Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation. While the expanded use of networked technology, Internet-enabled medical devices and electronic databases for clinical, financial and administrative operations brings significant benefits for care delivery and organizational efficiency, greater connectivity also increases exposure to cybersecurity threats and requires hospitals to evaluate and manage new risks. Hospitals can prepare for and manage such risks by treating cybersecurity not as a novel issue but as part of the hospital’s existing governance, risk management and business continuity framework. Hospitals also will want to ensure that the approach they adopt remains flexible and resilient enough to address threats that are likely to be constantly evolving and multi-pronged.
Leadership Matters: Managing Cybersecurity Risk in Health Care, April 6 – Washington DC – Loews Madison Hotel
Cybersecurity training tailored specifically for hospital and health system CEOs offered by the AHA, together with BDO Consulting USA
- Practical Guidance for Health Care Governing Boards on Compliance Oversight (Resource for Trustees Recommended by Margaret Dahl)
- Presentation slides
- Center for Internet Security
- The Center for Internet Security - Critical Security Controls
A Message about Phishing for Employees
(shared with permission of Virtua, an AHA health system member located in New Jersey)
A message from the AHA on cybersecurity: What hospitals need to know about ransomware, AHA News, February 22, 2016
Factsheet: Hospitals Implementing Cybersecurity Measures, January 2016
A message from the AHA on cybersecurity: For Better Cybersecurity, Share and Share Alike, AHA News, February 2, 2015
A message from the AHA: Considering Unique Cybersecurity Risks of Medical Devices is Critical, AHA News, December 4, 2014
Comment Letters and Other Policy-Related Documents
Tools to Assist with Gap Analysis
National Institute of Standards and Technology’s (NIST) Framework to Reduce Cyber Risks to Critical Infrastructure
Framework being developed to help owners and operators of critical infrastructure identify, assess and manage the risk of cyber threats
Healthcare Sector Cybersecurity Framework Implementation Guide
This Guide was developed by HITRUST, the Healthcare and Public Health (HPH) Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) to assist healthcare organizations in implementing the NIST Framework.
The HITRUST Common Security Framework (CSF) is a comprehensive and flexible framework of prescriptive and scalable security controls developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations.
DHS’ Control Systems Security Program (CSSP)
Assists owners of networks and industrial control systems (ICS) in assessing and strengthening their organization’s cybersecurity posture through a tiered system including the Cyber Security Evaluation Tool (CSET®) and onsite consultation options
Cyber Security Evaluation Tool CSET 7.1 - latest version from DHS’s ICS-CERT (issued Feb. 22, 2016) – a free, publicly available desktop software tool that provides a systematic approach for evaluating an organization’s cybersecurity posture
Details how the National Infrastructure Protection Plan risk management framework is implemented for the unique characteristics and risk landscape of the health care and public health sector.
Opportunities for Information Sharing
National Health Information Sharing and Analysis Center (NH-ISAC)
InfraGard
Public/private partnership between the FBI and U.S. businesses that focuses on threats that could disrupt the national critical infrastructure
- HITRUST Cyber Threat XChange (CTX) - Now free for basic level subscription.
HITRUST CTX automates collection, analysis and distribution of cyber threats information
- To receive HITRUST C3 Alerts or participate in the monthly cyber threat briefings, register at http://www.hitrustalliance.net/cyberupdates/
HITRUST encourages participating hospitals to provide feedback directly to the Alliance about the effectiveness of the content and format of these C3 Alerts and monthly threat briefings.
- Monthly Cyber Threat Briefings are held on the third Thursday of every month.
- HITRUST Monthly Cyber Threat Briefing - March 2016
- HITRUST Monthly Cyber Threat Briefing - February 2016
Critical Infrastructure Cyber Community Voluntary Program (C³ Voluntary Program)
Created to help support and promote use of the Cybersecurity Framework developed by NIST
Background – Establishing the National Cybersecurity Initiative
Resources for Implementing the President’s Executive Order
Incentives to Support Adoption of the Cybersecurity Framework By Private-Sector Organizations
The Voluntary Critical Infrastructure Cybersecurity Program is being created to provide incentives for private-sector organizations that are part of the critical infrastructure to adopt the NIST Framework
See specific recommendations from:
Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cybersecurity Information
The Policy Statement indicates that neither the FTC nor the DOJ views the antitrust laws as a barrier to sharing cybersecurity information, even among competitors.
Resources Specific for the Healthcare and Public Health Critical Infrastructure Sector
Other Relevant Resources
Protecting PHI in the Cloud - Security Awareness Video
Health Information Management Systems Society (HIMSS) resources:
- National Cyber Security Awareness Month resources
- Resources about information security and privacy
- A HIMSS Virtual Briefing - Cybercrime, Privacy and Security: The Race to Protect Patient Information
November 12, 2014 | 11 AM - 1:45 PM CT
- Series to be updated to address cybersecurity issues
The Securities and Exchange Commission’s (SEC) guidance for publicly traded hospitals (October 2011)
Recommends disclosure to the public of both cybersecurity vulnerabilities and intrusions
AHA Members-only Resources
Important Cybersecurity Alerts
OCR Fact Sheet: Ransomware and HIPAA (July 12, 2016)
Health Care-Related Messages
HITRUST Cyber Threat Intelligence and Incident Coordination Center Alert: Bash/Shellshock Vulnerability (9/25/14)
FBI Private Industry Notification: Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain (4/8/14)
FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks (2013)
U.S. Department of Homeland Security Alert: Medical Devices Hard-Coded Passwords (2013)
Warning that an estimated 300 medical devices from 40 vendors could be vulnerable to hacking and potentially exploited to change critical settings and/or modify device firmware