Health Information Cybersecurity

In today’s digital world, protecting personal and organizational information is more important than ever. In response to community feedback, we’ve gathered a selection of trusted cybersecurity resources to help you stay safe online. While these resources are not developed or maintained by our office, we are sharing them to support awareness, education, and best practices in digital security.

These resources provide the foundational rules and guidelines that healthcare organizations must follow.

HHS.gov HIPAA Resources: The U.S. Department of Health and Human Services (HHS) provides a wealth of information on HIPAA, including the Privacy, Security, and Breach Notification Rules. U.S. Department of Health & Human Services. (n.d.). HIPAA home. https://www.hhs.gov/hipaa/index.html

CISA Healthcare & Public Health (HPH) Sector Cybersecurity: The Cybersecurity and Infrastructure Security Agency (CISA) works with HHS to provide tools and resources specifically for the healthcare sector. Cybersecurity and Infrastructure Security Agency. (n.d.). Healthcare and public health cybersecurity. U.S. Department of Homeland Security. https://www.cisa.gov/topics/cybersecurity-best-practices/healthcare

NIST Cybersecurity Framework (CSF): The National Institute of Standards and Technology (NIST) provides a comprehensive framework for managing and reducing cybersecurity risk. National Institute of Standards and Technology. (n.d.). Cybersecurity Framework. U.S. Department of Commerce. https://www.nist.gov/cyberframework

  • NIST SP 800-66 Rev. 2: This publication, titled "Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide," provides a crosswalk between the NIST Framework and the HIPAA Security Rule, helping organizations align their security practices. Marron, J. (2024, February). Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST SP 800-66r2). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-66r2

These resources go beyond compliance to offer practical, actionable steps for improving cybersecurity posture.

CIS Controls (Center for Internet Security): These are a prioritized, simplified set of best practices developed by a community of experts. They're a great starting point for organizations with limited resources, as they are divided into implementation groups based on an organization's size and data sensitivity. Center for Internet Security. (n.d.). CIS Critical Security Controls. https://www.cisecurity.org/controls

  • Control 3 (Data Protection): This control focuses on securing data through encryption and access controls.
  • Control 14 (Security Awareness and Skills Training): This emphasizes the importance of a security awareness program to increase employee knowledge of threats like phishing and malware.
  • Control 17 (Incident Response Management): This highlights the need for a formal incident response plan to quickly detect, analyze, and mitigate security incidents.

SANS Institute Resources: SANS is a leading organization for cybersecurity training and research. SANS Institute. (n.d.). Cybersecurity Resources. https://www.sans.org/security-resources

  • Policy Templates: They offer free, downloadable templates for security policies, which can be an excellent starting point for organizations that need to formalize their internal procedures. SANS Institute. (2025, April 15). Cybersecurity policies and standards: Information security policy templates. https://www.sans.org/information-security-policy
  • White Papers and Webinars: These resources provide insights into emerging threats and best practices for defense.

AMA's Cybersecurity Resources: The American Medical Association (AMA) provides physician-focused resources, including checklists and guides for small practices to help them understand and comply with HIPAA rules. American Medical Association. (2025, July 21). Physician cybersecurity. https://www.ama-assn.org/practice-management/sustainability/physician-c…

HHS Cybersecurity Newsletter Archive: The Office for Civil Rights (OCR) publishes quarterly newsletters that identify emerging or prevalent security issues and best practices to safeguard Protected Health Information (PHI). These are excellent, easily digestible resources to share with users to keep them informed. U.S. Department of Health & Human Services, Office for Civil Rights. (n.d.). Cybersecurity newsletters archive. https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecu…