Health Information Technology: Cybersecurity

Overview

Cyber-attacks continue to disrupt all sectors, including health care. Health care is among the most targeted sectors, in part due to the value of medical information (as compared to financial or other information). The proliferation of health information technology (health IT) presents new vulnerabilities and increases the risk of a breach for health care organizations. Common vulnerabilities include insider wrongdoing and external hacking attacks. Cybercrime can be particularly disruptive in health care if systems go down and operations are interrupted, posing risks to patient health and safety. Awareness and implementation of cybersecurity best practices are paramount to reducing cybersecurity risks.

Featured

Consumer Health Data Privacy & Security - A State-Level Scan (2024)

Findings from a legislative scan of state-level protections for consumer health data that falls outside the scope of HIPAA.

Spotlight:  Health Care Data Breach Trends, 2018-2021 (2022)

Trends and observations from an analysis of health care data breaches affecting 500 or more individuals between 2018 and 2021.

To access health care data breach reports published from 2018-2020, click here

Patient Generated Health Data — A Closer Look at Privacy and Security Risks, the Current State of Health Care Cybersecurity, and State-Level Protections (2022)

Provides an overview of the privacy and security landscape of patient generated health data (PGHD), which is not typically covered by HIPAA and presents risks to consumers who may intentionally or unintentionally share their health-related data with third-party applications. Also included is information on cybersecurity and breach trends, and legislation passed in select states to strengthen protections for PGHD.

Peer to Peer Learning

The MHCC collaborates with State agencies, health care associations, and other industry leaders to raise awareness and share information about cybersecurity best practices. Stakeholders convene to share perspectives about cybersecurity, including network security, safeguarding data and privacy, and incident preparedness and response.

Privacy and Security Town Hall featuring HITRUST 

April 2024

The Maryland Health Care Commission convened a virtual Town Hall featuring a guest speaker from HITRUST, an information protection standards organization and certifying body. Attendance included representatives from payers and health IT developers operating in the State, including registered health information exchanges and certified electronic health networks. Discussions centered on updates to the HITRUST Common Security Framework that aim to keep pace with current and emerging cyber threats and support regulated entities in providing assurances of privacy and security controls.

The Town Hall recording can be found here; a copy of the slides can be found here


Cyber Liability Insurance:  What Practices Need to Know about Risk, Selecting Coverage, and Avoiding Common Pitfalls 

February 2022

The MHCC, in collaboration with MedChi, The State Medical Society, convened a webinar featuring two industry experts who shared information about cyber threats, strategies to mitigate cyber risk, and key considerations for evaluating and selecting cyber liability coverage. A recording is available here. Click here for a copy of the slides.


Health Care Cybersecurity Symposium:  Managing Risk Within the Health Care Supply Chain 

November 2021

The MHCC convened a virtual event in collaboration with the Healthcare Information Management Systems Society Maryland Chapter (MD HIMSS), the Maryland Hospital Association (MHA), the Health Facilities Association of Maryland (HFAM), and the Health Services Cost Review Commission (HSCRC). Local and national leaders shared insights about cyber supply chain risk management and best practices for mitigating cyber risk.  Click here for available slides and here for presenter bios.  A recording of the event is here.


Cybersecurity Symposium:  Reevaluating Security, Risk and Governance to Ensure a Well-Rounded Approach to Cybersecurity 

October 2019

In collaboration with MD HIMSS, MHA, and HSCRC, MHCC brought together local subject matter experts from the National Institute of Standards and Technology (NIST), health systems, long-term care, and academia. Presentations highlighted updates to the NIST Cybersecurity Framework and best practices for reducing cyber risk through governance and operational controls.  Click here for the symposium agenda.


Back to Basics Cybersecurity Lunch and Learn Webinar

October 2018

The MHCC hosted a webinar for small practices with presentations from the Maryland Department of Commerce and Mokxa Technologies. The webinar provided information about a free cybersecurity self-assessment tool, key security steps to reduce risk of a breach, and a Maryland cybersecurity tax credit. Click here to view the webinar on-demand.


Health IT User Education Roundtable: A Best Practices Symposium

March 2017

The MHCC, MD HIMSS, MHA, and HSCRC convened industry experts, including two Chief Information Security Officers from local health systems. A roundtable discussion focused on end-user behavior and knowledge gaps that directly impact health care security.  Presenters highlighted real-life scenarios and best practices for reducing human error. Click here for available slides. 


Hospital Cybersecurity Symposium 

September 2016

The MHCC, MD HIMSS, MHA, and HSCRC hosted a first-of-its-kind event bringing together health care leaders in the State to discuss the growing importance of securing data, protecting privacy, and mitigating cyber risk.  Presentations provided insights about the evolving nature of cyber threats and best practices for risk management, including vendor accountability and cyber liability insurance. Click here for available slides.

Resources

Buy Maryland Cybersecurity (BMC) Tax Credit 

The BMC Tax Credit provides an incentive for Qualified Maryland Companies to purchase cybersecurity technologies and services from a Qualified Maryland Cybersecurity Seller. For more information, click here.  

For Small Health Care Practices:

Cyber Liability Insurance:  Tips for Small Practices

Tips for practices seeking to purchase or increase cyber liability coverage.

Data Privacy When Using Wearable Health and Fitness Devices - What Consumers Need to Know

Guidance to help patients make informed decisions when using wearable technology. 

People:  The Frontline of Cybersecurity – 3 Good Habits for Small Practices

Basic cybersecurity best practices that anyone can adopt. 

Safeguarding Privacy and Security in Telehealth: Tips to Keep Your Practice Safe

Important privacy and security considerations when providing telehealth services.

Top 10 Tips for Cybersecurity in Health Care

The Office of the National Coordinator for Health Information Technology (ONC) provides information and additional resources for reducing cyber risks.

American Medical Association: Protect Your Practice and Patients from Cybersecurity Threats

Guidance for safeguarding confidential and patient information in a medical practice.

Security Assessments and Frameworks

Cybersecurity Preparedness - Self-Assessment Questionnaire (2022)

A questionnaire designed by MHCC in collaboration with stakeholders to assist provider organizations with identifying potential gaps in cybersecurity and prioritizing areas for improvement. A series of self-evaluation statements is grouped by people, processes, and technology, which align with the NIST Cybersecurity Framework.

HHS Security Risk Assessment Tool

A guide for small health care providers conducting a security risk assessment; results can be used to determine potential risks in policies, processes and systems, and methods to mitigate risks.

NIST Cybersecurity Framework

Integrates industry standards and best practices to help organizations manage their cybersecurity risks and is meant to be accessible to small and large organizations across all sectors.

Other Security Frameworks

Provides an overview of common security frameworks used to enhance security and develop robust cybersecurity programs.

U.S. Department of Health & Human Services (HHS)

HHS 405(d) Aligning Health Care Industry Security Approaches Program

The HHS 405(d) Program and Task Group is a collaborative effort between industry and the federal government to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating pertinent cybersecurity threats. Spanish-translated cybersecurity resources are available here.

10 Practices to Protect Your Organization from Cyber Threats

Infographic highlighting 10 practices to mitigate cyber threats.

Health Industry Cybersecurity Practices Publication: Managing Threats and Protecting Patients

Examines cybersecurity threats and vulnerabilities and includes practices to mitigate those threats. Targeted sub-practices are provided for small and medium to large health care organizations. 

General Guidance:

OCR Cybersecurity Guidance Materials

Educational materials for responding to cybersecurity incidents.

2021 HIMSS Cybersecurity Survey

A study of cybersecurity experiences and practices of security leaders nationally.

National Security Agency: Mitigating Cloud Vulnerabilities

Information about cloud vulnerabilities and perspectives on cloud security principles.

Contact

For more information, contact Justine Springer at justine.springer@maryland.gov


Last Updated: 7/3/2024