders, individuals, and ransomware response.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Federal Bureau of Investigation. (n.d.). Internet Crime Complaint Center IC3. (Accessed 8/16/22.)
This FBI cybercrime homepage outlines how, when, and who to report a cyber incident to, links to additional resources such as annual reports, industry alerts, and ransomware information, as well as answers FAQs.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Federal Communications Commission, Department of Homeland Security, National Cyber Security Alliance, Chamber of Commerce. (n.d.). Cybersecurity Planning Guide. (Accessed 8/16/2022)
This planning guide, created in partnership with other agencies and subject matter experts, was designed to assist small businesses, with limited cybersecurity resources, incorporate cyber preparedness and risk assessment activities into their organizations. It includes a list of action items, policy considerations, and best practices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Filkins, B. (2014). Health Care Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon. SANS Institute.
The project team analyzed a year’s worth of healthcare intelligence data and provide an overview of the sector’s vulnerabilities (including the “Internet of Things” and challenges related to compliance). The author shares three case studies that demonstrate how healthcare networks were attacked and concludes with preparedness tips useful to both information technology professionals and emergency planners.
Rate:
Favorite:
2
You must Login to add a comment
  • This item doesn't have any comments
Filkins, B. (2014). New Threats Drive Improved Practices: State of Cybersecurity in Health Care Organizations. SANS Institute.
The author presents results from a SANS 2014 State of Cybersecurity in Health Care Organizations survey. Overall, 41% of respondents ranked current data breach detection strategies as ineffective and more than half found the “negligent insider” to be the primary threat to security.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Gerard, P., Kapadia, N., Acharya, J., et al. (2013). Cybersecurity in Radiology: Access of Public Hot Spots and Public Wi-Fi and Prevention of Cybercrimes and HIPAA Violations. (Abstract only.) American Journal of Roentgenology. 201(6): 1186-1189.
The authors list steps that can be taken to protect sensitive information while transferring medical information over public and home networks. They emphasize the importance of these steps and strategies as the role of information technology in modern radiology practice increases.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health Sector Cybersecurity Coordination Center (HC3). (2019). A Cost Analysis of Healthcare Sector Data Breaches.
This report highlights the cost of data breaches on healthcare facilities and how these costs are computed. Steps for mitigating risks are included, along with links to related resources.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare & Public Health Sector Coordinating Councils. (2020). Management Checklist for Teleworking Surge During the COVID-19 Response.
This checklist assists healthcare enterprise managers in implementing a telework strategy that enables an uninterrupted workflow, supports patient care and facility operations, and protects against cyberthreats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare & Public Health Sector Coordinating Councils. (2023). Health Industry Cybersecurity Tactical Crisis Response Guide (HIC-TCR).
This guide offers tactics for the healthcare system to address cyberthreats, focused on education and outreach, enhanced prevention techniques, enhanced detection and response, and taking care of the team.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare and Public Health Sector Coordinating Council. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. (Accessed 8/16/2022.) U.S. Department of Health and Human Services.
This webpage provides direct access to the main guidance documents, a four-volume publication, that provides an overview of current HSCC cybersecurity threats faced by the healthcare and public health (HPH) sector. In addition, it links to Technical Volume 1 that outlines cyber safety practices for small healthcare organizations; Technical Volume 2 that discusses cybersecurity practices for medium to large healthcare organizations, and other resources and template materials that can be used to develop policies and procedures via a cybersecurity toolkit.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare and Public Health Sector Coordinating Council, Cybersecurity Working Group. (2016). Healthcare Sector Cybersecurity Framework Implementation Guide.
This guide was developed in consultation with the Healthcare and Public Health (HPH) Sector Coordinating Council and Government Coordinating Council, along with input from other sector members and the U.S. Department of Homeland Security Critical Infrastructure Cyber Community. The goal of the guide is to help HPH Sector organizations understand and use the HITRUST Risk Management Framework—consisting of the HITRUST CSF, CSF Assurance Program, and supporting methodologies—to implement the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in the HPH Sector and meet its objectives for critical infrastructure protection.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council, Cybersecurity Working Group. (2020). Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM).
This guide can help smaller to mid-sized healthcare organizations manage supply chain cybersecurity risk.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council, Cybersecurity Working Group. (2022). HSCC Publications.
This webpage lists working group recommended cybersecurity publications by date and includes links to resources on operational continuity, telehealth and telemedicine cybersecurity, health industry tactical response, and information sharing.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
Healthcare Information and Management Systems Society. (2019). Overview of 405d Publication-Cybersecurity Practices: Managing Threats and Protecting Patients. U.S Department of Health and Human Services, Cybersecurity Program.
These slides from the 2019 HIMSS global conference provide an overview of the 405d HHS cybersecurity program. The presentation highlights partnerships, outlines the top five cyber threats and ten best practices for resilience, and summarizes how to prioritize threats within the healthcare sector.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
HHS 4D. (2024). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP 2023 Edition).
This report outlines the primary cybersecurity threats facing the health care sector and can help organizations of all sizes access resources and best practices geared towards preparing for and responding to threats that can impact patient safety.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Independent Security Evaluators. (2016). Securing Hospitals: A Research Study and Blueprint.
The authors describe research conducted on a variety of hospital and healthcare-related infrastructures and systems; identify industry-specific challenges; and create a blueprint for improving healthcare facility security.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Johnson, C., Badger, L., and Waltermire, D., et al. (2016). Guide to Cyber Threat Information Sharing (NIST SP 800-150). National Institute of Standards and Technology, U.S. Department of Commerce.
This publication can help cyber professionals in the healthcare system establish and participate in cyber threat information sharing relationships. It contains information on developing information sharing goals, identifying threat sources, engaging with existing information sharing communities, and effectively using threat information, which can help health systems share threat information in a structured fashion.
Rate:
Favorite:
2
You must Login to add a comment
  • This item doesn't have any comments
National Rural Health Resource Center. (2020). Cybersecurity Toolkit for Rural Hospitals and Clinics.
The toolkit can help rural healthcare facilities develop a cybersecurity program focused on awareness, assessment, implementation & remediation, and education.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Security Agency. (2022). Cybersecurity Technical Report: Network Infrastructure Security Guide.
This document provides updated guidance on securing networks against changing and evolving vulnerabilities, specifically it outlines new security features and methods to be considered. It reviews the Zero Trust model, improper system configurations, authentication, and security maintenance- among others.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Perakslis, E.D. and Stanley, M. (2016). A Cybersecurity Primer for Translational Research, Science Translational Medicine. Science Translational Medicine. 8(322): 2.
The authors discuss recent healthcare-related data breaches and how they could have been prevented. They also highlight the differences between compliance and security (and how they overlap)—particularly in the research arena—and share tips for improving cybersecurity.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Tully, J., Selzer, J., Phillips, J., et al.. (2020). Healthcare Challenges in the Era of Cybersecurity. (Abstract only.) Health Security. 18(3):228-231.
This paper discusses the expansion of technology into healthcare operations, the challenges associated with such integration, and future recommendations for mitigation of growing cyber threats against health systems.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services. (2023). Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services.
This paper provides an overview of HHS’ proposed framework to help the health care sector address cybersecurity threats and protect patients while focusing on four steps: 1) Establish voluntary cybersecurity performance goals for the healthcare sector; 2) Provide resources to incentivize and implement these cybersecurity practices; 3) Implement an HHS-wide strategy to support greater enforcement and accountability; and 4) Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (n.d.). HIPAA Security Rule Guidance Material. (Accessed 8/16/2022.)
This webpage assists healthcare professionals find information about the HIPAA Security Rule and provides links to other standards and resources on safeguarding electronic protected health information.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (2021). Cyber Security Guidance Material. U.S. Department of Health and Human Services.
This website includes educational materials specifically designed to give HIPAA covered entities and business associate’s insight into how to respond to a cyber-related security incidents for professionals. This includes a cybersecurity checklist, infographic, ransomware guidance, NIST cyber framework information, and links to the Office of Civil Rights (OCR) cyber awareness newsletters.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (n.d.). 405(d) Resource Library. (Accessed 3/11/2024.)
This webpage provides access to all the task group products, publications, and guidance material on health sector cyber-related materials, including cybersecurity practices for small, medium, and large healthcare organizations; phishing, malware, and ransomware factsheets; cyberthreat infographics; healthcare industry cybersecurity quick start guides; and security considerations and infographics for medical devices. Many 405(d) resources are also available in Spanish: https://405d.hhs.gov/spanish
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Justice, Cybersecurity Unit. (2015). Best Practices for Victim Response and Reporting of Cyber Incidents.
This document provides planning and response guidance based on lessons learned by federal prosecutors while handling cyber investigations and prosecutions. The authors drafted the document with smaller organizations (with fewer resources) in mind, but larger organizations should also find it useful.
Rate:
Favorite:
4
You must Login to add a comment
  • This item doesn't have any comments
U.S. Secret Service. (n.d.). Financial and Cyber Crimes Investigations, Preparing for a Cyber Incident. (Accessed 8/16/2022.)
This website provides links to several quick reference guides developed by U.S. Secret Service experts to help organizations before, during, and after a cyber incident. These resources include an introductory guide to understanding cybercrimes, ransomware, reporting cyber incidents, and business email compromises.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Incident Management

Bartock, M., Cichonski, J., Souppaya, M., et al. (2016). Guide for Cybersecurity Event Recovery (NIST SP 800-84). National Institute of Standards and Technology, U.S. Department of Commerce.
The authors provide guidance for cyber attack recovery planning and emphasize the importance of learning from past events and developing, testing, and improving recovery planning. This document includes an example scenario that demonstrates guidance and informative metrics that may be helpful for improving information systems resilience.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
* Cichonski, P., Millar, T., Grance, T., and Scarfone, K. (2021). Computer Security Incident Handling Guide (NIST SP 800-61). National Institute of Standards and Technology, U.S. Department of Commerce.
This publication can help agencies establish computer security incident response capabilities and ensure that incidents are handled efficiently and effectively. Note: NIST resource details show this publication was last updated in 2021, though not reflected in the document
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (2021). Cybersecurity Incident and Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.
This CISA resource contains two playbooks, one for incident response and the other for vulnerability response. Each one contains standards and protocol to help identify, coordinate, remediate, and recover from possible cyber incidents as well as identified vulnerabilities known to affect federal agencies, their systems, data, and networks.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare and Public Health Sector Coordinating Council. (2022). Operational Continuity – Cyber Incident (OCCI).
This cyber incident checklist can be used as a template for operational staff and executives in healthcare to respond to and recover from a large-scale extended cyberattack. Recommendations can be tailored to an organizations size and level of operational complexity and role-based modules can align with current Incident Command System plans.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Department of Defense, Defense Technical Information Center, Information Analysis Center. (2022). DOD Cybersecurity Policy Chart.
This chart presents cybersecurity-related policies, legal authorities, and documents in a color-coded schema for quick reference to identify relevant strategies and resources that can help prepare for and respond to cyber threats. While created by and for the Department of Defense, the information can be applied to healthcare and other critical infrastructure.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
The White House. (2021). Executive Order – Improving the Nation’s Cybersecurity.
This executive order (14028), aims to improve federal efforts to identify, deter, detect, protect against, and respond to increasingly ‘sophisticated malicious cyber campaigns. Key points include removing barriers to information sharing between government and private sector; modernizing and strengthening cybersecurity standards within the Federal government; improving software supply chain security; standardizing cybersecurity response playbooks; and improving investigation and remediation capabilities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* U.S. Department of Health and Human Services, Office for Civil Rights. (2020). HIPAA for Professionals: The Security Rule.
Cybersecurity professionals can locate information about HIPAA rules, guidance on compliance, the Office for Civil Rights’ enforcement activities, frequently asked questions, and more on this webpage.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
United States Congress. (2022). Strengthening American Cybersecurity Act of 2022- S.3600.
This legislative package, a combination of three bills (the Federal Information Security Modernization Act, the Cyber Incident Reporting Act; and the Federal Secure Cloud Improvement and Jobs Act) focuses on improving cyber incident reporting obligations, modernizing cyber capabilities, and securing cloud adoption. Importantly, new reporting requirements would mandate reporting of any substantial cyber incidents by all federal civilian agencies to CISA within 72 hours.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Lessons Learned

American Hospital Association. (n.d.). Cybersecurity: Lessons Learned from Ransomware Attack with UVM Health. (Accessed 8/16/2022.)
This recording captures a discussion with the University of Vermont Medical Center president, Chief Operating Officer and Chief Medical Information Officer on lessons learned during a major ransomware attack on their facility in the Fall of 2020.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
ASPR TRACIE. (2016). Cybersecurity and Healthcare Facilities. U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response.
Cybersecurity is a critical issue facing the ASPR TRACIE audience. In this webinar, a distinguished panel of experts describe lessons learned from recent experiences, planning considerations, and steps the federal government is taking to address cybersecurity and cyber hygiene.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
ASPR TRACIE. (2021). Healthcare System Cybersecurity Response: Experiences and Considerations (Webinar).
Speakers from healthcare facilities share their experiences and tangible lessons learned from responding to cybersecurity incidents.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
ASPR TRACIE. (2022). Healthcare Cybersecurity Select Lessons Learned.
This ASPR TRACIE TA response includes information on high-profile healthcare cyberattacks over the past five years in the U.S., to include resources and details on the associated impacts and lessons learned for clinical care delivery.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Becker’s Hospital Review. (2018). When Cyberattacks Hit, Disaster Recovery is Not Enough. (Free registration required.)
This e-book is based on a roundtable discussion with nine hospital and healthcare IT leaders to better understand data management strategies, cyber recovery and resilience, gaps in backup and recovery methods, as well as factors impacting healthcare system cyber vulnerabilities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
CyberPeace Institute. (2021). Playing with Lives: Cyberattacks on Healthcare are Attacks on People.
This report focuses on how cyberattacks on health systems impact people and society. It consolidates information on a variety of threats from ransomware to cyber espionage, discusses how COVID-19 has added to the complexities of cybersecurity, and includes recommendations for mitigation of threats based on current initiatives.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Cyber Storm: Securing Cyber Space. (Accessed 8/16/2022.)
Cyber Storm is the U.S. Department of Homeland Security’s biennial cybersecurity exercise. This webpage includes highlights and lessons learned from exercises and links for more information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Ghafur, S., Kristensen, S., Honeyford, K., et al. (2019). A Retrospective Impact Analysis of the WannaCry Cyberattack on the NHS. NPJ Digital Medicine 2(98).
This paper summarizes the large-scale effects of the WannaCry cyberattack on the U.K National Health Service and the overarching lessons learned that have become relevant to health systems across the globe. It highlights economic, operational, and strategic outcomes including disruptions to clinical care, financial losses, and workforce impacts.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Koppel, R., Smith, S., Blythe, J., and Kothari, V. (2015). Workarounds to Computer Access in Healthcare Organizations: You Want my Password or a Dead Patient? (Abstract only.) Studies in Health Technology and Informatics. 208: 215-220.
The authors examine the methods some healthcare providers use to circumvent cybersecurity. These “creative, flexible, and motivated” employees did not have criminal intention—they were presumably focused on providing patient care in a fast-paced environment.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Mehrtak, M., SeyedAlinaghi, S., MohsseniPour, M., et al. (2021). Security Challenges and Solutions Using Healthcare Cloud Computing. Journal of Medicine and Life 14(4):448–461.
This systematic review examined 930 full text studies, from 2015 to 2020, to identify the most common cloud security issues impacting healthcare systems. The researchers included a breakdown of these issues as well as potential solutions that were most frequently cited.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Okereafor, K., Adebola, O. (2021). Healthcare Cybersecurity Lessons from COVID. (Free download) International Journal in IT and Engineering 9(4): 1-11.
This paper provides a high-level overview of the impacts of the COVID-19 pandemic on cybersecurity in the healthcare industry and highlights the vulnerabilities that were a result of modified behaviors during a chaotic pandemic. It highlights key challenges and includes best practices and lessons learned to improve healthcare security in the future.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S Department of Health and Human Services, Office of the Chief Information Officer. (2022). Lessons Learned from the HSE Cyber Attack.
This HHS slide deck reviews the 2021 cyberattack against the Health Service Executive (HSE), Ireland’s publicly funded healthcare system. Information included in the summary details the impacts caused by the Conti ransomware attack, subsequent disruptions to health system operations, and key findings and challenges associated with response and recovery.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Verizon. (2016). 2016 Data Breach Investigations Report.
In this report, Verizon examined more than 100,000 security incidents affecting various industries, including healthcare. They found that of the 166 healthcare breaches, 115 had confirmed data loss, 32% were caused by stolen assets, and 23% were a result of privilege misuse. The report also found reuse of credentials to be a healthcare-specific risk. Victim demographics, vulnerabilities, phishing, and incident classification patterns are discussed, as well as an entire appendix devoted to “attack graphs.”
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Medical Devices

Armstrong, D.G. Kleidermacher, D.N., Klonoff, D.C., and Slepian, M.J. (2015). Cybersecurity Regulation of Wireless Devices for Performance and Assurance in the Age of "Medjacking.". Journal of Diabetes Science and Technology. 10(2): 435-438.
The authors outline a framework for securing wireless health devices to minimize the occurrence of “medjacking,” or the hacking medical devices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Chase, M., Christey Coley, S., Connolly, J., et al. (2022). Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook. Mitre Corporation.
This playbook provides information on preventing and mitigating cybersecurity incidents for medical devices. It includes a framework for health care organizations, as well as tools, techniques, and resources, and has been revised to be in alignment with Hospital Incident Command.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Connolly, J.L., Christey, S.M., Daldos, R., et al. (2018). Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
This playbook presents a framework that can be used by healthcare organizations and stakeholders to plan for and respond to cybersecurity attacks on medical devices. It includes supplemental information specific to regional cyber preparedness and recommendations for conducting a hazard vulnerability analysis, asset inventory, and incident reporting.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health- Information Sharing and Analysis Center (H-ISAC). (n.d.). Medical Device Manufacturing Security. (Accessed 8/17/2022.)
This reference page provides a list of quicklinks to major medical device manufacturer’s product security websites. Manufacturers are listed by name with corresponding URLs to product security information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council. (2022). Medtech Vulnerability Communications Toolkit (MVCT).
This toolkit provides guidance for disclosing vulnerabilities in medical devices with a focus on communicating to patients. It includes a template and best practices such as categorizing the vulnerability, terminology to be used, and workflows/processes to be considered.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Klonoff, D.C. (2015). Cybersecurity for Connected Diabetes Devices. Journal of Diabetes Science and Technology. 9(5):1143-7.
The author provides an overview of the “CIA Triad” for information security, where C stands for confidentiality, I stands for integrity, and A stands for availability. The author explains how a cybersecurity standard designed specifically for connected diabetes devices will improve device safety and increase security.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Kramer, D.B. and Fu, K. (2017). Cybersecurity Concerns and Medical Devices Lessons From a Pacemaker Advisory. (Subscription Required.) JAMA Network 318(21):2077-2078.
This paper outlines vulnerabilities associated with increased medical device use in wireless communication and remote monitoring. It details several cyber incidents and highlights considerations in preparing for future incidents, and the importance of engaging stakeholders public and private sector.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Kramer, D.B., Baker, M., Ransford, B., et al. (2012). Security and Privacy Qualities of Medical Devices: An Analysis of FDA Postmarket Surveillance. PLoS One. 7(7):e40200.
The authors evaluated recalls and adverse events related to security and privacy risks of medical devices and found “sharp inconsistencies” in the way individual providers secured devices. The authors challenged manufacturers and regulators to consider the security and privacy elements of their devices and systems and to build the ability to collect cybersecurity threat indicators into their medical devices.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (n.d.). 405(d) Program and Task Group Medical Device Fact Sheet, Poster, and Threat Series Slides. (Accessed 8/17/2022.)
These three individual resources (https://405d.hhs.gov/Documents/Five-Threat-Series-Medical-Devices-R.pdf; https://405d.hhs.gov/Documents/405d-Five-Threats-Attacks-Connected-Devices-Poster.pdf; and https://405d.hhs.gov/Documents/5-Threats-Series-Threat-5-Attacks-Against-Connected-Medical-Devices-Powerpoint-Updated-R.pdf) provide access to an informational medical device poster to be used as a visual aid for staff, a fact sheet listing impacts and considerations in case of a connected medical device attack, and slides covering the 5 main medical device threats and data loss, among others.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. (n.d.). The FDA's Role in Medical Device Cybersecurity. (Accessed 8/19/2022.)
Myths and facts about medical device cybersecurity are shared in this table geared towards manufacturers and providers.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. (2018). Content of Premarket Submissions for Management of Cybersecurity in Medical Devices: Guidance for Industry and Food and Drug Administration Staff. U.S. Department of Health and Human Services.
This guidance provides recommendations to consider and information to include in FDA medical device premarket submissions for effective cybersecurity management. Effective cybersecurity management is intended to reduce the risk to patients by decreasing the likelihood that device functionality is intentionally or unintentionally compromised by inadequate cybersecurity.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. (2018). Postmarket Management of Cybersecurity in Medical Devices.
This guidance can help manufacturers and healthcare providers manage cybersecurity in medical devices, particularly those that are networked.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. (2021). Cybersecurity.
This webpage highlights the U.S. Food and Drug Administration's efforts to secure medical devices. It includes links to helpful resources, including webinars and guidance documents.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. (2022). Tips for Clinicians: Keeping Your Patients’ Connected Medical Devices Safe.
This video describes steps clinicians can take to ensure their patients’ medical devices and privacy are protected. It includes questions health care providers should ask manufacturers of medical devices, and when to contact the manufacturer.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. (2023). Cybersecurity.
This website provides updates on cybersecurity requirements for medical devices. It includes a timeline of how the Consolidated Appropriations Act updated these requirements, information on mitigating cybersecurity risks, and links to cybersecurity reports and whitepapers for medical devices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration, Center for Devices and Radiological Health. (2021). Best Practices for Communicating Cybersecurity Vulnerabilities to Patients.
This document was developed to assist healthcare professionals, industry partners, and federal partners communicate information about cybersecurity vulnerabilities. It contains best practices and tips for creating clear, concise, and easy to consume messaging to patients and the public.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Williams, P.A. and Woodward, A.J. (2015). Cybersecurity Vulnerabilities in Medical Devices: A Complex Environment and Multifaceted Problem. Medical Devices. 8:305-16.
The authors review the factors that can contribute to cybersecurity vulnerabilities in medical devices and provide guidance regarding protection mechanisms, mitigations, and processes.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments

Plans, Tools, and Templates

Administration for Strategic Preparedness and Response. (2023). RISC Toolkit 2.0. U.S. Department of Health and Human Services.
The Risk Identification and Site Criticality (RISC) Toolkit is an objective, data-driven all-hazards risk assessment that can be used by public and private organizations within the Healthcare and Public Health Sector to inform emergency preparedness planning, risk management activities, and resource investments. The RISC Toolkit provides owners/operators in the HPH Sector with nationally recognized standards-based evaluation criteria in an easy-to-follow, guided format.
Rate:
Favorite:
1
You must Login to add a comment
  • Tony Barker Great tool that has very effective resource links. Makes the HVA process evidence based and provides an excellent format for use. Thank you to the development team!
    12/12/2018 12:56:36 PM
* ASPR TRACIE. (2022). Healthcare System Cybersecurity: Readiness & Response Considerations (Document).
This resource can help healthcare facilities, and the systems they may be a part of, understand the roles and responsibilities of stakeholders before, during, and after a cyber incident.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Connolly, J.L., Christey, S.M., Daldos, R., et al. (2018). Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.
This playbook presents a framework that can be used by healthcare organizations and stakeholders to plan for and respond to cybersecurity attacks on medical devices. It includes supplemental information specific to regional cyber preparedness and recommendations for conducting a hazard vulnerability analysis, asset inventory, and incident reporting.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Assessments: Cyber Resilience Review (CRR). (Accessed 8/19/2022.)
This website explains the (free) cyber resilience review process and lists benefits and variables measured. It also explains the cyber security evaluation tool and its benefits. Important links for getting started and requesting reviews are also included.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (n.d.). Resources for State, Local, Tribal, and Territorial Government. (Accessed 3/31/2023.)
This CISA webpage provides direct links to resources relevant for SLTT cyber planning needs. These include geographic specific resources by state, best practice (case studies), and an SLTT cyber toolkit to assist in understanding the threat environment, evaluating current programs, and understanding the five Cybersecurity Framework Function Areas.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (2016). The National Cyber Incident Response Plan (NCIRP).
This plan applies to significant cyber incidents that have the potential to cause significant harm to national security interests, foreign relations, economy, or public health and safety. Sections include Roles and Responsibilities; Core Capabilities; and Coordinating Structures and Integration. Additional guidance is provided in the appendices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (2021). Cybersecurity Incident and Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.
This CISA resource contains two playbooks, one for incident response and the other for vulnerability response. Each one contains standards and protocol to help identify, coordinate, remediate, and recover from possible cyber incidents as well as identified vulnerabilities known to affect federal agencies, their systems, data, and networks.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Federal Communications Commission. (n.d.). Cyberplanner. (Accessed 8/17/2022.)
This FCC tool, designed to assist small businesses with limited cybersecurity resources, is an online resource to help smaller businesses develop customized cybersecurity plans. It includes step-by-step guidance and links to additional cybersecurity resources and tip sheets.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Federal Communications Commission, Department of Homeland Security, National Cyber Security Alliance, Chamber of Commerce. (n.d.). Cybersecurity Planning Guide. (Accessed 8/16/2022)
This planning guide, created in partnership with other agencies and subject matter experts, was designed to assist small businesses, with limited cybersecurity resources, incorporate cyber preparedness and risk assessment activities into their organizations. It includes a list of action items, policy considerations, and best practices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health Sector Coordinating Council Cybersecurity Working Group. (2024). Health Industry Cybersecurity Strategic Plan 2024-2029.
This plan was created for organizations throughout the healthcare ecosystem to help them implement foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare & Public Health Sector Coordinating Councils. (2020). Management Checklist for Teleworking Surge During the COVID-19 Response.
This checklist assists healthcare enterprise managers in implementing a telework strategy that enables an uninterrupted workflow, supports patient care and facility operations, and protects against cyberthreats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare & Public Health Sector Coordinating Councils. (2023). Health Industry Cybersecurity – Coordinated Healthcare Incident Response Plan (CHIRP).
This template aims to prepare health care organizations for the operational impacts of a cybersecurity incident by bringing together separate components of emergency plans. It contains information on command center synchronization, incident identification, communication strategy, containment strategy, and the interim solution request process.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council. (2018). Health Industry Cybersecurity Practices: Resources and Templates.
This Health Sector Coordinating Council document provides resources and materials that healthcare organizations can use during the development of cybersecurity policies and procedures. It consists of a glossary of terms, roadmaps, toolkits, and templates for securing devices, cyber incident reporting, and access control protocol.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare and Public Health Sector Coordinating Council. (2022). Operational Continuity – Cyber Incident (OCCI).
This cyber incident checklist can be used as a template for operational staff and executives in healthcare to respond to and recover from a large-scale extended cyberattack. Recommendations can be tailored to an organizations size and level of operational complexity and role-based modules can align with current Incident Command System plans.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare and Public Health Sector Coordinating Council, Cybersecurity Working Group. (2016). Healthcare Sector Cybersecurity Framework Implementation Guide.
This guide was developed in consultation with the Healthcare and Public Health (HPH) Sector Coordinating Council and Government Coordinating Council, along with input from other sector members and the U.S. Department of Homeland Security Critical Infrastructure Cyber Community. The goal of the guide is to help HPH Sector organizations understand and use the HITRUST Risk Management Framework—consisting of the HITRUST CSF, CSF Assurance Program, and supporting methodologies—to implement the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity in the HPH Sector and meet its objectives for critical infrastructure protection.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Energy. (2021). Cybersecurity Capability Maturity Model (C2M2).
The C2M2 tool, developed in 2012, was created to assist organizations with evaluating and improving their cybersecurity capabilities. The 2021 C2M2 Version 2.0 update addresses emerging technologies and the evolving cyber threat landscape.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (2016). HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.
This document maps paths between two seminal healthcare cybersecurity documents. It can help healthcare planners use the Cybersecurity Framework as a “common language” and identify gaps to boost compliance with the Security Rule.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* U.S. Department of Health and Human Services, Office for Civil Rights and Office of the National Coordinator for Health Information Technology. (2022). Security Risk Assessment (SRA) Tool.
The Security Risk Assessment tool was designed to help guide healthcare providers in small to medium-sized offices conduct risk assessments of their organizations’ HIPAA compliance. This webpage contains a user guide and tutorial video. Users can download the 156 question app to their computers or iPads.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. (2021). National Health Security Strategy. U.S. Department of Health and Human Services.
The goal of the National Health Security Strategy (NHSS) is to strengthen and sustain communities’ abilities to prevent, protect against, mitigate the effects of, respond to, and recover from disasters and emergencies. This webpage includes links to the full text of the strategy, an overview, the NHSS Implementation Plan, the NHSS Evaluation of Progress, and an NHSS Archive.
Rate:
Favorite:
3
You must Login to add a comment
  • This item doesn't have any comments

Ransomware Resources

Carnegie Mellon University, Software Engineering Institute. (2017). Ransomware: Best Practices for Prevention and Response.
This blog post, written in the aftermath of the “WannaCry” ransomware attack, provides key best practices and lessons learned for preventing and responding to a ransomware attack.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches. (Accessed 8/17/2022.)
This factsheet provides an overview of the impacts of ransomware, a summary of recent attacks, and includes a preparedness checklist with links to guidance on cyber hygiene and vulnerability testing. It also outlines best practices for protecting sensitive and personal information and responding to ransomware-caused data breaches.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (n.d.). Stop Ransomware. (Accessed 8/16/22.)
This CISA resource page is the government’s “one-stop-shop” for ransomware information, guidance, and available services. The site specifically provides links to critical ransomware guides, checklists, alerts, and factsheets. It includes information on who to contact and how to report an incident, trainings, current campaigns, and other partner/stakeholder information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (2016). Ransomware and Recent Variants.
This factsheet provides an overview of ransomware and shares how the variants Locky and Samas were recently used to compromise healthcare networks.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (2022). 2021 Trends Show Increased Globalized Threat of Ransomware.
This Alert (AA22-040A) summarizes recent ransomware threats and activity identified domestically and abroad. It includes technical details, mitigation techniques, response guidance, and additional resources.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and U.S. Department of Health and Human Services. (2020). Ransomware Activity Targeting the Healthcare and Public Health Sector: Alert (AA20-302A).
The coauthored joint cybersecurity advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware. Recent updates include information on Conti, TrickBot, and BazarLoader, as well as new IOCs and Yara Rules for detection.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Federal Bureau of Investigation. (n.d.). Internet Crime Complaint Center IC3- Ransomware. (Accessed 8/17/22.)
This FBI cybercrime homepage answers FAQs, outlines how, when, and who you should report a cyber incident to, and links to additional resources such as annual reports, industry alerts, and ransomware information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health Sector Cybersecurity Coordination Center (HC3). (n.d.). Prepare, React, and Recover from Ransomware. (Accessed 8/17/22.)
This infographic presents ransomware-related cybersecurity information in an easy to reference and format that can be used in trainings and exercises to increase awareness on preparing for, reacting to, and recovering from a cyber incident.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Institute for Security and Technology. (2021). Combating Ransomware, A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.
This framework, developed by over 60 experts across industry, academia, and government, is part of a public-private anti-ransomware campaign to increase awareness and resilience. The framework includes a breakdown of priority ransomware issues, current mitigation efforts, key recommendations, and an overview of the framework’s call to action.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. (n.d.). Data Integrity Recovering from Ransomware and Other Destructive Events (NIST SP 1800-26). (Accessed 8/17/2022.)
This webpage is a comprehensive list of NIST data integrity and data breach security guidance documents. It provides information on potential targets of data corruption, including ransomware, malware, and insider threats. It includes information on resources and tools that support vulnerability detection, response efforts, and practical safety measures to minimize damage from loss of data.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. (2021). Tips and Tactics for Dealing with Ransomware.
This webpage includes quick reference guides, best practices, videos, and factsheets on preventive measures to help organizations prepare for ransomware attacks and links to additional cyber awareness tips.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. (2022). Ransomware Protection and Response.
This webpage provides links and access to collective NIST ransomware resources including, risk management guidance, a Quick Start Guide, videos, tip sheets, and infographics, as well as information on the Ransomware Risk Management cybersecurity framework.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology, Computer Security Resource Center. (2022). Getting Started with Cybersecurity Risk Management: Ransomware.
This quick start guide is meant to help organizations prepare to counter ransomware attacks that are based on the NIST Cybersecurity Framework’s five key functions that include Identifying, Protecting, Detecting, Responding, and Recovering. It is applicable to smaller organizations and those with limited resources.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Souppaya, M. and Scarfone, K. (2013). Guide to Malware Incident Prevention and Handling for Desktops and Laptops (NIST SP 800-83, Rev.1). National Institute of Standards and Technology, U.S. Department of Commerce.
The authors provide recommendations that can help an organization prevent, prepare for, respond to, and recover from malware incidents, especially widespread ones. Several types of malware are addressed (e.g., worms, viruses, and Trojan horses) and Appendix B provides malware incident handling scenarios that can help identify strengths and gaps in a facility’s cybersecurity plans.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (2022). The Impact of Ransomware on Healthcare. 405(d) Post:Volume XV).
This newsletter highlights the impacts of ransomware on the healthcare sector since 2021. It outlines key issues, statistics, and solutions that include links to additional sources of information on cybersecurity resilience efforts.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of the Chief Information Officer. (2019). HC3 Intelligence Briefing Update Ransomware Threat to State & Local Governments.
This presentation highlights key aspects of ransomware threats, early examples of attacks, operational impacts on healthcare, emerging trends, and strategies for protecting from and detecting vulnerabilities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of the Chief Information Officer. (2021). Conti Ransomware and the Health Sector.
This threat briefing reviews key aspects of the Conti ransomware attacks on the health sector, recent high-profile attacks, and description of impacts to hospital operations via real-world examples.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Secret Service, Cybercrime Investigations. (2021). Preparing for a Cyber Incident, a Guide to Ransomware.
This short factsheet provides a general overview of ransomware threats and characteristics, a short list of prevention measures, and a checklist for response efforts.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Risk and Threat

American Hospital Association. (n.d.). Cybersecurity and Risk Advisory Services. (Accessed 8/17/2022.)
This webpage contains information on AHA cyber services aimed at helping members increase resiliency against growing threats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
American Hospital Association. (n.d.). Resources- FBI TLP Alerts. (Accessed 8/17/2022.)
This AHA webpage contains a chronological list of all FBI Traffic Light Protocol reports and notifications on cyber threats and vulnerabilities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Anti-Phishing Work Group. (2021). APWG.
The Anti-Phishing Working Group (AFWG) is a coalition whose goal is to unify “the global response to cybercrime across industry, government, and law enforcement sectors and NGO communities.” Their website includes links to helpful resources, reporting mechanisms, programming options, and the like.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
Carnegie Mellon University, Software Engineering Institute. (2022). Vulnerability Notes Database.
This webpage includes information on recently published vulnerabilities, including technical details, remediation information, and lists of affected vendors. It also has search capabilities, links to archived vulnerability information, and guidance for reporting an incident.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Bad Practices. (Accessed 8/17/2022.)
This webpage is a collection of CISA identified risky behaviors that could impact critical infrastructure and national security. The catalog is periodically updated and also links directly to a CISA GitHub page where discussions on vulnerabilities and risks can be found.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Free Cybersecurity Services and Tools: Cyber Hygiene Vulnerability Scanning. (Accessed 8/21/2023.)
This CISA webpage provides information on how to access their free cyber hygiene services that include scanning, testing, and assessments.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). Known Exploited Vulnerabilities Catalog. (Accessed 8/17/2022.)
This webpage houses information on the KEV catalog, a federal “living list” of frequently abused vulnerabilities that are of significant risk to the national enterprise. This includes links to the list itself, criteria for adding vulnerabilities, and information on mitigation, workarounds, and prioritizing threats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. (n.d.). National Cyber Awareness System. (Accessed 8/17/22.)
This CISA information page is a single point of access for all current Federal cybercrime information including alerts, tips, bulletins, and analysis reports. It also contains up to date information on security topics, threats, and vulnerabilities that can be found by date in the “Alerts” and “Bulletins” sections.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency. (2023). Shields Up.
Russia’s invasion of Ukraine has included cyberattacks on Ukrainian critical infrastructure, which could have implications for cybersecurity in other parts of the world, including the U.S. This resource from the Cybersecurity and Infrastructure Security Agency (CISA) helps organizations prevent and respond to cyberattacks. The website contains guidance for organizations, corporate leaders, individuals, and ransomware response.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Cybersecurity and Infrastructure Security Agency, Federal Bureau of Investigation, and U.S. Department of Health and Human Services. (2020). Ransomware Activity Targeting the Healthcare and Public Health Sector: Alert (AA20-302A).
The coauthored joint cybersecurity advisory describes the tactics, techniques, and procedures (TTPs) used by cybercriminals against targets in the Healthcare and Public Health (HPH) Sector to infect systems with ransomware. Recent updates include information on Conti, TrickBot, and BazarLoader, as well as new IOCs and Yara Rules for detection.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Drew, S., Eftekhari, P. (2019). An Analysis of Responses to Senator Warner’s Health Sector Cybersecurity Inquiries. Institute for Critical Infrastructure Technology.
This analysis is based on publicly available responses from twelve healthcare organization and four federal agencies that were answering a letter from Senator Warren regarding short-term and long-term strategies for increasing cyber resiliency and decreasing vulnerabilities across the healthcare sector. The paper outline’s key themes and takeaways such as the need for streamlined collaboration, considerations for emerging cyber legislation, and the need for a standardized national cyber strategy.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Emergency Care Research Institute (ECRI). (2022). Special Report: Top Ten Health Technology Hazards for 2022.
This report provides insight on the major safety issues affecting the use of medical devices and systems in the healthcare industry. Some of these include disruptions to healthcare delivery impacting patient safety, supply chain concerns, telehealth workflows, and Wi-Fi ”dead zones” endangering patient care.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Federal Bureau of Investigation, Internet Crime Complaint Center IC3. (2022). FBI IC3 Industry Alerts.
This FBI cybercrime page contains a chronological list of all cyber alerts, reports, and advisories that have been released by the agency and its task force partners. These include Joint Cybersecurity Advisories, private industry notifications, and FBI cyber division Flash Reports, all of which contain information on current vulnerabilities and attack risks.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health Sector Cybersecurity Coordination Center (HC3). (2021). Sector Alert: Picture Archiving Communication Systems (PACS) Vulnerabilities.
This alert summarizes known vulnerabilities identified in PACS systems and servers since 2019 and includes guidance on mitigation and resources to reference more for more in-depth information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
* Healthcare and Public Health Sector Coordinating Council. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. (Accessed 8/16/2022.) U.S. Department of Health and Human Services.
This webpage provides direct access to the main guidance documents, a four-volume publication, that provides an overview of current HSCC cybersecurity threats faced by the healthcare and public health (HPH) sector. In addition, it links to Technical Volume 1 that outlines cyber safety practices for small healthcare organizations; Technical Volume 2 that discusses cybersecurity practices for medium to large healthcare organizations, and other resources and template materials that can be used to develop policies and procedures via a cybersecurity toolkit.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
Healthcare Information and Management Systems Society. (2020). HIMSS Cybersecurity Survey.
The 2020 cybersecurity survey provides insight into the landscape of U.S. healthcare organizations based on feedback from 168 U.S.-based industry professionals. It discusses the most common and significant security incidents, major threat actors and target areas, as well as where healthcare sector resilience gaps exist and can be improved.
Rate:
Favorite:
1
You must Login to add a comment
  • This item doesn't have any comments
InfraGard. (n.d.). InfraGard: Partnership for Prevention. (Accessed 8/17/2022.)
InfraGard is a partnership between the private sector and the Federal Bureau of Investigation, and members from businesses, academia, state and local law enforcement who represent 16 critical infrastructures (including emergency services and healthcare and public health) to facilitate information sharing on emerging technology and threats. Interested parties can apply to join online, and the open-access part of the webpage includes links to state and local chapters and a calendar of events.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Institute for Critical Infrastructure Technology. (2019). An Insight into the Current Security Posture of Healthcare IT: A National Security Concern.
This project, conducted in tandem with Carnegie Mellon University, aimed to assess the cybersecurity readiness level of the healthcare sector across healthcare IT, supply chain security, and emerging technology domains. The final report, presented to HHS, VA, and private sector experts during a government summit, included a summary of disruptions and potential threats to health information systems, security threats to connected devices, and a comparison of cybersecurity frameworks.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Internet Storm Center. (2021). Internet Storm Center (ISC).
This volunteer-run webpage was created in 2001 and features free warning and analysis to Internet users while working closely with Internet service providers to combat cyberattacks. The webpage features daily “Stormcasts” and links to articles, patches, podcasts, tools, and other helpful information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
MITRE. (2021). ATT&CK.
This resource is an opensource repository (or ‘knowledge base’) of known adversarial threat tactics and techniques collected by experts. It contains a matrix of tactics, techniques, sub-techniques, and defense evasions, among others, that break down methods used by cyber criminals to infiltrate systems.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
MITRE. (2022). Health Cyber: Resource Library.
This repository page is an easy way to navigate a variety of cyber-related healthcare resources collected from federal, private, and MITRE-produced data. Users can navigate by resource type (i.e., analyst note, official report, tool, website), user role, date, title, or organization type.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. (2021). National Vulnerability Database.
This database is a federal repository of ‘standards-based vulnerability management data’ using the Security Content Automation Protocol (SCAP). It includes security checklists, security-related software flaws, misconfigurations, product names, and impact metrics.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Skahill, E., West, D.M. (2021). Why Hospitals and Healthcare Organizations Need to Take Cybersecurity More Seriously. Brookings Institute.
This article highlights recent cyberattacks on major infrastructure such as the health sector and outlines the operational and financial impacts experienced. It underscores the major challenges facing the healthcare industry, including updated statistics and data, as well as recommendations for preventing future attacks.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Health Sector Cybersecurity Coordination Center (HC3). (2022). HC3 Products.
This health sector page provides access to HC3 and partner threat briefs, sector alerts, joint threat bulletins, and other cyber-related resources to help organizations maintain situational awareness of current cyber vulnerabilities and threats.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. (2021). OCR Cyber Awareness Newsletters. (Bottom Page)
The Office for Civil Rights issues periodic newsletters share knowledge about the various security threats and vulnerabilities that currently exist in the healthcare sector, helping stakeholders understand what security measures can be taken to decrease the possibility of being exposed by these threats, and how to reduce breaches of electronic protected health information.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (2021). The Evolution of Ryuk.
This slide deck provides an overview of one of the largest medical cyberattacks in history. It includes a summary of the initial attacks, new variant and vulnerabilities, as well as describes impacts and best practice prevention methods for healthcare facilities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (2021). Threats in Healthcare Cloud Computing.
This slide deck provides an overview of HHS cloud computing guidance for the healthcare sector and is targeted for a technical and non-technical audience. It reviews cloud services, cloud models, and their associated risks, and vulnerabilities as well as preparedness and response activities.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of Information Security. (2022). Log4J Vulnerabilities and the Health Sector.
This slide deck contains an overview of Log4j vulnerabilities that may impact the health sector. It includes a summary of known compromises, timeline of major vulnerability events, and best practices relevant to healthcare.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments

Agencies and Organizations

American Hospital Association. Center for Health Innovation. Cybersecurity & Digital Health.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Anti-Phishing Work Group.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Carnegie Mellon University. Software Engineering Institute.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cyber Health Working Group.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. Cybersecurity Best Practices.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. Healthcare and Public Health Sector.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Cybersecurity and Infrastructure Security Agency. U.S. Computer Emergency Response Team (US-CERT).
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Domestic Security Alliance Council. DSAC Cyber Resources.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Federal Bureau of Investigation. Cyber Crime.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health Information Sharing and Analysis Center.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Health Information Trust Alliance.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare and Public Health Sector Coordinating Council (HSCC). Cybersecurity Working Group (CWG).
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Healthcare Information and Management Systems Society. HIMSS Cybersecurity and Privacy.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
HealthcareITNews. Privacy and Security.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
HIPAA Journal.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Institute for Critical Infrastructure Technology. ICIT Health Sector.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Institute for Security and Technology.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
MITRE. Health Cyber.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Council of Information Sharing and Analysis Centers (ISACs).
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
National Institute of Standards and Technology. Information Technology- Cybersecurity.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
Ponemon Institute. Ponemon Library.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
SANS Institute. Internet Storm Center.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S Department of Health and Human Services. Office of the Chief Information Officer. OCIO Cybersecurity.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services. Health Sector Cybersecurity Coordination Center (HC3).
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office for Civil Rights. HIPAA for Professionals.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response. Health Care Industry Cybersecurity Task Force.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Food and Drug Administration. Medical Devices. Digital Health Center of Excellence.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
U.S. Secret Service. Cyber Investigations.
Rate:
Favorite:
You must Login to add a comment
  • This item doesn't have any comments
This Topic Collection was updated in August 2022. It was was comprehensively reviewed in May 2016 by the following subject matter experts (listed in alphabetical order):

Bryan Cline, Ph.D., Vice President, Standards & Analytics, Health Information Trust Alliance; Scott Cormier, Vice President, Emergency Management, EC, and Safety, Medxcel; Steve Curren, MSFS, Director, Division of Resilience, Office of Emergency Management, HHS ASPR; Andrea Geiger, Health Information Privacy and Security Specialist, U.S. Department of Health and Human Services, Office for Civil Rights; John Hick, MD, HHS ASPR and Hennepin County Medical Center; Iliana Peters, Senior Health Information Privacy Specialist, U.S. Department of Health and Human Services, Office for Civil Rights; Patrick Pilch, CPA, MBA, Managing Director and National Healthcare Advisory Leader, BDO; Shahryar Shaghaghi, MS, Technology Advisory Services National Leader and Head of International Cybersecurity, BDO; and Staff from the Office of Information Security, HHS.
footer

Enter your email address to receive important announcements and updates through the ASPR TRACIE Listserv.