NEW:

Cybersecurity Learning Bundle
Menu +

Cybersecurity Learning Bundle

Menu
Image of a lock sitting atop a circuitboard

This page provides resources related to each of eight cybersecurity priority areas that together support the essential and enhanced goals of the Department of Health and Human Services’ Cybersecurity Performance Goals, designed to help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyber attacks, improve response when events occur, and minimize residual risk.

Using the Ready-Set-Go approach, you can:

  • Ready: Gain a background understanding of the changing cybersecurity landscape.
  • Set: Learn about the cybersecurity priority areas through a series of videos.
  • Go: Access cybersecurity resources and tools to adopt or adapt to meet your needs.

READY: Introduction to Cybersecurity

Effective cybersecurity is critical to protecting patient data and ensuring the continuity of quality, affordable health care for millions of Americans served by community health centers. However, implementing robust cybersecurity measures to safeguard patient information faces a number of challenges, including:

  • Resource constraints: Many community health centers operate with limited budgets and IT resources, making it difficult to implement comprehensive cybersecurity measures.
  • Evolving cyber threats: The landscape of cyber threats targeting networks and systems to capture data is constantly changing, challenging health centers to keep their defenses of the same up-to-date.
  • Complex regulatory environment: Health centers must navigate intricate regulations like HIPAA and the 21st century Cures Act while balancing security needs with patient care accessibility.
  • Diverse technology ecosystem: The wide array of medical devices, networking equipment, electronic health records, and other systems used in health centers creates a large attack surface that needs protection.

The priority areas below have been identified as critical to supporting cybersecurity strategies and protecting patient data in community health centers; this learning bundle aims to provide information related to each topic area as a means to equip health center staff with the basic knowledge to dig deeper into additional resources collected by the Clearinghouse.

Read More About Our Cybersecurity Model

While the six-step NIST Cybersecurity Framework provides a comprehensive and widely-recognized approach to cybersecurity risk management, our eight-priority model has been specifically tailored to address the unique needs and challenges of community health centers, with a particular focus on patient data protection. This customized approach allows us to:

  • Emphasize areas of critical importance to healthcare, such as Medical Device Security and Compliance & Risk Management, which are particularly relevant given the sensitive nature of patient data and the stringent regulatory environment in healthcare.
  • Address the specific resource constraints and operational realities of community health centers, providing more targeted guidance in areas like Security Awareness & Training and Access Management & Authentication.
  • Highlight the importance of Data Security as a standalone category, reflecting the paramount importance of protecting patient information in healthcare settings.
  • Incorporate cybersecurity governance aspects that are crucial for healthcare organizations, such as policy development and oversight, which may not be as explicitly addressed in the more general NIST framework.
  • Provide a more intuitive and accessible structure for healthcare professionals who may not have extensive cybersecurity backgrounds, making it easier for them to understand and implement necessary security measures.

By- adapting and extending the NIST framework in this way, we've created a model that speaks directly to the cybersecurity needs of community health centers, ensuring that patient data protection remains at the forefront of their security efforts.

Additional Learning Videos:

About the NIST Model: https://vimeo.com/manage/videos/1009291234

Six Steps: https://rise.articulate.com/share/EoEyUoRfNo9c6liF9C6D2DVupXbereta

NIST: https://rise.articulate.com/share/DQYMdkQjK3RJZifFoGqhT8MYrPNKEerj

NTTAP Workforce Partners

The National Training and Technical Assistance Partners (NTTAPs) provide a deep understanding of health center cybersecurity. Read more about these partners below:

  • Health Information Technology, Evaluation, and Quality (HITEQ) Center

    The HITEQ Center is a HRSA-funded National Training and Technical Assistance Partner (NTTAPs) that collaborates with HRSA partners including Health Center Controlled Networks, Primary Care Associations and other NTTAPs to engage health centers in the optimization of health IT to address key health center needs through:

    • A national website with health center-focused resources, toolkits, training, and a calendar or related events.
    • Learning collaboratives, remote trainings, and on-demand technical assistance on key content areas.
  • National Association of Community Health Centers (NACHC)

    The National Association of Community Health Centers (NACHC) was founded in 1971 to “promote efficient, high quality, comprehensive health care that is accessible, culturally and linguistically competent, community directed, and patient centered for all.” NACHC represents community health centers across the country. Community Health Centers serve as the primary medical home for 30 million people at over 14,000 sites across America.


SET: Learn Based on Cybersecurity Priority Areas

1. Security Awareness and Training

Summary: Security awareness and training are essential for protecting patient data in community health centers. This area focuses on regularly educating all staff members and patients about cybersecurity risks and best practices. It includes topics such as phishing awareness, safe data handling, mobile device security, and social engineering defense. Effective security awareness programs help create a culture of cybersecurity within the health center, reducing the risk of data breaches caused by human error. 

Resources: 

2. Access Management and Authentication

Summary: The process of access management and authentication is an integral component of an overall cybersecurity plan. This component deals with implementing strong access controls to ensure only authorized personnel can access sensitive data and systems. It covers multi-factor authentication, role-based access control, password policies, and regular access audits. Proper access management helps maintain the confidentiality and integrity of patient data.  

Resources: 

3. Data Security and Privacy

Summary: Data security and privacy are fundamental to protecting patient information in community health centers. This area focuses on securing patient data through encryption and other security measures, both when stored and transmitted. It addresses data encryption, data classification, privacy impact assessments, and secure data disposal. Strong data security practices help health centers comply with regulations and maintain patient trust.  

Resources:  

4. Network and Endpoint Security

Summary: Network and endpoint security are vital and sometimes the first level of defense for defending community health centers against cyber threats. This component covers securing all devices and networks used in the health center to prevent unauthorized access and malware infections. It includes regular software patching, antivirus solutions, network segmentation, and secure remote access. Effective network and endpoint security create a strong defense against various cyber attacks targeting healthcare organizations.  

Resources:  

5. Incident Response and Recovery

Summary: Incident response and recovery are critical for minimizing the impact of cybersecurity incidents on patient care in community health centers. This area focuses on developing and maintaining plans to quickly detect, respond to, and recover from security breaches. It covers incident response plan development, regular drills, communication protocols, and data backup and recovery procedures. A well-prepared incident response strategy helps health centers maintain continuity of care during cyber incidents.

Resources:  

6. Medical Device Security

Summary: Medical device security addresses the unique challenges posed by network-connected medical devices in community health centers. This component deals with managing the security risks associated with these specialized devices that are critical to patient care. It covers device inventory management, patch management, network segmentation, and coordination with device manufacturers on security issues. Proper medical device security helps prevent compromises that could impact patient safety and data privacy.  

Resources:  

7. Compliance and Risk Management

Summary: Compliance and risk management ensure community health centers meet regulatory requirements while continuously assessing and managing cybersecurity risks. This area focuses on maintaining compliance with regulations like HIPAA, conducting regular risk assessments, documenting security practices, and managing third-party vendor risks. A robust compliance and risk management program helps health centers avoid penalties and maintain patient trust.  

Resources:  

8. Cybersecurity Governance

Summary: Cybersecurity governance provides the framework for guiding and overseeing cybersecurity efforts across the community health center. This component deals with establishing leadership, policies, and procedures to ensure a comprehensive approach to cybersecurity. It covers cybersecurity policy development, defining roles and responsibilities, aligning cybersecurity with organizational goals, and regular review of security strategies. Effective cybersecurity governance helps ensure that patient data protection remains a priority throughout the organization.  

Resources:  


GO: Additional Cybersecurity Resources

Translate Knowledge to Practice with Tools: Healthcare and Public Health Cybersecurity Toolkit (Cybersecurity and Infrastructure Security Agency). This federal resource consolidates strategic resources, including:  

  • CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduces the risk of cyberattacks and encourages the adoption of best practices.   
  • HHS’s Health Industry Cybersecurity Practices, which was developed with industry, outlines effective cybersecurity practices healthcare organizations of all sizes can adopt to become more cyber resilient.  
  • HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide which helps organizations assess and improve their level of cyber resiliency and provide suggestions on how to link cybersecurity with their overall information security and privacy risk management activities. 
     

Have feedback on this learning bundle or want to share a resource? Connect with us.

This project is supported by the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) as part of an award totaling $6,625,000 with 0 percentage financed with non-governmental sources. The contents are those of the author(s) and do not necessarily represent the official views of, nor an endorsement, by HRSA, HHS, or the U.S. Government. For more information, please visit HRSA.gov.