Health Information Security Resources

Below are links to free resources for security-related issues. Bookmark this page and check back periodically; as more resources are discovered, this page will be updated.

These links and samples are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by KFMC. If we can help, please contact the KFMC Practice Transformation Team.

Security Rule—Federal Register

Cybersecurity

OCR Recognized Security Practices—US Department of Health & Human Services Office of Civil Rights (video)
HHS 405(d) Aligning Health Care Industry Security Approaches Resources—US Department of Health & Human Services
Cyber Essentials Toolkits—Department of Homeland Security
Guide to Privacy and Security of Electronic Health Information—The Office of the National Coordinator for Health Information Technology
Cyber Essentials Infographic—Department of Homeland Security (PDF)
Cybersecurity for Business Resources—Guides and resources for businesses from the National Cyber Security Alliance
Security and Privacy Enhancing Best Practices—Online Trust Alliance
Cyber Security Planning Guide—Federal Communications Commission (PDF)
Cybersecurity Is Everyone’s Job—Guidebook from the National Institute of Standards and Technology that outlines what employees should do to protect their organization from cyber threats, based on an employee’s business role (PDF)
Cybersecurity for Small Businesses—Free resources from the Federal Trade Commission including cybersecurity basics, physical security, phishing, vendor security, cyber insurance, remote access and more; videos, quizzes, materials, employer guides
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients—US Department of Health & Human Services, Healthcare & Public Health Sector Coordinating Councils
Securing Electronic Health Records on Mobile Devices (SP 1800-1)—National Institute of Standards and Technology
SAFER Guides – Nine guides of recommended practices to optimise the safety and safe use of EHRs from the Office of the National Coordinator for Health Information Technology (ONC)

Cyber Threat Resources

Cyber Attack Quick Response Checklist—Office of Civil Rights, US Department of Health and Human Services (PDF) Infographic (GIF)
COVID-19 Email Phishing Against US Healthcare Providers—Office of Civil Rights, US Department of Health and Human Services FBI Alert with attack indicators and recommended actions (PDF)
Selecting and Safely Using Collaboration Services for Telework—National Security Agency criteria considerations including encryption, multi-factor authentication, sharing features of collaborative software such as WebEx®, GoToMeeting®, Microsoft Teams®, Zoom® and other tools (PDF)
COVID-19 VTC Exploitation—US Department of Health and Human Services, Health Sector Cybersecurity Coordination Center white paper on exploitation, mitigation and remediation of vulnerabilities in video teleconferencing applications (PDF)
COVID-19 Cyber Threats—US Department of Health and Human Services, Health Sector Cybersecurity Coordination Center brief on increased malicious activity and methods used by threat actors (PDF)

Security Training

Knowledge on Demand—US Department of Health & Human Services Cybersecurity Education
OCR Security Monthly Newsletters Archive—Past newsletters from the Office for Civil Rights (OCR), US Department of Health & Human Services
Sign up for notifications on the OCR Privacy and Security ListServs
OUCH! Monthly Security Awareness Newsletter—Sign up for a monthly newsletter provided by the SANS Institute or access past issues
HIPAA Training and Resources—US Department of Health & Human Services links to privacy and security training resources
Resources for Small and Midsize Businesses—United States Computer Emergency Readiness Team (US-CERT) from the Department of Homeland Security links to free resources
Scams and Your Small Business: A Guide for Business—Federal Trade Commission

Privacy-Security Incidents/Breaches

Technical and Non-Technical Evaluation Security Walk-Through Checklist (PDF)
Fact Sheet: Ransomware and HIPAA—US Department of Health & Human Services Guidance regarding considerations involved in ransomware attacks and Breach reporting requirements (PDF)
Data Breach Response—Federal Trade Commission video. Learn the steps to take and who to contact if personal information is exposed.
2017 Cyber Incident & Breach Response Guide—Online Trust Alliance (PDF)
Sample Security Incident Response Report Form—American Health Information Management Association
Model Breach Notification Letter: Content and Format—American Health Information Management Association
Computer Security Incident Handling Guide (SP 800-61)—National Institute of Standards and Technology
Security Breach Notification Laws—National Conference of State Legislatures contains links to state laws dealing with your obligations in case of a data breach

Business Associate Agreements

Business Associate Agreement Template (Microsoft Word)
Business Associates—US Department of Health & Human Services information regarding application of the Privacy and Security Rules to covered entity’s business associates, including direct liability of business associates under HIPAA enforcement actions
Fax Service Providers—”HIPAA Conduit Fax Service Providers are Not HIPAA Compliant,” Concord Technologies, January 19, 2016
Sample Business Associate Agreement Provisions—US Department of Health & Human Services
Do you need a business associates agreement with your landlord?—PBI Real Estate Institute, Chapter from The Medical & Healthcare Facility Lease: Legal and Business Handbook (American Health Lawyers Association), 2011 (PDF)

Policies and Procedures

Security Standards: Organizational, Policies and Procedures and Documentation Requirements—White Paper from the US Department of Health & Human Services describing the documentation requirements of the HIPAA Security Rule (PDF)
Information Systems Policies and Procedures Template—Sample templates for policies and procedures relating to information systems security; if used, these templates should be customized for your systems and environment (Microsoft Word)
Information Security Policy Templates—Sample templates for policies and procedures for information security provided by the SANS Institute
Mobile Devices and Health Information Security—HealthIT.gov website with links for managing and securing mobile devices

Cloud Computing Environment

Top 10 Questions for Cloud Security—Health Information and Management Systems Security (PDF)
Cloud Computing Acceptable Use Policy Template—Health Information and Management Systems Security (PDF)
Navigating HIPAA While Moving to the Cloud—Health Information and Management Systems Security (PDF)
Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)—National Institute of Standards and Technology

Disaster Preparedness and Recovery Plan

Plan Template and Checklists—Council on Foundations (PDF)
Small Practice Business Continuity Plan/Emergency Operations—Template from Western Victoria (Australia) Primary Health Network covers most situations that could interrupt usual practice operations (Microsoft Word)
Emergency Preparedness Rule—Centers for Medicare and Medicaid Services requirements for Medicare and Medicaid participating providers and suppliers links
Medical Office Emergency Preparedness Plan Checklist—Medical Group Management Association (PDF)
Working Without Technology: How Hospitals and Healthcare Organizations Can Manage Communication Failure—Healthcare & Public Health Sector Coordinating Councils’ recommendations for preparing for, and responding to, communication failures (PDF)
Business Impact Analysis template (SP 800-34)—National Institute of Standards and Technology sample template for conducting a Business Impact Analysis on information systems (Microsoft Word)
Business Impact Analysis Questionnaire—Information Systems Audit and Control Association Business Impact Analysis for all business processes of a facility or department (Microsoft Word)

Security Risk Assessment and Security Rule Implementation

Introductory Resource Guide for Implementing HIPAA Security Rule (SP 800-66)—National Institute of Standards and Technology
Guide for Conducting Risk Assessments (SP 800-30)—National Institute of Standards and Technology