Skip to main content
U.S. flag

An official website of the United States government

Here’s how you know

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

HTTPS

Secure .gov websites use HTTPS
A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

  • About HHS
  • Programs & Services
  • Grants & Contracts
  • Laws & Regulations
  • Radical Transparency
  • Big Wins
  • HIPAA for Individuals
  • Filing a Complaint
  • HIPAA for Professionals
  • Newsroom
Breadcrumb
  1. HHS
  2. HIPAA Home
  3. For Professionals
  4. The Security Rule
  5. Security Rule Guidance Material
  6. Cyber Security Guidance Material
  • HIPAA for Professionals
  • Regulatory Initiatives
  • Privacy
    • Summary of the Privacy Rule
    • Guidance
    • Combined Text of All Rules
    • HIPAA Related Links
  • Security
    • Security Rule NPRM
    • Summary of the Security Rule
    • Security Guidance
    • Cyber Security Guidance
  • Breach Notification
    • Breach Reporting
    • Guidance
    • Reports to Congress
    • Regulation History
  • Compliance & Enforcement
    • Enforcement Rule
    • Enforcement Process
    • Enforcement Data
    • Resolution Agreements
    • Case Examples
    • Audit
    • Reports to Congress
    • State Attorneys General
  • Special Topics
    • HIPAA and Part 2
    • Change Healthcare Cybersecurity Incident FAQs
    • HIPAA and COVID-19
    • HIPAA and Reproductive Health
      • HIPAA and Final Rule Notice
    • HIPAA and Telehealth
    • HIPAA and FERPA
    • Research
    • Public Health
    • Emergency Response
    • Health Information Technology
    • Health Apps
  • Patient Safety
  • Covered Entities & Business Associates
    • Business Associate Contracts
    • Business Associates
  • Training & Resources
  • FAQs for Professionals
  • Other Administrative Simplification Rules

Cyber Security Guidance Material

In this section, you will find educational materials specifically designed to give HIPAA covered entities and business associates insight into how to respond to a cyber-related security incidents.

How the HIPAA Security Rule Can Help Defend Against Cyber-Attacks

The HHS Office for Civil Rights (OCR) has produced a pre-recorded video presentation for HIPAA covered entities and business associates (regulated entities) on how the HIPAA Security Rule can help regulated entities defend against cyber-attacks. The video is available in English and Spanish.

The presentation is intended to educate the health care industry on real world cyber-attack trends from OCR breach reports and investigations and explore how implementation of appropriate HIPAA Security Rule safeguards can help detect and mitigate common cyber-attacks. Topics include:

  • OCR breach and investigation trend analysis
  • Common attack vectors
  • OCR investigations of weaknesses that led to or contributed to breaches
  • How Security Rule compliance can help regulated entities defend against cyber-attacks

The video presentation may be found on HHS’s YouTube channel at:
https://www.youtube.com/watch?v=VnbBxxyZLc8 (Oct. 23, 2023)

The video presentation in Spanish may be found on HHS’s YouTube channel at:
https://www.youtube.com/watch?v=3oVarCxLcB8 (Oct. 23, 2023)

Cyber Security Checklist and Infographic

This guide and graphic explains, in brief, the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident.

Cyber Security Checklist

Cyber Security Infographic [GIF 802 KB]

Ransomware Guidance

HHS has developed guidance to help covered entities and business associates better understand and respond to the threat of ransomware.

Ransomware

National Institute of Standards and Technology (NIST) Cybersecurity Framework

This crosswalk document identifies “mappings” between NIST’s Framework for Improving Critical Infrastructure Cybersecurity and the HIPAA Security Rule.

NIST Cyber Security Framework to HIPAA Security Rule Crosswalk

OCR Cyber Awareness Newsletters

In 2019, OCR moved to quarterly cybersecurity newsletters. The purpose of the newsletters remains unchanged: to help HIPAA covered entities and business associates remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues, and highlighting best practices to safeguard PHI. Visit our Cybersecurity Newsletter Archive page to view previous newsletters from 2016.

  • October 2024 OCR Cybersecurity Newsletter: Social Engineering: Searching for Your Weakest Link
  • August 2024 OCR Cybersecurity Newsletter: HIPAA Security Rule Facility Access Controls – What are they and how do you implement them?
  • October 2023 OCR Cybersecurity Newsletter: How Sanction Policies Can Support HIPAA Compliance
  • June 2023 OCR Cybersecurity Newsletter: HIPAA and Cybersecurity Authentication
  • October 2022 OCR Cybersecurity Newsletter: HIPAA Security Rule Security Incident Procedures
  • Quarter 1 2022 OCR Cybersecurity Newsletter: Defending Against Common Cyber-Attacks
  • Fall 2021 OCR Cybersecurity Newsletter: Securing Your Legacy [System Security]
  • Summer 2021 OCR Cybersecurity Newsletter: Controlling Access to ePHI: For Whose Eyes Only?
  • Summer 2020 OCR Cybersecurity Newsletter: HIPAA and IT Asset Inventories
  • Fall 2019 OCR Cybersecurity Newsletter: What Happened to My Data?: Update on Preventing, Mitigating and Responding to Ransomware
  • Summer 2019 OCR Cybersecurity Newsletter: Managing Malicious Insider Threats
  • Spring 2019 OCR Cybersecurity Newsletter: Advanced Persistent Threats and Zero Day Vulnerabilities

Sign up for the OCR Security Listserv to receive the OCR Cyber Awareness Newsletters in your email inbox.

Frequently Asked Questions for Professionals - Please see the HIPAA FAQs for additional guidance on health information privacy topics.

Content created by Office for Civil Rights (OCR)
Content last reviewed October 24, 2024
Back to top

Subscribe to Email Updates

Receive the latest updates from the Secretary and Press Releases.

Subscribe
  • Contact HHS
  • Careers
  • HHS FAQs
  • Nondiscrimination Notice
  • Press Room
  • HHS Archive
  • Accessibility Statement
  • Privacy Policy
  • Budget/Performance
  • Inspector General
  • Web Site Disclaimers
  • EEO/No Fear Act
  • FOIA
  • The White House
  • USA.gov
  • Vulnerability Disclosure Policy
HHS Logo

HHS Headquarters

200 Independence Avenue, S.W.
Washington, D.C. 20201
Toll Free Call Center: 1-877-696-6775​

Follow HHS

Follow Secretary Kennedy