This page provides resources related to each of eight cybersecurity priority areas that together support the essential and enhanced goals of the Department of Health and Human Services’ Cybersecurity Performance Goals, designed to help healthcare organizations address common vulnerabilities by setting a floor of safeguards that will better protect them from cyber attacks, improve response when events occur, and minimize residual risk.
Using the Ready-Set-Go approach, you can:
- Ready: Gain a background understanding of the changing cybersecurity landscape.
- Set: Learn about the cybersecurity priority areas through a series of videos.
- Go: Access cybersecurity resources and tools to adopt or adapt to meet your needs.
READY: Introduction to Cybersecurity
Effective cybersecurity is critical to protecting patient data and ensuring the continuity of quality, affordable health care for millions of Americans served by community health centers. However, implementing robust cybersecurity measures to safeguard patient information faces a number of challenges, including:
- Resource constraints: Many community health centers operate with limited budgets and IT resources, making it difficult to implement comprehensive cybersecurity measures.
- Evolving cyber threats: The landscape of cyber threats targeting networks and systems to capture data is constantly changing, making it difficult for health centers to keep their defenses up to date.
- Complex regulatory environment: Health centers must navigate intricate regulations like HIPAA and the 21st Century Cures Act while balancing security needs with patient care accessibility.
- Diverse technology ecosystem: The wide array of medical devices, networking equipment, electronic health records, and other systems used in health centers creates a large attack surface that needs protection.
The priority areas below have been identified as critical to supporting cybersecurity strategies and protecting patient data in community health centers; this learning bundle aims to provide information related to each topic area as a means to equip health center staff with the basic knowledge to dig deeper into additional resources collected by the Clearinghouse.
Read More About Our Cybersecurity Model
While the six-step NIST Cybersecurity Framework provides a comprehensive and widely-recognized approach to cybersecurity risk management, our eight-priority model has been specifically tailored to address the unique needs and challenges of community health centers, with a particular focus on patient data protection. This customized approach allows us to:
- Emphasize areas of critical importance to healthcare, such as Medical Device Security and Compliance & Risk Management, which are particularly relevant given the sensitive nature of patient data and the stringent regulatory environment in healthcare.
- Address the specific resource constraints and operational realities of community health centers, providing more targeted guidance in areas like Security Awareness & Training and Access Management & Authentication.
- Highlight the importance of Data Security as a standalone category, reflecting the paramount importance of protecting patient information in healthcare settings.
- Incorporate cybersecurity governance aspects that are crucial for healthcare organizations, such as policy development and oversight, which may not be as explicitly addressed in the more general NIST framework.
- Provide a more intuitive and accessible structure for healthcare professionals who may not have extensive cybersecurity backgrounds, making it easier for them to understand and implement necessary security measures.
By adapting and extending the NIST framework in this way, we've created a model that speaks directly to the cybersecurity needs of community health centers, ensuring that patient data protection remains at the forefront of their security efforts.
Additional Learning Videos:
About the NIST Model: https://vimeo.com/manage/videos/1009291234
Six Steps: https://rise.articulate.com/share/EoEyUoRfNo9c6liF9C6D2DVupXbereta
NIST: https://rise.articulate.com/share/DQYMdkQjK3RJZifFoGqhT8MYrPNKEerj
NTTAP Workforce Partners
The National Training and Technical Assistance Partners (NTTAPs) provide a deep understanding of health center cybersecurity. Read more about these partners below:
- Health Information Technology, Evaluation, and Quality (HITEQ) Center
The HITEQ Center is a HRSA-funded National Training and Technical Assistance Partner (NTTAP) that collaborates with HRSA partners, including Health Center Controlled Networks, Primary Care Associations, and other NTTAPs, to engage health centers in the optimization of health IT to address key health center needs through:
- A national website with health center-focused resources, toolkits, training, and a calendar of related events.
- Learning collaboratives, remote trainings, and on-demand technical assistance on key content areas.
- National Association of Community Health Centers (NACHC)
The National Association of Community Health Centers (NACHC) was founded in 1971 to “promote efficient, high quality, comprehensive health care that is accessible, culturally and linguistically competent, community directed, and patient centered for all.” NACHC represents community health centers across the country. Community Health Centers serve as the primary medical home for 30 million people at over 14,000 sites across America.
SET: Learn Based on Cybersecurity Priority Areas
1. Security Awareness and Training
Summary: Security awareness and training are essential for protecting patient data in community health centers. This area focuses on regularly educating all staff members and patients about cybersecurity risks and best practices. It includes topics such as phishing awareness, safe data handling, mobile device security, and social engineering defense. Effective security awareness programs help create a culture of cybersecurity within the health center, reducing the risk of data breaches caused by human error.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
  - Know What You Have
  - Employee Training: Best Practices
  - Psychology of Risky Behavior
  - Avoid Being an Easy Target
  - Verifying If Your Credentials Have Been Stolen
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Promoting Cybersecurity Awareness for Patients
  - Considerations for Sustaining a Culture of Cybersecurity: Part I
  - Considerations for Sustaining a Culture of Cybersecurity: Part II
- Go Beyond. General External Resources:
2. Access Management and Authentication
Summary: The process of access management and authentication is an integral component of an overall cybersecurity plan. This component deals with implementing strong access controls to ensure only authorized personnel can access sensitive data and systems. It covers multi-factor authentication, role-based access control, password policies, and regular access audits. Proper access management helps maintain the confidentiality and integrity of patient data.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Creating and Managing Strong Passwords at Your Health Center
  - Sensitive Information and the Electronic Patient Record
- Go Beyond. General External Resources:
3. Data Security and Privacy
Summary: Data security and privacy are fundamental to protecting patient information in community health centers. This area focuses on securing patient data through encryption and other security measures, both when stored and transmitted. It addresses data encryption, data classification, privacy impact assessments, and secure data disposal. Strong data security practices help health centers comply with regulations and maintain patient trust.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Encrypting Data at Rest on Servers: Implications for Health Centers
  - Predictive Analytics, Assessing Vulnerability, and Community Referrals
- Go Beyond. General External Resources:
4. Network and Endpoint Security
Summary: Network and endpoint security are vital and often the first line of defense for community health centers against cyber threats. This component covers securing all devices and networks used in the health center to prevent unauthorized access and malware infections. It includes regular software patching, antivirus solutions, network segmentation, and secure remote access. Effective network and endpoint security create a strong defense against the various cyber attacks targeting healthcare organizations.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
  - Back Up and Recover
  - Prevent Phishing and Malware
  - HITEQ Highlights Cybersecurity Ask Me Anything
  - Vetting 3rd Party Vendors
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Cybersecurity Checklist for Health Center Staff Working Remotely
  - Electronic Patient Engagement Tools: Adaptation for Use in COVID-19 Vaccination Rollout
  - Health Center Defense Against the Dark Web Presentation
- Go Beyond. General External Resources:
5. Incident Response and Recovery
Summary: Incident response and recovery are critical for minimizing the impact of cybersecurity incidents on patient care in community health centers. This area focuses on developing and maintaining plans to quickly detect, respond to, and recover from security breaches. It covers incident response plan development, regular drills, communication protocols, and data backup and recovery procedures. A well-prepared incident response strategy helps health centers maintain continuity of care during cyber incidents.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Strategic Cybersecurity Breach Protection and Incident Response
  - Ransomware Guidance Presentation for Health Centers
  - Improving Health Center Cybersecurity: Risk Assessment, Breach Defense, Mitigation and Response
  - Health Center Resilience in the Face of Cyber Adversity
- Go Beyond. General External Resources:
6. Medical Device Security
Summary: Medical device security addresses the unique challenges posed by network-connected medical devices in community health centers. This component deals with managing the security risks associated with these specialized devices that are critical to patient care. It covers device inventory management, patch management, network segmentation, and coordination with device manufacturers on security issues. Proper medical device security helps prevent compromises that could impact patient safety and data privacy.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Strategic Cybersecurity Investments: Leveraging American Rescue Plan Funding to Enhance Infrastructure and Services
  - Health Center Security & Compliance System Implementation Guide
- Go Beyond. General External Resources:
7. Compliance and Risk Management
Summary: Compliance and risk management ensure community health centers meet regulatory requirements while continuously assessing and managing cybersecurity risks. This area focuses on maintaining compliance with regulations like HIPAA, conducting regular risk assessments, documenting security practices, and managing third-party vendor risks. A robust compliance and risk management program helps health centers avoid penalties and maintain patient trust.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
  - Protect Email and Reputation
  - Factor Analysis of Information Risk (FAIR)
  - Cyber Insurance: The Basics
  - Cyber Insurance: Best Practices
  - Shopping for Cybersecurity
  - NIST and
  - Risk Management Key Concepts
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Health Center Security & Compliance System Implementation Guide
  - The Health Center CIO’s Guide to HIPAA Compliant Text Messaging
  - Cyber Security Trends, HIPAA and Insurance
  - Cyber Insurance & HIPAA Breaches Tip Sheet
- Go Beyond. General External Resources:
8. Cybersecurity Governance
Summary: Cybersecurity governance provides the framework for guiding and overseeing cybersecurity efforts across the community health center. This component deals with establishing leadership, policies, and procedures to ensure a comprehensive approach to cybersecurity. It covers cybersecurity policy development, defining roles and responsibilities, aligning cybersecurity with organizational goals, and regular review of security strategies. Effective cybersecurity governance helps ensure that patient data protection remains a priority throughout the organization.
Resources:
- Start Here. Focused Clearinghouse Learning Videos:
- Dig Deeper. Extended Clearinghouse Learning Videos and Resources:
  - Health IT and Cybersecurity Positions and Salaries
  - A Guide to Essential Cybersecurity Tasks for Health Centers
- Go Beyond. General External Resources:
GO: Additional Cybersecurity Resources
Translate Knowledge to Practice with Tools: Healthcare and Public Health Cybersecurity Toolkit (Cybersecurity and Infrastructure Security Agency). This federal resource consolidates strategic resources, including:
- CISA’s Cyber Hygiene Services, which use vulnerability scanning to help secure against known vulnerabilities, reduce the risk of cyberattacks, and encourage the adoption of best practices.
- HHS’s Health Industry Cybersecurity Practices, which was developed with industry and outlines effective cybersecurity practices that healthcare organizations of all sizes can adopt to become more cyber resilient.
- HHS and the HSCC’s HPH Sector Cybersecurity Framework Implementation Guide, which helps organizations assess and improve their level of cyber resiliency and provides suggestions on how to link cybersecurity with their overall information security and privacy risk management activities.
Have feedback on this learning bundle or want to share a resource? Connect with us.