Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Cyber Security Guidance Material

This is Guidance re: Cyber Security for Providers


Issued by: Office for Civil Rights (OCR)

Cyber Security Guidance Material

In this section, you will find educational materials specifically designed to give HIPAA covered entities and business associates insight into how to respond to a cyber-related security incidents.

Cyber Security Checklist and Infographic

This guide and graphic explains, in brief, the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident.

Cyber Security Checklist - PDF

Cyber Security Infographic [GIF 802 KB]

Ransomware Guidance

HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware.

Ransomware - PDF

National Institute of Standards and Technology (NIST) Cybersecurity Framework

This crosswalk document identifies “mappings” between NIST’s Framework for Improving Critical Infrastructure Cybersecurity and the HIPAA Security Rule.

NIST Cyber Security Framework to HIPAA Security Rule Crosswalk - PDF

OCR Cyber Awareness Newsletters

In 2019, OCR moved to quarterly cybersecurity newsletters. The purpose of the newsletters remains unchanged: to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues, and highlighting best practices to safeguard PHI. Visit our Cybersecurity Newsletter Archive page to view previous newsletters from 2016.

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.