Health Information Technology   Cybersecurity  


Cyber-attacks continue to disrupt all sectors, including health care. Health care is among the most targeted due to the value of medical information (as compared to financial or other information). The proliferation of health information technology (health IT) presents new vulnerabilities and increases risk of a breach for health care organizations. Common vulnerabilities include insider wrongdoing and external hacking attacks. Cybercrime can be particularly disruptive in health care if systems or operations are interrupted, posing a potential risk to patient health and safety. Awareness and implementation of cybersecurity best practices across a health care enterprise is paramount to reducing cybersecurity risks.


Register for an upcoming cybersecurity webinar 

Cyber Liability Insurance:  What Practices Need to Know about Risk, Selecting Coverage, and Avoiding Common Pitfalls (February 18, 2022 | 12-1PM ET)


Patient Generated Health Data —  A Closer Look at Privacy and Security Risks, the Current State of Health Care Cybersecurity, and State-Level Protections (2021)

Provides an overview of the privacy and security landscape of patient generated health data (PGHD), which typically is not covered by HIPAA and presents risks to consumers who may intentionally or unintentionally share their health-related data with third-party applications.  Also included is information on cybersecurity and breach trends and legislation passed in select states to strengthen protections for PGHD.

Consumer Data Privacy & Security Legislation:  A Legislative Scan to Assess State-Level Protections for Patient Generated Health Data (2021)

Findings from an environmental scan of state-level protections for health-related data created and recorded by patients outside of a clinical setting.  Includes a snapshot of legislation passed by select states.

Health Care Data Breaches, Perspectives on Breach Trends in Maryland and Comparative States (2021)

An analysis of health care data breaches locally and nationally affecting 500 or more individuals between 2018 and 2020.  This insights brief includes findings on breach trends and the changing cybersecurity landscape, including privacy and security risks as they relate to PGHD and the growing use of consumer health technologies that lack HIPAA-equivalent protections.

To access health care data breach reports published from 2018-2020, click here

Peer to Peer Learning

The MHCC collaborates with State agencies, health care associations, and other industry leaders to raise awareness and share information about cybersecurity best practices. Stakeholders convene to share perspectives about cybersecurity, including network security, safeguarding data and privacy, and incident preparedness and response.

Health Care Cybersecurity Symposium:  Managing Risk Within the Health Care Supply Chain (November 2021)

The MHCC convened a virtual event in collaboration with the Healthcare Information Management Systems Society Maryland Chapter (MD HIMSS), the Maryland Hospital Association (MHA), the Health Facilities Association of Maryland (HFAM), and the Health Services Cost Review Commission (HSCRC).  Local and national leaders shared insights about cyber supply chain risk management and best practices for mitigating cyber risk.  Click here for available slides and here for presenter bios.  A recording of the event is here.

Cybersecurity Symposium:  Reevaluating Security, Risk and Governance to Ensure a Well-Rounded Approach to Cybersecurity (October 2019)

In collaboration with MD HIMSS, MHA, and HSCRC, MHCC brought together local subject matter experts from the National Institute of Standards and Technology (NIST), health systems, long-term care, and academia. Presentations highlighted updates to the NIST Cybersecurity Framework and best practices for reducing cyber risk through governance and operational controls. Click here for the symposium agenda.

Back to Basics Cybersecurity Lunch and Learn Webinar (October 2018)

The MHCC hosted a webinar for small practices with presentations from the Maryland Department of Commerce and Mokxa Technologies. The webinar provided information about a free cybersecurity self-assessment tool, key security steps to reduce risk of a breach, and a Maryland cybersecurity tax credit. Click here to view the webinar on-demand.

Health IT User Education Roundtable:  A Best Practices Symposium (March 2017)

The MHCC, MD HIMSS, MHA, and HSCRC convened industry experts, including two Chief Information Security Officers from local health systems. A roundtable discussion focused on end-user behavior and knowledge gaps that directly impact health care security. Presenters highlighted real-life scenarios and best practices for reducing human error. Click here for available slides. 

Hospital Cybersecurity Symposium (September 2016)

The MHCC, MD HIMSS, MHA, and HSCRC hosted a first-of-its-kind event bringing together health care leaders in the State to discuss the growing importance of securing data, protecting privacy, and mitigating cyber risk. Presentations provided insights about the evolving nature of cyber threats and best practices for risk management, including vendor accountability and cyber liability insurance. Click here for available slides.


U.S. Department of Health & Human Services (HHS)

HHS 405(d) Aligning Health Care Industry Security Approaches Program

The 405(d) Program and Task Group is a collaborative effort between industry and the federal government to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating pertinent cybersecurity threats. 

Health Industry Cybersecurity Practices Publication:  Managing Threats and Protecting Patients

Examines cybersecurity threats and vulnerabilities and includes practices and activities to mitigate those threats.  Targeted sub-practices are provided for small and medium to large health care organizations.

For Small Health Care Practices:

Data Privacy When Using Wearable Health and Fitness Devices – What Consumers Need to Know

Guidance to help patients make informed decisions when using wearable technology. 

People:  The Frontline of Cybersecurity – 3 Good Habits for Small Practices

Basic cybersecurity best practices that anyone can adopt. 

Safeguarding Privacy and Security in Telehealth:  Tips to Keep Your Practice Safe

Important privacy and security considerations when providing telehealth services.

Top 10 Tips for Cybersecurity in Health Care

The Office of the National Coordinator for Health Information Technology (ONC) provides information and additional resources for reducing cyber risks.

American Medical Association:  Protect Your Practice and Patients from Cybersecurity Threats

Guidance for safeguarding confidential and patient information in a medical practice.

General Guidance:

OCR Cybersecurity Guidance Materials

Educational materials for responding to cybersecurity incidents.

2020 HIMSS Cybersecurity Survey

A study of cybersecurity experiences and practices of security leaders nationally.

National Security Agency:  Mitigating Cloud Vulnerabilities

Information about cloud vulnerabilities and perspectives on cloud security principles.

Security Assessments and Frameworks:

MHCC Cybersecurity Self-Assessment Readiness Tool (2018)

Designed to help health care organizations assess readiness and potential gaps in cybersecurity. A series of self-evaluation statements are grouped by people, processes, policies, and technology, which align with the NIST Cybersecurity Framework.

HHS Security Risk Assessment Tool

A guide for small health care providers conducting a security risk assessment; results can be used to determine potential risks in policies, processes and systems, and methods to mitigate risks.

NIST Cybersecurity Framework

Integrates industry standards and best practices to help organizations manage their cybersecurity risks and is meant to be accessible to small and large organizations across all sectors. 

Other Security Frameworks

Overviews common security frameworks used to enhance security and develop robust cybersecurity programs.


Contact Information

For more information, contact Justine Springer at

Last Updated: 1/25/2022