Cybersecurity vulnerabilities and intrusions pose risks for every hospital and its reputation. The expanded use of networked technology, Internet-enabled medical devices and electronic databases for clinical, financial and administrative operations brings significant benefits for care delivery and organizational efficiency, but greater connectivity also increases exposure to cybersecurity threats and requires hospitals to evaluate and manage new risks. Hospitals can prepare for and manage such risks by treating cybersecurity not as a novel issue but as part of the hospital's existing governance, risk management and business continuity framework. Hospitals also will want to ensure that the approach they adopt remains flexible and resilient enough to address threats that are constantly evolving and multi-pronged.


AHA Resources

Webinar Replay: Hospital Leaders’ Guide to Cybersecurity Risk Management and Response, October 5, 2016

Audiocast: Cybersecurity as a Leadership Issue, Conversation with Virtua’s Pres./CEO Rich Miller, September 2016

Webinar Replay: Cybersecurity Risk Management and Response: Lessons for Health Care from Other Critical Infrastructure Sectors, June 9, 2016

Webinar Replay: What Health Care Leaders Need to Know to Adopt and Use NIST's Cybersecurity Framework in Health Care, May 12, 2016

Replay – Town Hall Cybersecurity Webcast held on April 25, 2016

Audiocast: Ransomware - Emerging Cybersecurity Risk for Health Care Organizations, February 2016

A message from the AHA on cybersecurity:  What hospitals need to know about ransomware, AHA News, February 22, 2016

Audiocast: Cybersecurity education as a tool for risk management/reduction in health care organizations, February 2016

Factsheet: Hospitals Implementing Cybersecurity Measures, January 2016 

A message from the AHA on cybersecurity:  For Better Cybersecurity, Share and Share Alike, AHA News, February 2, 2015

A message from the AHA: Considering Unique Cybersecurity Risks of Medical Devices is Critical, AHA News, December 4, 2014

Audiocast Series - Cyber 911:  Responding to a Cybersecurity Breach, December 2014

Replay for Town Hall Interactive Webcast held November 12, 2014

Cybersecurity and Hospitals: What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response (August 2014)

Cybersecurity and Hospitals: Four Questions Every Hospital Leader Should Ask In Order To Prepare for and Manage Cybersecurity Risks

Top Six Actions to Manage Hospital Cybersecurity Risks

AHA Member Webinar Series – Cybersecurity for Healthcare Leaders

AHA Regulatory Advisory: Cybersecurity Framework for Improving Critical Infrastructure

Comment Letters and Other Policy-Related Documents

AHA Views on the Framework for Improving Critical Infrastructure Cybersecurity, February 9, 2016

AHA to FDA Re: Collaborative Approaches for Medical Device and Healthcare Cybersecurity, November 21, 2014

AHA Comments to Dept. of Commerce Re: The Preliminary Cybersecurity Framework

Tools to Assist with Gap Analysis

National Institute of Standards and Technology's (NIST) Framework to Reduce Cyber Risks to Critical Infrastructure
Framework developed to help owners and operators of critical infrastructure identify, assess and manage the risk of cyber threats

Crosswalk between the NIST Framework and the HIPAA Security Rule from the HHS Office for Civil Rights (OCR)

Healthcare Sector Cybersecurity Framework Implementation Guide
This Guide was developed by HITRUST, the Healthcare and Public Health (HPH) Sector Coordinating Council (SCC) and Government Coordinating Council (GCC) to assist healthcare organizations in implementing the NIST Framework.

The HITRUST Common Security Framework (CSF) is a comprehensive and flexible framework of prescriptive, scalable security controls developed to address the multitude of security, privacy and regulatory challenges facing healthcare organizations.

DHS’ Control Systems Security Program (CSSP)
Assists owners of networks and industrial control systems (ICS) in assessing and strengthening their organization’s cybersecurity posture through a tiered system including the Cyber Security Evaluation Tool (CSET®) and onsite consultation options

Cyber Security Evaluation Tool CSET 7.1 - latest version from DHS's ICS-CERT (issued Feb. 22, 2016) – a free, publicly available desktop software tool that provides a systematic, standards-based self-assessment of an organization's cybersecurity posture; it is a questionnaire-driven assessment and does not scan or test systems on the network

Sector-Specific Plan
Details how the National Infrastructure Protection Plan risk management framework is implemented for the unique characteristics and risk landscape of the health care and public health sector. 

Opportunities for Information Sharing

Healthcare and Public Health Sector Coordinating Council (HPH SCC)

National Health Information Sharing and Analysis Center (NH-ISAC)

InfraGard
Public/private partnership between the FBI and U.S. businesses that focuses on threats that could disrupt the national critical infrastructure

Health Information Trust Alliance (HITRUST)

Critical Infrastructure Cyber Community Voluntary Program (C³ Voluntary Program)
Created to help support and promote use of the Cybersecurity Framework developed by NIST

The Homeland Security Information Network

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Background – Establishing the National Cybersecurity Initiative

Fact Sheet: Cybersecurity National Action Plan

President’s Executive Order on Improving Critical Infrastructure Cybersecurity

Presidential Policy Directive 21:  Critical Infrastructure Security and Resilience

The White House’s Cybersecurity Office

Resources for Implementing the President’s Executive Order

Incentives to Support Adoption of the Cybersecurity Framework By Private-Sector Organizations
The Voluntary Critical Infrastructure Cybersecurity Program provides incentives for private sector organizations that are part of the critical infrastructure to adopt the NIST Framework
See specific recommendations from:

Department of Justice and Federal Trade Commission: Antitrust Policy Statement on Sharing of Cybersecurity Information
The Policy Statement indicates that the DOJ and FTC do not view the antitrust laws as a barrier to sharing cybersecurity information, even among competitors.

Resources Specific for the Healthcare and Public Health Critical Infrastructure Sector

The Exchange Newsletter: 2016 Volume I, Issue 2

Cybersecurity and Healthcare Facilities Video

FDA Resources about Medical Device Cybersecurity

Department of Homeland Security (DHS) - Cybersecurity Resources

Healthcare and Public Health Sector: Background and General Information

Other Relevant Resources

Protecting PHI in the Cloud - Security Awareness Video
Healthcare Information and Management Systems Society (HIMSS) resources:

Centers for Medicare & Medicaid Services (CMS) - Information Security Policies for Hospitals

  • Series to be updated to address cybersecurity issues

The Securities and Exchange Commission's (SEC) disclosure guidance on cybersecurity (October 2011), applicable to publicly traded hospital companies
Calls for disclosure to investors of material cybersecurity risks and incidents; the guidance does not call for disclosures that would themselves compromise a registrant's security

AHA Members-only Resources

Important Cybersecurity Alerts

ASPR/CIP HPH Cyber Notice:  Phishing Attacks Exploiting Hurricane Matthew Event Advisory (Oct. 2016)

OCR Warning: Hackers Using Popular File-transfer Process to Commandeer Computers (Oct. 2016)

Cyber Incident Reporting Quick Reference Guide (2016)

OCR Fact Sheet: Ransomware and HIPAA (July 12, 2016)

Ransomware: What It Is and What To Do About It (Resource from HHS, DHS and DOJ) (June 20, 2016)

New spear phishing scheme targeting payroll and human resource professionals (Mar. 1, 2016)

  See US-CERT Security Tip ST15-001 for information on tax-themed phishing

OCR Offers Advice to Assist HIPAA-Covered Entities Avoid Ransomware (Feb. 3, 2016)

FDA Guidance for Manufacturers: Cybersecurity for Networked Medical Devices Containing Off-The-Shelf (OTS) Software (July 2015)

Vulnerabilities of Hospira LifeCare PCA3 and PCA5 Infusion Pump Systems: FDA Safety Communication (May 13, 2015)

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

Health Care-Related Messages

OSSI Cyber Threat Intelligence Program Product for the Healthcare and Public Health Sector (June 2016)

DHS issues alert related to end of support for the Windows Server 2003 Operating System (11/10/14)

HITRUST Cyber Threat Intelligence and Incident Coordination Center Alert:  Bash/Shellshock Vulnerability (9/25/14)

DHS issues guidance on Internet Explorer vulnerability (4/30/14)

FBI Private Industry Notification: Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain (4/8/14)

FDA Safety Communication:  Cybersecurity for Medical Devices and Hospital Networks (2013)  

U.S. Department of Homeland Security Alert: Medical Devices Hard-Coded Passwords (2013)
Warning that an estimated 300 medical devices from 40 vendors could be vulnerable to hacking and potentially exploited to change critical settings and/or modify device firmware
