Cybersecurity Reports and Tools

Managing Cyber Threats and Risks

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): The HICP aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the healthcare industry. It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes that enhance patient care. The document focuses on a number of threats, including email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or data loss; and attacks against connected medical devices that may affect patient safety. The publication includes a main document, two technical volumes, and resources and templates.

Security Risk Assessment Tool: Security Risk Assessment Tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.

Health Care Industry Cybersecurity (HCIC) Task Force (TF): Report on Improving Cybersecurity in the Health Care Industry: This report provides detailed recommendations that will collectively help federal agencies work with their partners in the healthcare industry to increase healthcare security. These recommendations are centered around six imperatives and related action items for implementing the recommendations. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices. This report was developed by the Health Care Industry Cybersecurity Task Force, which was called for in the Cybersecurity Act of 2015, Section 405(c). The CSA 405(d) Task Group was cognizant of the imperatives and recommendations of the HCIC TF as it underwent the development of the HICP publication.

FDA: Medical Devices and Cybersecurity: The FDA provides recommendations for mitigating and managing cybersecurity threats associated with medical devices and product-specific safety communications related to cybersecurity vulnerabilities.

CMS Risk Management Handbook: Incident Response: This chapter describes standard operating procedures that facilitate the implementation of security controls associated with the Incident Response (IR) family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations and tailored to the CMS environment in the CMS ARS. Use the Incident Report Template to facilitate documenting and reporting computer security incidents.

Fact Sheet: Ransomware and HIPAA: This fact sheet describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role HIPAA has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.

Privacy, Security and HIPAA: Learn about the federal policies and regulations that are in place to help protect patient privacy and guide the nation’s adoption of health information technology.

Quick Response Guide: My entity just experienced a cyber-attack! What do we do now? This guide explains, in brief, the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident.

Cyber-Attack Quick Response Infographic: At-a-glance guide to the major steps of responding to a cyber-incident for a HIPAA covered entity.

HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework: The Cybersecurity Framework provides a voluntary, risk-based approach—based on existing standards, guidelines, and practices—to help HIPAA covered entities understand, communicate, and manage cybersecurity risks.