Health Information Cybersecurity
In today’s digital world, protecting personal and organizational information is more important than ever. In response to community feedback, we’ve gathered a selection of trusted cybersecurity resources to help you stay safe online. While these resources are not developed or maintained by our office, we are sharing them to support awareness, education, and best practices in digital security.
These resources provide the foundational rules and guidelines that healthcare organizations must follow.
HHS.gov HIPAA Resources: The U.S. Department of Health and Human Services (HHS) provides a wealth of information on HIPAA, including the Privacy, Security, and Breach Notification Rules. U.S. Department of Health & Human Services. (n.d.). HIPAA home. https://www.hhs.gov/hipaa/index.html
- HIPAA Security Rule Guidance: This section offers educational materials on how to implement security standards for electronic Protected Health Information (ePHI). U.S. Department of Health & Human Services, Office for Civil Rights. (2024, October 24). Security Rule Guidance Material. https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
- Cybersecurity Guidance: This area includes video presentations, checklists, and guides to help covered entities and business associates defend against cyber-attacks, including ransomware. U.S. Department of Health & Human Services, Office for Civil Rights. (2024, October 24). Cybersecurity guidance material. https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecu…
- Security Risk Assessment (SRA) Tool: The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) provide this tool to help organizations of all sizes assess their security risks and comply with HIPAA requirements. Office of the National Coordinator for Health Information Technology. (n.d.). Security Risk Assessment Tool. U.S. Department of Health & Human Services. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk…
CISA Healthcare & Public Health (HPH) Sector Cybersecurity: The Cybersecurity and Infrastructure Security Agency (CISA) works with HHS to provide tools and resources specifically for the healthcare sector. Cybersecurity and Infrastructure Security Agency. (n.d.). Healthcare and public health cybersecurity. U.S. Department of Homeland Security. https://www.cisa.gov/topics/cybersecurity-best-practices/healthcare
- HPH Sector Cybersecurity Performance Goals (CPGs): These are a voluntary set of prioritized cybersecurity practices to help organizations strengthen their cyber preparedness. U.S. Department of Health & Human Services. (2023). Healthcare and Public Health Sector-Specific Cybersecurity Performance Goals. https://hhscyber.hhs.gov/documents/cybersecurity-performance-goals.pdf
- Cybersecurity Tools and Services: CISA offers a variety of resources, from incident response planning to guidance on tackling ransomware. Cybersecurity and Infrastructure Security Agency. (n.d.). Free Cybersecurity Services & Tools. U.S. Department of Homeland Security. https://www.cisa.gov/resources-tools/resources/free-cybersecurity-servi…
NIST Cybersecurity Framework (CSF): The National Institute of Standards and Technology (NIST) provides a comprehensive framework for managing and reducing cybersecurity risk. National Institute of Standards and Technology. (n.d.). Cybersecurity Framework. U.S. Department of Commerce. https://www.nist.gov/cyberframework
- NIST SP 800-66 Rev. 2: This publication, titled "Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide," provides a crosswalk between the NIST Framework and the HIPAA Security Rule, helping organizations align their security practices. Marron, J. (2024, February). Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST SP 800-66r2). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-66r2
These resources go beyond compliance to offer practical, actionable steps for improving cybersecurity posture.
CIS Controls (Center for Internet Security): These are a prioritized, simplified set of best practices developed by a community of experts. They're a great starting point for organizations with limited resources, as they are divided into implementation groups based on an organization's size and data sensitivity. Center for Internet Security. (n.d.). CIS Critical Security Controls. https://www.cisecurity.org/controls
- Control 3 (Data Protection): This control focuses on securing data through encryption and access controls.
- Control 14 (Security Awareness and Skills Training): This emphasizes the importance of a security awareness program to increase employee knowledge of threats like phishing and malware.
- Control 17 (Incident Response Management): This highlights the need for a formal incident response plan to quickly detect, analyze, and mitigate security incidents.
SANS Institute Resources: SANS is a leading organization for cybersecurity training and research. SANS Institute. (n.d.). Cybersecurity Resources. https://www.sans.org/security-resources
- Policy Templates: They offer free, downloadable templates for security policies, which can be an excellent starting point for organizations that need to formalize their internal procedures. SANS Institute. (2025, April 15). Cybersecurity policies and standards: Information security policy templates. https://www.sans.org/information-security-policy
- White Papers and Webinars: These resources provide insights into emerging threats and best practices for defense.
AMA's Cybersecurity Resources: The American Medical Association (AMA) provides physician-focused resources, including checklists and guides for small practices to help them understand and comply with HIPAA rules. American Medical Association. (2025, July 21). Physician cybersecurity. https://www.ama-assn.org/practice-management/sustainability/physician-c…
HHS Cybersecurity Newsletter Archive: The Office for Civil Rights (OCR) publishes quarterly newsletters that identify emerging or prevalent security issues and best practices to safeguard Protected Health Information (PHI). These are excellent, easily digestible resources to share with users to keep them informed. U.S. Department of Health & Human Services, Office for Civil Rights. (n.d.). Cybersecurity newsletters archive. https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecu…