Cybersecurity Reports and Tools
Managing Cyber Threats and Risks
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): The HICP aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the healthcare industry. It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes that enhance patient care. The document focuses on a number of threats, including email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or data loss; and attacks against connected medical devices that may affect patient safety. The publication includes a main document, two technical volumes, and resources and templates.
Security Risk Assessment Tool: The Security Risk Assessment Tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program.
Health Care Industry Cybersecurity (HCIC) Task Force (TF): Report on Improving Cybersecurity in the Health Care Industry: This report provides detailed recommendations that will collectively help federal agencies work with their partners in the healthcare industry to increase healthcare security. These recommendations are centered around six imperatives and related action items for implementing the recommendations. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices. This report was developed by the Health Care Industry Cybersecurity Task Force, which was called for in the Cybersecurity Act of 2015, Section 405(c). The CSA 405(d) Task Group was cognizant of the imperatives and recommendations of the HCIC TF as it underwent the development of the HICP publication.
Cybersecurity for Medical Devices
FDA: Medical Devices and Cybersecurity: The FDA provides recommendations for mitigating and managing cybersecurity threats associated with medical devices and product-specific safety communications related to cybersecurity vulnerabilities.
Incident Reporting and Response
CMS Risk Management Handbook: Incident Response: This chapter describes standard operating procedures that facilitate the implementation of security controls associated with the Incident Response (IR) family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, and tailored to the CMS environment in the CMS ARS. Use the Incident Report Template to facilitate documenting and reporting computer security incidents.
Ransomware
Fact Sheet: Ransomware and HIPAA: This fact sheet describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role HIPAA has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.
HIPAA Covered Entities: Additional Recommendations and Requirements
Privacy, Security and HIPAA: Learn about the federal policies and regulations that are in place to help protect patient privacy and guide the nation’s adoption of health information technology.
Quick Response Guide: My entity just experienced a cyber-attack! What do we do now?
This guide explains, in brief, the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident.
Cyber-Attack Quick Response Infographic: At-a-glance guide to the major steps of responding to a cyber-incident for a HIPAA covered entity.
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework: The Cybersecurity Framework provides a voluntary, risk-based approach—based on existing standards, guidelines, and practices—to help HIPAA covered entities understand, communicate, and manage cybersecurity risks.
This page last reviewed: February 12, 2019