Return to the main Resources page
Regulations, Standards, and Laws
HIPAA Guidance and Tools
Guidance from NIST
Document Retention Guidelines
• The HHS OCR Q1 2022 Cybersecurity Newsletter provides a good overview of Defending Against Common Cyber-Attacks. Common threats (such as Phishing) and mitigations are discussed, with a list of resources. See the March 17, 2022 OCR newsletter at: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-first-quarter-2022/index.html and a March 18, 2022 article in HIPAA Journal at: https://www.hipaajournal.com/ocr-hipaa-security-rule-compliance-can-prevent-and-mitigate-most-cyberattacks/
• The HHS OCR October 2022 Cybersecurity Newsletter focuses on HIPAA Security Rule Security Incident Procedures, providing a good overview of incident handling preparation and execution, including steps in:
- Forming a security incident response team
- Identifying security incidents
- Responding to security incidents
- Mitigating harmful effects of a security incident
- Documenting the security incident
- Understanding your breach reporting obligations
The newsletter is available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-october-2022/index.html
• In late 2021 the Healthcare Supply Chain Association (HSCA) published two documents for medical device manufacturers, healthcare delivery organizations, and service providers: Medical Device and Service Cybersecurity: Key Considerations for Manufacturers & Healthcare Delivery Organizations, and Recommendations for Medical Device Cybersecurity Terms and Conditions. Together they include 50 requirement statements (search for “should”), 18 of which (those in the last two sections) are very good requirements to convince procurement to include in all RFPs and contracts for medical devices and services.
The guidance covers important notifications, such as warranty and lifecycle information, partnerships to resolve security incidents in a timely fashion, and breach/incident sharing with the appropriate ISAOs free of non-disclosure restrictions.
Healthcare providers will need to push on their suppliers to ensure they are complying with appropriate security practices prior to signing contracts. Suppliers need to make sure the providers understand the needed security when deploying their products and services. Then healthcare providers need to actively assess their protections regularly.
See: https://www.supplychainassociation.org/wp-content/uploads/2021/12/Cybersecurity-Key-Considerations-FINAL.pdf and https://www.supplychainassociation.org/wp-content/uploads/2021/12/HSCA-Recommended-Cybersecurity-TsCs-FINAL.pdf
• The US Department of Energy has released documents relating to the Cybersecurity Capability Maturity Model (C2M2) Program, which is designed for the energy sector but is useful in any context. It provides a useful framework for evaluating your cybersecurity preparedness and identifying where to focus security efforts. Version 1.1 (February 2014) is currently available, and version 2.0 is now in draft form. See: https://www.energy.gov/ceser/energy-security/cybersecurity-capability-maturity-model-c2m2-program
• On July 29, 2021, the US National Security Agency (NSA) published Guidance on Wireless Device Security for people traveling or working remotely. The cybersecurity information sheet “describes how to identify potentially vulnerable connections and protect common wireless technologies, and lists steps users can take to help secure their devices and data.” See https://media.defense.gov/2021/Jul/29/2002815141/-1/-1/0/CSI_SECURING_WIRELESS_DEVICES_IN_PUBLIC.PDF and for a related article in BleepingComputer, see: https://www.bleepingcomputer.com/news/security/nsa-shares-guidance-on-how-to-secure-your-wireless-devices/
• On July 16, 2021, HHS OCR shared information from the Cybersecurity and Infrastructure Security Agency (CISA) announcing the StopRansomware.gov website, the U.S. Government’s One-Stop Location to Stop Ransomware, a whole-of-government approach that gives one central location for ransomware resources and alerts. The site helps organizations understand the threat of ransomware, mitigate risk, and, in the event of an attack, know what steps to take next. It is an interagency resource that provides ransomware protection, detection, and response guidance, including ransomware alerts, reports, and resources from CISA, the FBI, and other federal partners. See: https://www.cisa.gov/stopransomware
On September 21, 2021, HHS OCR published to its list-serve a list of Ransomware Resources for HIPAA Regulated Entities available to assist in preventing, detecting, and mitigating breaches of unsecured protected health information caused by hacking and ransomware.
The list includes links to more than a dozen HHS Health Sector Cybersecurity Coordination Center Threat Briefs; HHS Resources on Section 405(d) of the Cybersecurity Act of 2015; OCR Guidance on Ransomware, Cybersecurity, and Risk Analysis; the HHS Security Risk Assessment Tool; CISA and FBI Ransomware Guides and Resources; and OCR Cybersecurity Newsletters.
The list is available at https://www.databreaches.net/ransomware-resources-for-hipaa-regulated-entities/ and at https://cchipaa.com/blog/f/ocr-provides-ransomware-resources
• On May 26, 2017, Healthcare Informatics reported that the ECRI Institute has released a new guidance article, Ransomware Attacks: How to Protect Your Medical Device Systems, with recommendations to help hospitals identify and protect against ransomware attacks. The report provides recommendations for adapting general cybersecurity principles to the particular requirements of medical device systems, including a list of immediate do's and don'ts for quickly responding to emerging threats. The Healthcare Informatics article is available at: https://www.healthcare-informatics.com/news-item/cybersecurity/ecri-institute-publishes-guidance-protecting-medical-devices-ransomware and the ECRI guidance, published May 18, 2017 is available at: https://www.ecri.org/components/HDJournal/Pages/Ransomware-Attacks-How-to-Protect-Your-Systems.aspx
• On July 13, 2016, Health Data Management reported (see: http://www.healthdatamanagement.com/news/fbi-sees-rising-cyber-threats-to-healthcare-organizations) that the FBI issued guidance on best practices for protecting healthcare data, re-emphasizing some well-known precautions, but also including others that may not be widely used. The FBI suggests that healthcare organizations:
• Enhance employee awareness about malware threats and train appropriate individuals on information security principles and techniques.
• Patch the operating system, software and firmware on devices. All endpoints should be patched as vulnerabilities are discovered. This precaution can be made easier through a centralized patch management system.
• Ensure anti-virus and anti-malware solutions are set to automatically update and that regular scans are conducted.
• Manage the use of privileged accounts by implementing the principle of least privilege. No users should be assigned administrative access unless absolutely needed.
• Those with a need for administrator accounts should only use them when necessary; they should operate with standard user accounts at all other times.
• Configure access controls with least privilege in mind. If a user only needs to read specific files, he or she should not have “write” access to those files, directories or shares.
• Disable macro scripts from office files transmitted via e-mail.
• Implement software restriction policies or other controls to prevent the execution of programs in common malware locations.
• Regularly back up data and verify the integrity of those backups.
• Secure backups and ensure that backups are not connected to the computers and networks they are backing up. Examples might be securing backups in the cloud or physically storing them offline.
• Implement application whitelisting. Only allow systems to execute programs known and permitted by security policy.
• Use virtualized environments to execute operating systems or specific programs.
• Categorize data based on organizational value and implement physical/logical separation of networks and data for different organization units. For example, sensitive research or business data should not reside on the same server or network segment as an organization’s e-mail environment.
• Require user interaction for end user applications communicating with Web sites uncategorized by the network proxy or firewall. Examples include requiring users to type information or enter a password when their system communicates with an uncategorized Web site.
• On May 16, 2016, Health Data Management magazine’s Web site published a very useful, practical guide to preventing ransomware attacks by such means as:
• Developing a plan for an end-user awareness program and implementing it across the hospital
• Reviewing the server backup processes and evaluating users' network drive permissions
• Auditing user privilege roles
• Disabling macro scripts from MS Office files
• Reviewing monthly patch management processes and inbound spam and malware protection
• Installing a next-generation firewall and advanced endpoint protection
Go to the site, copy the entire list, and get to work, right now. See: http://www.healthdatamanagement.com/opinion/how-healthcare-providers-can-prevent-ransomware-attacks
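The backup items in the two lists above (verify the integrity of backups and keep them disconnected from the systems they protect, in the FBI list; review the server backup processes, in the Health Data Management list) are where a ransomware incident is survived or not. The Python script below is an added example, not code from the FBI, Health Data Management, or this site: it builds a SHA-256 manifest of a backup set, keeps that manifest apart from the backed-up files (here in memory, standing in for a copy on another host), and later reports files that were modified, went missing, or appeared, with a bulk-change heuristic for spotting encryption. The sample files, the ransomware-style `.locked` rename, and the 50% change threshold are this example's own assumptions.

```python
"""Backup integrity manifest with a simulated ransomware run.

Added example; not code from any of the guidance documents listed on this page.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB blocks so large backup files are not read into memory at once
BULK_CHANGE_RATIO = 0.5  # assumed threshold: half the manifest touched looks like encryption, not normal churn


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root, manifest: dict) -> dict:
    """Compare the backup set at root against a manifest that was stored elsewhere.

    Returns modified (digest differs), missing (in manifest, not on disk) and
    extra (on disk, not in manifest) paths, plus a flag when the share of
    modified-or-missing entries suggests bulk rewriting or renaming.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    extra = sorted(k for k in current if k not in manifest)
    touched = len(modified) + len(missing)
    suspicious = bool(manifest) and touched / len(manifest) >= BULK_CHANGE_RATIO
    return {
        "ok": not (modified or missing or extra),
        "modified": modified,
        "missing": missing,
        "extra": extra,
        "possible_encryption": suspicious,
    }


def demo() -> dict:
    """Constructed backup set: build a manifest, then damage the set and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "records").mkdir(parents=True)
        # Constructed sample files, not real data.
        (backup / "records" / "patients.csv").write_text("id,name\n1,Jane Doe\n")
        (backup / "records" / "schedule.ics").write_text("BEGIN:VCALENDAR\nEND:VCALENDAR\n")
        (backup / "readme.txt").write_text("nightly export\n")

        # The manifest must live off the backed-up system (the point of keeping
        # backups disconnected). The JSON round trip shows it is a plain document
        # that can be written to a separate host or offline medium.
        manifest = json.loads(json.dumps(build_manifest(backup)))
        assert verify_backup(backup, manifest)["ok"]

        # Simulated intrusion: one file overwritten with ciphertext-like bytes,
        # one renamed with an assumed ransomware-style extension.
        (backup / "records" / "patients.csv").write_bytes(os.urandom(64))
        (backup / "readme.txt").rename(backup / "readme.txt.locked")
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the report for the constructed set; in practice, run `build_manifest` right after each backup job, copy the manifest somewhere the backup host cannot write, and run `verify_backup` from a clean machine before trusting a restore. The heuristic is deliberately simple: a file that is both missing and reappears under a new name is exactly the pattern the manifest comparison makes visible.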
• On April 15, 2016, the Federal Trade Commission (FTC) announced a new web-based tool, developed in conjunction with OCR, the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), to help developers of health-related mobile apps understand which federal laws and regulations might apply to them.
Based on the developer’s answers to a series of questions about the app, the guidance tool will point the developer toward information about federal laws that might apply, including the FTC Act, the FTC’s Health Breach Notification Rule, HIPAA, and the Federal Food, Drug and Cosmetics Act (FD&C Act).
Developers seeking more information about how the HIPAA Rules might apply to their apps should visit OCR’s health app developer portal. One new resource on the portal is Health App Use Scenarios and HIPAA, which analyzes whether HIPAA applies to a range of example health app scenarios and offers questions to consider in determining when HIPAA’s regulations cover a particular health app.
See: http://www.hhs.gov/hipaa/for-professionals/special-topics/developer-portal/index.html
• In March 2015, the PCI Security Standards Council released a new Information Supplement: Penetration Testing Guidance, including a useful explanation of the difference between a penetration test and a vulnerability scan, as well as descriptions of test components, tester qualifications, and methodology, with a few case studies. While the guidance is focused on payment card information protection, it is easy to apply to health information protection. See: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
• The US Office of Personnel Management released in April 2011 a Guide to Telework in the Federal Government that provides an overall program for handling remote workers. It's probably a bit more detailed than most healthcare organizations need, but it covers the bases pretty well, even though the words "privacy" and "confidentiality" never appear ("security" does). See: http://www.telework.gov/guidance_and_legislation/telework_guide/telework_guide.pdf
• epic.org publishes the fantastic EPIC Online Guide to Practical Privacy Tools which lists all the practical technical tools you could ever ask for to be used in securing information at rest and in transit. See: http://epic.org/privacy/tools.html
• SANS provides the CIS Critical Security Controls, Version 6.0 as of January 2016 (formerly known as the Consensus Audit Guidelines, or CAG). The list includes 20 critical controls to have in place to prevent the vast majority of potential security issues in any organization. If you implement these top 20 controls, you will have addressed the vast majority of your security risks. Do this now! The controls are available at: https://www.sans.org/critical-security-controls/
• SANS also provides additional resources developed for the October 2015 Cyber Security Awareness Month: visit http://cyberaware.securingthehuman.org/ to access dozens of tools, videos and articles all related to security awareness. Five of the most popular resources include:
1. Securing Your Kids Handout - https://cyberaware.securingthehuman.org/securing-your-kids/
2. Top 3 Takeaways from 2015 Security Awareness Report - https://cyberaware.securingthehuman.org/2015-security-awareness-report-takeaways/
3. Security Awareness Planning Kit - https://cyberaware.securingthehuman.org/security-awareness-planning-kit/
4. How to Use Mobile Apps Securely - https://cyberaware.securingthehuman.org/use-mobile-apps-securely/
5. How to Use Social Media Securely - https://cyberaware.securingthehuman.org/use-social-media-securely/
Visit http://cyberaware.securingthehuman.org/ today to get the latest tools and tips, and be sure to check out the Tip of the Day section: https://cyberaware.securingthehuman.org/security-awareness-tip-of-the-day/
• In April of 2016 Verizon Enterprise Solutions released the 2016 Data Breach Investigations Report, pulling together incident data from around the world to reveal insights based on over 100,000 incidents from 82 countries, including analysis of 2,260 confirmed data breaches. Highlights include:
- 89% of breaches had a financial or espionage motive
- Over 85% of all security incidents fit into just nine categories
- The biggest risks you face and what attacks look like
- Practical steps you can take today to better protect your data
Healthcare was listed as a top industry for issues in the categories of Insider and Privilege Misuse, Miscellaneous Errors, Physical Theft and Loss, and Everything Else. As to the issue of Physical Theft and Loss, they offer the following haiku:
Employees lose things
Bad guys also steal your stuff
Full disk encryption
This is one of the most useful, practical, readable guides to dealing with current security and data breach issues and should be required reading in every IT department. See: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/insiders/
• On January 19, 2016, HIMSS launched its Healthcare Cybersecurity Community for its members, which provides a forum where healthcare constituents can discuss and learn about advancing the state of cybersecurity in the healthcare industry. Participation in the community includes monthly discussions via WebEx with healthcare cybersecurity thought leaders and discussion with peers in the healthcare sector. In addition, members of the Healthcare Cybersecurity Community can engage in dialogue with each other through a dedicated ListServ. See: http://www.himss.org/get-involved/community/cybersecurity.
How to join the community (you must be a member of HIMSS):
1. Log into the HIMSS member portal at https://marketplace.himss.org/My-Account/Participation
2. Under the “My Involvement” tab, click on the "Edit Participations” button.
3. Select "Healthcare Cybersecurity Community" and click on the “Save” button.
After you have completed steps 1 through 3, you will be automatically added to the HIMSS Healthcare Cybersecurity Community itself as well as the ListServ.
• On January 15, 2016 the US Food and Drug Administration (FDA) announced draft guidance on important steps medical device manufacturers should take to continually address cybersecurity risks to keep patients safe and better protect the public health. The draft guidance details the agency’s recommendations for monitoring, identifying and addressing cybersecurity vulnerabilities in medical devices once they have entered the market. The announcement is available at: http://www.fda.gov/NewsEvents/Newsroom/PressAnnouncements/ucm481968.htm and the guidance, posted January 22, 2016, is available at: http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/UCM482022.pdf
• On February 23, 2016 the Computer Incident Response Center Luxembourg (CIRCL) released TR-41 Crypto Ransomware - Proactive defenses and incident response, a guide to defending and recovering from Crypto Ransomware attacks. The guidance provides actionable measures to prevent and repel ransomware incidents. Highly recommended reading for all! See: https://www.circl.lu/pub/tr-41/
• The Department of Homeland Security has published the latest version of its Handbook for Safeguarding Sensitive Personally Identifiable Information, a very understandable, digestible guide prepared for DHS staff, contractors, etc. that is a great guide for anyone protecting information. If it's good enough for Homeland Security, it must be a good place to start for your own guide! The Handbook is at: http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf
• In July 2013, the Australian Defence Signals Directorate released information security advice that is useful for healthcare security professionals to consider as they discover and plan for mitigation of information security risks. One of the guides, Top 4 Strategies to Mitigate Targeted Cyber Intrusions, available at http://www.dsd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm, describes four controls (application whitelisting, patching applications, patching operating systems, and restricting administrative privileges) that DSD found would have mitigated at least 85% of the targeted intrusions it responded to. Another of the guides focuses on Assessing Security Vulnerabilities and Patches, and is available at http://www.dsd.gov.au/publications/csocprotect/assessing_security_vulnerabilities_and_patches.htm. A third guide, released in April of 2013, discusses Additional Security Considerations and Controls for Virtual Private Networks; see http://www.dsd.gov.au/publications/csocprotect/addtional_security_considerations_and_controls_for_vpn.htm. These guides are written for the use of all levels of the Australian government but are compact, easy to understand, and provide a great foundation for security. All of the guides are available on the Web pages listed above, and as downloadable .pdf files on those pages. Highly recommended.
• Osterman Research provides a very informative set of white papers concerning information security and data retention, and e-mail archiving in particular, free of charge via their web site at http://www.ostermanresearch.com/downloads.htm .
• California's Department of Consumer Affairs, Office of Privacy Protection has published Recommended Practices on Notice of Security Breach Involving Personal Information, with recommendations in three parts – protection and prevention, preparation for notification, and notification. This is an excellent guide that sets a floor for what should be done in any information security program, and explains the California law, which is similar to that of many other states. Updated in January 2012 to include the latest information, regulations, and legislation. http://www.privacy.ca.gov/business/recom_breach_prac.pdf
• The New York State Consumer Protection Board has issued a Business Privacy Guide, How to Handle Personal Information and Limit the Prospects of Identity Theft, a sixteen page guide to understanding what personal information is maintained or recorded, key New York State and Federal laws, and actions to take to prepare for and respond to a breach, including a sample breach reporting form. The guide is available at: http://www.nysconsumer.gov/pdf/the_new_york_business_guide_to_privacy.pdf
• The International Security Breach Notification Survey, prepared by Foley & Lardner LLP and Eversheds LLP in November 2009, is a comprehensive guide to state, national, and international security breach notification laws, useful as a guide to any business that may suffer a breach of information security. The report is available at: http://www.mekabay.com/infosecmgmt/security_breach_laws.pdf
• The FTC has released a useful guide related to information security. Protecting Personal Information: A Guide for Business is built around five simple phrases:
• TAKE STOCK. Know what personal information you have in your files and on your computers.
• SCALE DOWN. Keep only what you need for business.
• LOCK IT. Protect the information you keep.
• PITCH IT. Properly dispose of what you no longer need.
• PLAN AHEAD. Create a plan to respond to security incidents.
The press release announcing this publication is at: http://www.ftc.gov/opa/2007/03/businessguidance_pii.htm
The guide itself can be found at:
http://www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf
• The FCC has a page dedicated to Cybersecurity for Small Business that provides several useful resources, including a Small Biz CyberPlanner (now in version 2.0) for developing a customized cyber security planning guide, and a useful one-page Cybersecurity Tip Sheet, available at: http://www.fcc.gov/cyberforsmallbiz
• The SANS Security Policy Project offers A Short Primer For Developing Security Policies as well as samples of several policies and guidance in policy development and deployment, available at: http://www.sans.org/resources/policies/
• SANS also provides computer-based information security training services to organizations through the SANS Securing The Human Program, designed to mitigate the risks associated with the weak link of any security plan, the people. It's not free, but it's excellent. See: http://www.securingthehuman.org/enduser/index
• A useful set of HIPAA security policies implemented by New York University is available at http://www.nyu.edu/its/policies/#hipaa. While this is not necessarily a complete set of HIPAA security policies (some that are needed for HIPAA are covered in other, non-HIPAA policies), it does provide a good level of detail and many of the concepts are directly transferable to other organizations.
• Apple in May 2012 released an unprecedented Guide to iOS Security detailing how iOS devices (iPhones, iPads) can be used securely. Users and especially system administrators who are responsible for information security where iOS devices are used should take a look at how iOS security works and what can be done to ensure secure usage, encryption, remote wiping, etc. See: http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
• A January 18, 2010 article in Computerworld provides a useful summary of smart phone security issues, including a good list of ten common smart phone risks, at: http://www.computerworld.com/s/article/345297/Smartphones_Need_Smart_Security
• Social media is a growing part of the communication landscape and must be considered in policies and procedures to protect patients, staff, and organizations from harm. A good overview article in HealthLeaders Media, May 4, 2010, is at http://www.healthleadersmedia.com/content/TEC-250519/Four-Steps-to-the-Next-Step-in-Your-Social-Media-Evolution and a May 11, 2010 HealthLeaders Media article on social media policies is at http://www.healthleadersmedia.com/content/TEC-250829/Five-Tips-to-Guide-Your-Hospitals-Social-Media-Policy.html . A set of links to publicly available social media policies at a number of facilities is provided by Ed Bennett in his blog at: http://ebennett.org/hsnl/hsmp/#ixzz0nYPOlVNj . For information on social media policies and the NLRB, see: https://www.nlrb.gov/news-outreach/fact-sheets/nlrb-and-social-media, https://www.clarkmortenson.com/wp-content/uploads/2015/10/Acceptable_Social_Media_Policies.pdf, and https://www.socialgameslaw.com/2018/01/boeing-nlra-rights-social-media-policies.html
• The HHS Agency for Healthcare Research and Quality (AHRQ) has created the Health Information Security and Privacy Collaboration (HISPC), described at http://healthit.ahrq.gov/privacyandsecurity with goals and outcomes, including the Health Information Security and Privacy Collaboration Toolkit, available at http://healthit.ahrq.gov/privacyandsecuritytoolkit. This initiative is oriented toward assisting regional and state-level health information exchanges; one useful product for all healthcare organizations is the IT Privacy and Security Primer, which may be downloaded directly at http://tinyurl.com/3yby3j.
• EDT (Ensconce Data Technology) has published a very useful White Paper on Hard Drive Decommissioning that is freely available (without registration) at: http://edt.rakacreative.com/assets/documents/edt_digital_shredder.pdf (Please note that Jim Sheldon-Dean and Lewis Creek Systems have no financial interest in EDT whatsoever.)
• VeriSign Global Security Consulting Services has published an excellent White Paper: Lessons Learned: Top Reasons for PCI Audit Failure and How To Avoid Them that is freely available (without registration) at https://www.verisign.com/static/PCI_REASONS.pdf (Please note that Jim Sheldon-Dean and Lewis Creek Systems have no financial interest in VeriSign whatsoever.)