
IT Security Resources for Essential Hospitals

Over the past decade, the U.S. health care system has experienced a rapid increase in adoption of health information technology (IT). Nearly all nonfederal, acute-care hospitals had adopted a certified electronic health record (EHR) system by 2015.

Health IT can improve the sharing of information with patients, patient outcomes, and providers’ transmission of important data to public health departments. As hospitals increasingly rely on health IT, the risk of cybersecurity breaches also increases. In 2015, the health information of more than 113 million individuals was breached, compared with fewer than 4 million individuals from 2011 to 2014.

Recent ransomware attacks on hospitals and other businesses exemplify this threat to hospital information systems, including both EHRs and administrative systems. The U.S. Computer Emergency Readiness Team defines ransomware as a type of malware that infects computers and restricts access to files until a ransom is paid. Malware often is spread through attachments and links in phishing emails, which masquerade as emails from a familiar source.

Cybersecurity threats have increased the focus on securing health IT systems, training staff on IT security, and developing contingency plans. As hospitals increase their use of health IT, it is imperative they take appropriate precautions to prevent attacks on all elements of their IT systems.

America’s Essential Hospitals has established this resource page to connect its members with cybersecurity resources that focus on preventing and responding to IT attacks. Visit this page regularly for new and updated information.

General IT Security Resources

Title | Source | Date
Healthcare and Public Health Sector Cybersecurity Framework Implementation Guide | HHS | March 2023
Advisory on Trickbot Malware and Ryuk Ransomware Activity | CISA | October 2020
Ransomware Guide | CISA | September 2020
DHS Emergency Directive on Microsoft Vulnerabilities | DHS | January 2020
  • DHS directive on vulnerabilities in Microsoft Windows operating systems, urging immediate action to install the Microsoft patch to mitigate the risk of exposure.
Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients | HHS | December 2018
  • The HICP, mandated by the Cybersecurity Act of 2015, examines cybersecurity threats and vulnerabilities that affect the healthcare industry.
  • It explores five current threats, presents ten practices to mitigate those threats, and includes two technical volumes: one for small health care organizations and one for medium and large health care organizations.
Fact Sheet on Phishing Vulnerabilities of Healthcare Information Technology Systems | DHS/ODNI | August 2018
Report on Phishing Vulnerabilities of Healthcare Information Technology Systems | DHS/ODNI | August 2018
Threat Intelligence Briefing on FIN7 | HHS | August 2018
Intelligence Briefing Update on NetSpectre | HHS | August 2018
Threat Intelligence Briefing on Malware Loaders | HHS | August 2018
Report on Widespread Processor Vulnerabilities | HHS | January 2018
Executive Order 13800 Update Issue 1 | DHS | July 2017
“Hidden Cobra” – North Korea’s DDoS Botnet Infrastructure | DHS | June 2017
Microsoft Vulnerabilities | Microsoft | June 2017
Healthcare Organization and Hospital Discussion Guide For Cybersecurity | HHS | June 2017
HIPAA and Ransomware Fact Sheet | HHS | June 2017
Report on Improving Cybersecurity in the Health Care Industry | HHS | June 2017
Quick-Response Checklist from the HHS, Office for Civil Rights (OCR) | HHS | June 2017

WannaCry Ransomware Attack Resources

Title | Source | Date
HHS Update: International Cyber Threat to Healthcare Organizations | HHS | May 2017
  • Where to find the most up-to-date information from the U.S. government
  • How to prevent email-based ransomware attacks
  • What HHS is doing to secure our systems
HHS Update #2: International Cyber Threat to Healthcare Organizations | HHS | May 2017
  • Where to find the latest Microsoft security information
  • ASPR TRACIE: Healthcare Cybersecurity Best Practices
  • How to request an unauthenticated scan of your public IP addresses from DHS
  • What to do if you are the victim of ransomware or have cyber threat indicators to share
HHS Update #3: International Cyber Threat to Healthcare Organizations | HHS | May 2017
  • Receive health care intelligence through InfraGard participation
  • DHS support for private sector cyber incident tabletop exercises
HHS Update #4: International Cyber Threat to Healthcare Organizations | HHS | May 2017
  • HHS Office of Civil Rights Guidance on HIPAA, specific to WannaCry
  • CISA protections for private sector information sharing
  • Why to connect with your local fusion center
  • FDA’s Public Workshop — Cybersecurity of Medical Devices
HHS Update #5: International Cyber Threat to Healthcare Organizations | HHS | May 2017
  • HHS ASPR’s online After Action collection mechanism
  • Process for victim reporting and indicator sharing
  • FDA’s medical device FAQ based on “Daily Sector Call” feedback

 

America’s Essential Hospitals regularly compiles resource pages to inform our members and other stakeholders about timely issues.
