Skip Ribbon Commands
Skip to main content
Skip over global navigation links
U.S. Department of Health and Human Services

Cybersecurity Reports and Tools

Managing Cyber Threats and Risks

  • Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP): The HICP aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the healthcare industry. It seeks to aid healthcare and public health organizations to develop meaningful cybersecurity objectives and outcomes that enhance patient care. The document focuses on a number of threats, including email phishing attacks; ransomware attacks; loss or theft of equipment or data; insider, accidental or data loss; and attacks against connected medical devices that may affect patient safety. The publication includes a main document, two technical volumes, and resources and templates.

  • Security Risk Assessment Tool: Security Risk Assessment Tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.

  • Health Care Industry Cybersecurity (HCIC) Task Force (TF): Report on Improving Cybersecurity in the Health Care Industry: This report provides detailed recommendations that will collectively help federal agencies work with their partners in the healthcare industry to increase healthcare security. These recommendations are centered around six imperatives and related action items for implementing the recommendations. Once implemented, the recommendations will increase security for the health care industry’s organizations, networks, and associated medical devices. This report was developed by the Health Care Industry Cybersecurity Task Force, which was called for in the Cybersecurity Act of 2015, Section 405(c). The CSA 405(d) Task Group was cognizant of the imperatives and recommendations of the HCIC TF as it underwent the development of the HICP publication.

Cybersecurity for Medical Devices

  • FDA: Medical Devices and Cybersecurity: The FDA provides recommendations for mitigating and managing cybersecurity threats associated with medical devices and product-specific safety communications related to cybersecurity vulnerabilities.

Incident Reporting and Response

  • CMS Risk Management Handbook: Incident Response: This chapter describes standard operating procedures that facilitate the implementation of security controls associated with the Incident Response (IR) family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations and tailored to the CMS environment in the CMS ARS. Use the Incident Report Template to facilitate documenting and reporting computer security incidents.


  • Fact Sheet: Ransomware and HIPAA: This fact sheet describes ransomware attack prevention and recovery from a healthcare sector perspective, including the role HIPAA has in assisting HIPAA covered entities and business associates to prevent and recover from ransomware attacks, and how HIPAA breach notification processes should be managed in response to a ransomware attack.

HIPAA Covered Entities: Additional Recommendations and Requirements

  • This page last reviewed: February 12, 2019