Overview
Cyber-attacks continue to disrupt all sectors, including health care. Health care is among the most targeted sectors, in part due to the value of medical information (as compared to financial or other information). The proliferation of health information technology (health IT) presents new vulnerabilities and increases the risk of a breach for health care organizations. Common vulnerabilities include insider wrongdoing and external hacking attacks. Cybercrime can be particularly disruptive in health care if systems go down and operations are interrupted, posing risks to patient health and safety. Awareness and implementation of cybersecurity best practices are paramount to reducing cybersecurity risks.
Featured
Consumer Health Data Privacy & Security - A State-Level Scan (2024)
Findings from a legislative scan of state-level protections for consumer health data that falls outside the scope of HIPAA.
Spotlight: Health Care Data Breach Trends, 2018-2021 (2022)
Trends and observations from an analysis of health care data breaches affecting 500 or more individuals between 2018 and 2021.
To access health care data breach reports published from 2018-2020, click here.
Patient Generated Health Data — A Closer Look at Privacy and Security Risks, the Current State of Health Care Cybersecurity, and State-Level Protections (2022)
Provides an overview of the privacy and security landscape of patient generated health data (PGHD), which is not typically covered by HIPAA and presents risks to consumers who may intentionally or unintentionally share their health-related data with third-party applications. Also included is information on cybersecurity and breach trends, and legislation passed in select states to strengthen protections for PGHD.
Peer to Peer Learning
The MHCC collaborates with State agencies, health care associations, and other industry leaders to raise awareness and share information about cybersecurity best practices. Stakeholders convene to share perspectives about cybersecurity, including network security, safeguarding data and privacy, and incident preparedness and response.
Privacy and Security Town Hall featuring HITRUST
April 2024
The Maryland Health Care Commission convened a virtual Town Hall featuring a guest speaker from HITRUST, an information protection standards organization and certifying body. Attendance included representatives from payers and health IT developers operating in the State, including registered health information exchanges and certified electronic health networks. Discussions centered on updates to the HITRUST Common Security Framework that aim to keep pace with current and emerging cyber threats and support regulated entities in providing assurances of privacy and security controls.
The Town Hall recording can be found here; a copy of the slides can be found here.
Cyber Liability Insurance: What Practices Need to Know about Risk, Selecting Coverage, and Avoiding Common Pitfalls
February 2022
The MHCC, in collaboration with MedChi, The State Medical Society, convened a webinar featuring two industry experts who shared information about cyber threats, strategies to mitigate cyber risk, and key considerations for evaluating and selecting cyber liability coverage. A recording is available here. Click here for a copy of the slides.
Health Care Cybersecurity Symposium: Managing Risk Within the Health Care Supply Chain
November 2021
The MHCC convened a virtual event in collaboration with the Healthcare Information Management Systems Society Maryland Chapter (MD HIMSS), the Maryland Hospital Association (MHA), the Health Facilities Association of Maryland (HFAM), and the Health Services Cost Review Commission (HSCRC). Local and national leaders shared insights about cyber supply chain risk management and best practices for mitigating cyber risk. Click here for available slides and here for presenter bios. A recording of the event is here.
Cybersecurity Symposium: Reevaluating Security, Risk and Governance to Ensure a Well-Rounded Approach to Cybersecurity
October 2019
In collaboration with MD HIMSS, MHA, and HSCRC, MHCC brought together local subject matter experts from the National Institute of Standards and Technology (NIST), health systems, long-term care, and academia. Presentations highlighted updates to the NIST Cybersecurity Framework and best practices for reducing cyber risk through governance and operational controls. Click here for the symposium agenda.
Back to Basics Cybersecurity Lunch and Learn Webinar
October 2018
The MHCC hosted a webinar for small practices with presentations from the Maryland Department of Commerce and Mokxa Technologies. The webinar provided information about a free cybersecurity self-assessment tool, key security steps to reduce risk of a breach, and a Maryland cybersecurity tax credit. Click here to view the webinar on-demand.
Health IT User Education Roundtable: A Best Practices Symposium
March 2017
The MHCC, MD HIMSS, MHA, and HSCRC convened industry experts, including two Chief Information Security Officers from local health systems. A roundtable discussion focused on end-user behavior and knowledge gaps that directly impact health care security. Presenters highlighted real-life scenarios and best practices for reducing human error. Click here for available slides.
Hospital Cybersecurity Symposium
September 2016
The MHCC, MD HIMSS, MHA, and HSCRC hosted a first-of-its-kind event bringing together health care leaders in the State to discuss the growing importance of securing data, protecting privacy, and mitigating cyber risk. Presentations provided insights about the evolving nature of cyber threats and best practices for risk management, including vendor accountability and cyber liability insurance. Click here for available slides.
Resources
Buy Maryland Cybersecurity (BMC) Tax Credit
The BMC Tax Credit provides an incentive for Qualified Maryland Companies to purchase cybersecurity technologies and services from a Qualified Maryland Cybersecurity Seller. For more information, click here.
For Small Health Care Practices:
Cyber Liability Insurance: Tips for Small Practices
Tips for practices seeking to purchase or increase cyber liability coverage.
Data Privacy When Using Wearable Health and Fitness Devices - What Consumers Need to Know
Guidance to help patients make informed decisions when using wearable technology.
People: The Frontline of Cybersecurity – 3 Good Habits for Small Practices
Basic cybersecurity best practices that anyone can adopt.
Safeguarding Privacy and Security in Telehealth: Tips to Keep Your Practice Safe
Important privacy and security considerations when providing telehealth services.
Top 10 Tips for Cybersecurity in Health Care
The Office of the National Coordinator for Health Information Technology (ONC) provides information and additional resources for reducing cyber risks.
American Medical Association: Protect Your Practice and Patients from Cybersecurity Threats
Guidance for safeguarding confidential and patient information in a medical practice.
Security Assessments and Frameworks
Cybersecurity Preparedness - Self-Assessment Questionnaire (2022)
A questionnaire designed by MHCC in collaboration with stakeholders to assist provider organizations with identifying potential gaps in cybersecurity and prioritizing areas for improvement. A series of self-evaluation statements are grouped by people, processes, and technology, which align with the NIST Cybersecurity Framework.
HHS Security Risk Assessment Tool
A guide for small health care providers conducting a security risk assessment; results can be used to determine potential risks in policies, processes and systems, and methods to mitigate risks.
NIST Cybersecurity Framework
Integrates industry standards and best practices to help organizations manage their cybersecurity risks and is meant to be accessible to small and large organizations across all sectors.
Other Security Frameworks
Provides an overview of common security frameworks used to enhance security and develop robust cybersecurity programs.
U.S. Department of Health & Human Services (HHS)
HHS 405(d) Aligning Health Care Industry Security Approaches Program
The HHS 405(d) Program and Task Group is a collaborative effort between industry and the federal government to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating pertinent cybersecurity threats. Spanish translated cybersecurity resources are available here.
10 Practices to Protect Your Organization from Cyber Threats
Infographic highlighting 10 practices to mitigate cyber threats.
Health Industry Cybersecurity Practices Publication: Managing Threats and Protecting Patients
Examines cybersecurity threats and vulnerabilities and includes practices to mitigate those threats. Targeted sub-practices are provided for small and medium to large health care organizations.
General Guidance:
OCR Cybersecurity Guidance Materials
Educational materials for responding to cybersecurity incidents.
2021 HIMSS Cybersecurity Survey
A study of cybersecurity experiences and practices of security leaders nationally.
National Security Agency: Mitigating Cloud Vulnerabilities
Information about cloud vulnerabilities and perspectives on cloud security principles.
Contact
For more information, contact Justine Springer at justine.springer@maryland.gov