Health Information Security Resources
Below are links to free resources for security-related issues. Bookmark this page and check back periodically; as more resources are discovered, this page will be updated.
These links and samples are being provided as a convenience and for informational purposes only; they do not constitute an endorsement or an approval by KFMC. If we can help, please contact the KFMC Practice Transformation Team.
Security Rule—Federal Register
- Administrative Safeguards (PDF)
- Physical Safeguards (PDF)
- Security Standards—General Rules (PDF)
- Technical Safeguards (PDF)
Cybersecurity
- OCR Recognized Security Practices—US Department of Health & Human Services Office of Civil Rights (video)
- HHS 405(d) Aligning Health Care Industry Security Approaches Resources—US Department of Health & Human Services
- Cyber Essentials Toolkits—Department of Homeland Security
- Guide to Privacy and Security of Electronic Health Information—The Office of the National Coordinator for Health Information Technology
- Cyber Essentials Infographic—Department of Homeland Security (PDF)
- Cybersecurity for Business Resources—Guides and resources for businesses from the National Cyber Security Alliance
- Cyber Security Planning Guide—Federal Communications Commission (PDF)
- Cybersecurity Is Everyone’s Job—Guidebook from the National Institute of Standards and Technology that outlines what employees should do to protect their organization from cyber threats, based on an employee’s business role (PDF)
- Cybersecurity for Small Businesses—Free resources from the Federal Trade Commission including cybersecurity basics, physical security, phishing, vendor security, cyber insurance, remote access and more; videos, quizzes, materials, employer guides
- Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients—US Department of Health & Human Services, Healthcare & Public Health Sector Coordinating Councils guidelines for small healthcare practices and medium to large healthcare organizations
- Securing Electronic Health Records on Mobile Devices (SP 1800-1)—National Institute of Standards and Technology
- SAFER Guides – Nine guides of recommended practices to optimise the safety and safe use of EHRs from the Office of the National Coordinator for Health Information Technology (ONC)
Cyber Threat Resources
- Cyber Security Guidance Material—Office of Civil Rights, US Department of Health and Human Services resources for HIPAA Security Rule
- Phishing Guidance: Stopping the Attack Cycle at Phase One—Cybersecurity Infrastructrure and Security Agency (CSA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) (PDF)
- COVID-19 Email Phishing Against US Healthcare Providers—Office of Civil Rights, US Department of Health and Human Services FBI Alert with attack indicators and recommended actions (PDF)
- Selecting and Safely Using Collaboration Services for Telework—National Security Agency criteria considerations including encryption, multi-factor authentication, sharing features of collaborative software such as WebEx®, GoToMeeting®, Microsoft Teams®, Zoom® and other tools (PDF)
- COVID-19 VTC Exploitation—US Department of Health and Human Services, Health Sector Cybersecurity Coordination Center white paper on exploitation, mitigation and remediation of vulnerabilities in video teleconferencing applications (PDF)
- COVID-19 Cyber Threats—US Department of Health and Human Services, Health Sector Cybersecurity Coordination Center brief on increased malicious activity and methods used by threat actors (PDF)
Security Training
- Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Connection Technologies for Telehealth—US Department of Health and Human Services
- Telehealth Privacy and Security Tips for Patients—US Department of Health and Human Services
- Knowledge on Demand—US Department of Health & Human Services Cybersecurity Education
- OCR Security Monthly Newsletters Archive—Past newsletters from the Office for Civil Rights (OCR), US Department of Health & Human Services
- Sign up for notifications on the OCR Privacy and Security ListServs
- OUCH! Monthly Security Awareness Newsletter—Sign up for a monthly newsletter provided by the SANS Institute or access past issues
- HIPAA Training and Resources—US Department of Health & Human Services links to privacy and security training resources
- Resources for Small and Midsize Businesses—United States Computer Emergency Readiness Team (US-CERT) from the Department of Homeland Security links to free resources
- Scams and Your Small Business: A Guide for Business—Federal Trade Commission
Privacy-Security Incidents/Breaches
- Technical and Non-Technical Evaluation Security Walk-Through Checklist (PDF)
- Ransomware and HIPAA—US Department of Health & Human Services Guidance regarding considerations involved in ransomware attacks and breach reporting requirements
- Data Breach Response—Federal Trade Commission video. Learn the steps to take and who to contact if personal information is exposed.
- HIPAA – Breach Response—US Department of Health & Human Services guidance regarding breach notification requirements
- Sample Security Incident Response Report Form—American Health Information Management Association
- Model Breach Notification Letter: Content and Format—American Health Information Management Association
- Computer Security Incident Handling Guide (SP 800-61)—National Institute of Standards and Technology
- Security Breach Notification Laws—National Conference of State Legislatures contains links to state laws dealing with your obligations in case of a data breach
- Notice of Breach of Health Information—Federal Trade Commission (PDF)
Business Associate Agreements
- Business Associate Agreement Template (Microsoft Word)
- Business Associates—US Department of Health & Human Services information regarding application of the Privacy and Security Rules to covered entity’s business associates, including direct liability of business associates under HIPAA enforcement actions
- Fax Service Providers—”HIPAA Conduit Fax Service Providers are Not HIPAA Compliant,” Concord Technologies, January 19, 2016
- Sample Business Associate Agreement Provisions—US Department of Health & Human Services
- Do you need a business associates agreement with your landlord?—PBI Real Estate Institute, Chapter from The Medical & Healthcare Facility Lease: Legal and Business Handbook (American Health Lawyers Association), 2011 (PDF)
Policies and Procedures
- Security Standards: Organizational, Policies and Procedures and Documentation Requirements—White Paper from the US Department of Health & Human Services describing the documentation requirements of the HIPAA Security Rule (PDF)
- Information Systems Policies and Procedures Template—Sample templates for policies and procedures relating to information systems security; if used, these templates should be customized for your systems and environment (Microsoft Word)
- Information Security Policy Templates—Sample templates for policies and procedures for information security provided by the SANS Institute
- Mobile Devices and Health Information Security—HealthIT.gov website with links for managing and securing mobile devices
Cloud Computing Environment
- Top 10 Questions for Cloud Security—Health Information and Management Systems Security (PDF)
- Cloud Computing Acceptable Use Policy Template—Health Information and Management Systems Security (PDF)
- Navigating HIPAA While Moving to the Cloud—Health Information and Management Systems Security (PDF)
- Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144)—National Institute of Standards and Technology
Disaster Preparedness and Recovery Plan
- Technical Resources, Assistance Center, and Information Exchange (TRACIE), Healthcare Emergency Preparedness Information Gateway — US Department of Health and Human Services, Administration for Strategic Preparedness and Response
- Plan Template and Checklists—Council on Foundations (PDF)
- Small Practice Business Continuity Plan/Emergency Operations—Template from Western Victoria (Australia) Primary Health Network covers most situations that could interrupt usual practice operations (Microsoft Word)
- Emergency Preparedness Rule—Centers for Medicare and Medicaid Services requirements for Medicare and Medicaid participating providers and suppliers links
- Medical Office Emergency Preparedness Plan Checklist—Medical Group Management Association (PDF)
- Business Impact Analysis template (SP 800-34)—National Institute of Standards and Technology sample template for conducting a Business Impact Analysis on information systems (Microsoft Word)
- Business Impact Analysis Questionnaire—Information Systems Audit and Control Association Business Impact Analysis for all business processes of a facility or department (Microsoft Word)
Security Risk Assessment and Security Rule Implementation
- Introductory Resource Guide for Implementing HIPAA Security Rule (SP 800-66)—National Institute of Standards and Technology
- Guide for Conducting Risk Assessments (SP 800-30)—National Institute of Standards and Technology
- How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks—October 2023 video provided by the US Department of Health and Human Services
