Regardless of size, structure, or budget, providers can leverage free or low-cost industry resources to improve healthcare cybersecurity.


Link to article in HealthIT Security:

Jill McKeon

Assistant Editor


The healthcare sector continues to face unprecedented levels of cyberattacks and data breaches. From state-sponsored threat actors to known vulnerabilities and phishing campaigns, the industry is up against a variety of dynamic threats.

Luckily, there is no shortage of available solutions to help healthcare organizations detect threats, manage identities, and mitigate risk. But under-resourced organizations with limited budgets and staff may find it challenging to procure the funds to implement the latest and greatest technology.

To Greg Garcia, executive director of the Healthcare Sector Coordinating Council (HSCC), cybersecurity doesn’t have to cost much. Basic cyber hygiene and employee training and awareness are just a few examples of low-cost strategies that can make a big impact on an organization’s security posture.

“This industry, in the past five to seven years, has really awakened to the fact that we can’t put blinders on, we can’t deny the inevitable, and we can’t keep it to ourselves,” Garcia said during an interview with HealthITSecurity.

“There are many reasons for competition, but cybersecurity is not one of them. It’s not a competitive sport.”

There are numerous free resources available to healthcare organizations, created by groups like HSCC, government entities, and others, that can walk healthcare organizations of all sizes through the process of enhancing security and improving organizational resilience at no cost.

“Our biggest challenge really is not coming together and developing these best practices, but it’s getting the horse to drink,” Garcia said. “Right now, we are slowly getting the horse to the water.”

Below, HealthITSecurity will highlight a few of the top free, comprehensive cyber resources available to healthcare organizations. These resources are the direct results of continuous collaboration and communication across the sector.

In addition to the sources detailed below, healthcare stakeholders can leverage free or low-cost resources from trusted organizations such as the HSCC, the HHS 405(d) Program and Task Group, the National Institute of Standards and Technology (NIST), the Health Sector Cybersecurity Coordination Center (HC3), the Health Information Sharing and Analysis Center (Health-ISAC), and more.



Published in January 2019, the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) is a four-volume publication aimed at raising awareness of the current cyber threats facing the healthcare sector and of the top mitigation tactics for organizations of various sizes.

The HICP was the industry’s response to a requirement in the Cybersecurity Act of 2015 Section 405(d) to “develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry,” HSCC stated.

“The HICP is a jointly published document by HHS and the Health Sector Coordinating Council,” Garcia explained. “It is quickly becoming a commonly referenced toolkit.”

In fact, the HICP was recently enshrined in law as part of a 2021 amendment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HICP is one of three categories of recognized security practices (RSPs) that a regulated entity can voluntarily implement. If the entity can show HHS evidence that it has effectively used the HICP for the previous 12 months, that implementation evidence may serve as a mitigating factor in Security Rule audits and investigations.

The HICP consists of two technical volumes as well as resources and templates that organizations can use to implement cybersecurity practices and assess their security postures.

The first technical volume contains 10 cybersecurity practices for small healthcare organizations, while the second applies to medium and large organizations. The topics range from vulnerability management to email protection systems and medical device security.

Each volume contains useful guidance for combatting ransomware attacks, phishing, accidental data loss, and more. Using the HICP can help healthcare organizations manage risk in a cost-effective manner.



The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is used by a variety of industries and can be useful for healthcare organizations looking for clear guidance on how to manage risk throughout the business.

The CSF consists of three main components: the Framework Core, the Implementation Tiers, and the Framework Profiles.

The Framework Core is further divided into five essential functions: identify, protect, detect, respond, and recover. The core functions are meant to be performed simultaneously to craft a culture of cybersecurity within an organization. Each core function has its own outcome categories, ranging from risk management strategy to detection processes and security awareness and training.

The Framework Implementation Tiers describe the degree of rigor and sophistication in an organization’s cybersecurity risk management practices. The four tiers (partial, risk informed, repeatable, and adaptive) serve as a decision-making guide for organizations trying to manage cybersecurity risk.

NIST also maintains a variety of Framework Profiles, which it defines as “the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of the organization.”

For example, in 2021, NIST released its “Cybersecurity Framework Profile for Ransomware Risk Management,” aimed at assisting organizations in preventing, responding to, and recovering from ransomware attacks.

In addition to the NIST CSF, healthcare organizations can leverage the “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide,” also known as NIST Special Publication 800-66, Revision 2. The publication maps the elements of the HIPAA Security Rule to the NIST CSF subcategories, linking the two.



“When you think of the product lifecycle of medical devices, it’s relatively new that medical devices have become a target, as they become interconnected,” Garcia noted.

“Device manufacturers have to play catch up, and that means designing, developing, building security into those devices from the ground up.”

The Health Sector Coordinating Council’s (HSCC) Joint Security Plan (JSP) is a product lifecycle reference guide to developing, deploying, and supporting secure medical devices and health IT products and solutions.

The JSP can help medical device manufacturers, health IT vendors, providers, and others manage medical device security and continuously evaluate and improve their device security practices.

“For the successful use of the JSP, an initial step is to be able to define the governance process as it relates to organizational roles and responsibilities, and the needs for personnel training,” the document states.

“Governance which may include strategic decisions, establishing milestones, and tracking of maturity against the framework is executed by designated leaders in a vendor’s organization. Framework adoption should be driven by mapping each of the framework cybersecurity activities and processes into existing processes and minimizing the creation of separate or redundant processes.”

The JSP framework includes detailed guidance based on different activities and processes, such as risk management, design control, and complaint handling and reporting.

“This voluntary plan is intentionally forward leaning and seeks to inspire organizations to raise the bar for product cybersecurity,” the JSP continues.

“In particular, integrating cybersecurity into an organization necessitates organizational and process changes that come with considerable time and monetary investments. The JSP provides a framework for making these organizational and process related changes.”

In addition to the JSP, the HSCC maintains a variety of other free resources that healthcare organizations can leverage to improve security. For example, the Operational Continuity Cyber Incident (OCCI) checklist provides a template for responding to an outage caused by a cyberattack. Additionally, the Health Industry Cybersecurity Workforce Guide aims to help healthcare organizations recruit and retain cybersecurity workforce members.



The Health-ISAC is a global nonprofit through which healthcare stakeholders can communicate, collaborate, and share cyber threat intelligence with each other.

“The Health-ISAC is the neighborhood watch,” Garcia explained. “You have to see what’s coming at you and prepare for it.”

Health-ISAC membership is not free, but membership rates are tiered and can be as low as $2,400 annually for organizations with less than $100 million in revenue. There are also special fee levels for nonprofits and medical schools. The organization also publishes free guidance and resources on its website.

“Being a member of Health-ISAC can extend the scope of your security department. Health-ISAC is a force multiplier. Instead of you and your department of 3 or 30, you now have a department of over 4,000 [Note: This number is currently 8,000+ and the website has now been updated] Global analysts ready to send alerts 24/7,” the organization’s website states.

“As each member organization shares Cyber Threat Intel across the sector, the virtual landing space for malicious attackers is reduced.”

Health-ISAC also regularly publishes white papers on its website about topics such as zero trust and interoperability for healthcare chief information security officers (CISOs). The organization frequently shares detailed information about the latest cyber threats facing the sector via monthly newsletters and other avenues.

These free and low-cost resources can help organizations of all sizes improve their security postures, especially those with limited resources.
