Downloads

Checklists, Surveys, Templates, Documents, Studies & More

HICP Resources & Templates

The Health Industry Cybersecurity Practices (HICP) publication examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents ten practices to mitigate them. The Resources and Templates portion collects the cybersecurity resources and templates that accompany those practices, for end users to reference.

HICP Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations

The HICP examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents ten practices to mitigate them. Technical Volume 2 discusses the ten Cybersecurity Practices, along with their Sub-Practices, as they apply to medium and large health care organizations.

HICP Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations

The HICP examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents ten practices to mitigate them. Technical Volume 1 discusses the ten Cybersecurity Practices, along with their Sub-Practices, as they apply to small health care organizations.

Health Industry Cybersecurity Practices (HICP)

The HICP examines cybersecurity threats and vulnerabilities that affect the healthcare industry. It explores five current threats and presents ten practices to mitigate those threats.

2018 State of Endpoint Security Risk

The 2018 State of Endpoint Security Risk, a Ponemon Institute study sponsored by Barkly, reveals that organizations are being attacked at an alarming rate with significant financial consequences. In this year’s research, nearly two-thirds (64 percent) of respondents report that their company experienced one or more endpoint attacks that successfully compromised data assets and/or IT infrastructure over the past 12 months, a 17 percent increase over last year’s research (54 percent of respondents).

Ponemon Institute surveyed 660 IT security professionals responsible for managing and reducing their organization’s endpoint security risk.

State of Cybersecurity Report 2018

Welcome to the 2nd edition of Wipro’s State of Cybersecurity Report. The past year witnessed some of the most visible cyber-attacks in recent times: ransomware that spread across the globe while the world’s media reported on it, making the menace very real to society, large corporations and governments all at once. The report provides operational and strategic insights for security teams and professionals across customer organizations.

2018 Cost of a Data Breach Study

IBM Security and Ponemon Institute have released the 2018 Cost of a Data Breach Study: Global Overview. This year they interviewed more than 2,200 IT, data protection and compliance professionals from 477 companies that experienced a data breach over the past 12 months. According to the findings, data breaches continue to grow costlier and to involve more lost or stolen consumer records, year after year.

NIST Cybersecurity Framework 1.1

Version 1.1 of the NIST Cybersecurity Framework (released April 2018) refines, clarifies, and enhances Version 1.0, which was issued in February 2014. It incorporates comments received on the two drafts of Version 1.1. Version 1.1 is intended to be implemented by first-time and current Framework users alike. Current users should be able to adopt Version 1.1 with minimal or no disruption; compatibility with Version 1.0 was an explicit design objective.

2017 Internet Crime Report

The 2017 Internet Crime Report emphasizes the IC3’s efforts in monitoring trending scams such as Business Email Compromise (BEC), ransomware, tech support fraud, and extortion. The report also highlights the Elder Justice Initiative, which promotes justice for the nation’s seniors. In 2017, IC3 received a total of 301,580 complaints with reported losses exceeding $1.4 billion.

State Data Security & Breach Laws (Updated April 2018)

First, you need to know your state’s laws for data security and breach notification so you can abide by them. HIPAA preempts contrary state law, but not where the state law is more stringent than HIPAA; a stricter state law therefore still applies on top of HIPAA. Second, many businesses are not aware that they have legal obligations under state law to protect specific data and to follow rules for handling aspects of a breach, and that they face state investigations and fines. This document, created by Mintz Levin, is a quick reference for state data security and breach laws.

Covered Entity Guidance

Find out whether an organization or individual is a Covered Entity under the Administrative Simplification provisions of HIPAA.

State Medical Record Laws

Minimum Medical Record Retention Periods for Records Held by Medical Doctors and Hospitals (as of 3/2018)

Cybercrime Tactics & Techniques: 2017 State of Malware

This report from Malwarebytes takes a look back at cybercrime in 2017: what is working for attackers, what we should be protecting ourselves against, and the company’s predictions for 2018.

State Data Security & Breach Laws

Did you know that 48 states (as of Nov 2017) have their own data security and breach laws? At that time only Alabama and South Dakota had no security breach notification law (both enacted one in March 2018). Why does this matter? First, you need to know your state’s laws for data security and breach notification so you can abide by them. HIPAA preempts contrary state law, but not where the state law is more stringent than HIPAA; a stricter state law therefore still applies on top of HIPAA. Second, many businesses are not aware that they have legal obligations under state law to protect specific data and to follow rules for handling aspects of a breach, and that they face state investigations and fines. This document, created by Mintz Levin, is a quick reference for state data security and breach laws.

How HIPAA Allows Doctors To Respond To The Opioid Crisis

HIPAA allows health professionals to share health information with a patient’s loved ones in emergency or dangerous situations, but misunderstandings to the contrary persist and create obstacles to the family support that is crucial to the proper care and treatment of people in crisis, such as an opioid overdose. This document explains how health care providers have broad ability to share health information with a patient’s family members during certain crisis situations without violating the HIPAA Privacy Rule.

HIPAA Security and Compliance on AWS

This whitepaper from Amazon Web Services (AWS) discusses how Covered Entities and their Business Associates can use AWS’s secure, scalable, low-cost IT components to architect applications in alignment with HIPAA and HITECH compliance requirements.

The Ransomware Economy

How and why the dark web marketplace for ransomware is growing at a rate of more than 2,500% per year. A research report from Carbon Black, published October 2017.

A Cyber Attack Quick-Response Checklist from the OCR

Has your entity just experienced a ransomware attack or other cyber-related security incident, and you are wondering what to do now? This guide briefly explains the steps a HIPAA covered entity or its business associate (the entity) should take in response to a cyber-related security incident. An accompanying infographic is also included.

G Suite HIPAA Implementation Guide

This is Google’s HIPAA implementation guide for G Suite. It is intended for security officers, compliance officers, IT administrators, and other employees responsible for HIPAA implementation and compliance with G Suite. This updated guide replaces the previous Google Apps guide.

Workforce Training Logs

Workforce training on HIPAA, on your policies and procedures, and on security awareness is a requirement under the HIPAA Security Rule, 45 CFR §164.308(a)(5)(i): “Implement a security awareness and training program for all members of its workforce (including management).” This spreadsheet log will help you keep track of your personnel and training efforts, and is also useful for tracking other workforce training (e.g., OSHA). You may also use it with your clients. Maintaining HIPAA compliance is the responsibility of every workforce member of a covered entity or business associate, and a well-maintained security awareness and training program helps ensure that everyone understands their responsibilities for maintaining it.

Google Sheets Version

Microsoft Excel Version

File Sharing and Cloud Computing: What to Consider?

The implementation of file sharing and collaboration tools, including tools that leverage cloud technology, brings with it additional security concerns that HIPAA covered entities and business associates must take into account in their risk analyses, risk management policies, and business associate agreements (BAAs). Cloud computing and file sharing services can introduce additional risks to the privacy and security of electronic protected health information (ePHI) that organizations must identify as part of their risk analysis process and mitigate as part of their risk management process.

Comparison of US State and Federal Security Breach Notification Laws

The Breach Notification Law Roadmap summarizes the state and federal data breach statutes currently in effect.

Medical Record Retention Required of Health Care Providers: 50 State Comparison

This comparative map shows medical record retention requirements applicable to health care providers in all 50 states plus the District of Columbia. State law governs the length of time that providers must maintain medical records, and this map categorizes states by the minimum length of time providers must retain records.

Security Breach Notification Laws

Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, data/information brokers, government entities, etc.); definitions of “personal information” (e.g., name combined with SSN, driver’s license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition of data); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

Bitglass Healthcare Breach Report 2017

For this third annual Healthcare Breach Report, the Bitglass research team pulled data from the US Department of Health and Human Services’ breach portal (the “Wall of Shame”) to identify the most common causes of data leakage, changes in breach frequency, and the preventative steps organizations have taken to limit the impact of each breach. Read on to see how the healthcare sector has fared in protecting data through 2016 and so far in 2017.

HIPAA Policies & Procedures Manual (Awesome Example)

This HIPAA P&P Manual, created by Rocky Mountain Human Services, is a great example of a well written and well organized P&P manual. This manual is created by a Covered Entity so keep in mind that many of these policies may not pertain to MSPs or other Business Associates. Please use this as an example and NOT a template (don’t replace company names and then use it as your own).

The CyberEdge 2017 Cyberthreat Defense Report

Cyber security threats are on the rise, yet according to CyberEdge’s 2017 Cyberthreat Defense Report, organizations now feel less equipped to defend against both internal and external threats. Read the report for insight gathered from 1,100 IT security decision makers to help you determine:
  • How to best protect your business critical data from cyber criminals and compromised insiders
  • What defense measures your peers have in place
  • Why weaknesses in your strategy could make your organization a “low hanging fruit”
Also available: the report infographic, and the report figures and table graphics.

The Hiscox Cyber Readiness Report 2017

The Hiscox Cyber Readiness Report 2017 is compiled from a survey of more than 3,000 executives, departmental heads, IT managers and other key professionals in the UK, US and Germany. Drawn from a representative sample of businesses by size and sector, these are the men and women on the front line of the business battle against cyber crime. While all are involved to a greater or lesser extent in their organization’s cyber security effort, three in five make the final decision on how their business should respond. The report not only provides an up-to-the-minute picture of the cyber readiness of businesses big and small, it also offers a blueprint for best practice in the fight to counter an ever-evolving threat.

The Deep Web Exploitation of Health Sector Breach Victims

This report intends to push the conversation past the predictable comfort zones of patient victims, health sector executives, law enforcement and legislators. It starts post-breach, taking as given that patient identity theft is an obvious and harmful byproduct of mishandled patient records, and delves into the deep web black market forums and marketplaces where stolen EHR and PII are sold and bartered.

2016 Check Point Security Report

Reading this year’s Security Report, it becomes clear that a protection model that only reacts to threats is no longer sufficient to safeguard today’s enterprises. Losing is a real possibility, and a breach can happen to anyone. To help you protect your organization, your data, and your customers, Check Point has woven recommendations into each of the report’s chapters. Every breach is a learning experience that inspires us to protect ourselves better; we can all learn from OPM’s experience.

Guidance On HIPAA & Cloud Computing

With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). This guidance assists such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.

Ransomware and HIPAA

To help health care entities better understand and respond to the threat of ransomware, the HHS Office for Civil Rights has released new Health Insurance Portability and Accountability Act (HIPAA) guidance on ransomware. The new guidance reinforces activities required by HIPAA that can help organizations prevent, detect, contain, and respond to threats.

HIPAA Compliance & Data Protection with Google Apps (OUTDATED)

This is Google’s HIPAA implementation guide for Google Apps for Work. This guide is intended for security officers, compliance officers, IT administrators, and other employees in organizations who are responsible for HIPAA implementation and compliance with Google Apps.

New Security Risk Assessment Tool

The SRA Tool takes you through each HIPAA requirement by presenting a question about your organization’s activities. Your “yes” or “no” answer will show you if you need to take corrective action for that particular item. There are a total of 156 questions. Resources are included with each question to help you:
  • Understand the context of the question
  • Consider the potential impacts to your PHI if the requirement is not met
  • See the actual safeguard language of the HIPAA Security Rule
You can document your answers, comments, and risk remediation plans directly into the SRA Tool. The tool serves as your local repository for the information and does not send your data anywhere else. The download includes the software tool as well as the paper-based version (3 Word documents).

Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA

The ONC report explains that a large number of organizations now collect, store, and transmit health data, yet many of them are not subject to the same rules for protecting ePHI as traditional healthcare organizations. Data and privacy protections at non-HIPAA-covered entities are not always robust, and numerous gaps exist that put individuals’ health data at risk.

Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data

The Sixth Annual study from the Ponemon Institute reveals that the majority of healthcare organizations represented in this study have experienced multiple data breaches. Despite the increased frequency of breaches, the study found that many organizations lack the money and resources to manage data breaches caused by evolving cyber threats, preventable mistakes, and other dangers.

Lessons Learned From Major Healthcare Data Breaches

A report from the Brookings Institution’s Center for Technology Innovation. Its purpose is to examine recent privacy breaches in the health care industry, uncover the underlying factors leading to these incidents, document the lessons learned, and examine how similar breaches can be prevented going forward.

NIST CSF to HIPAA Security Rule Crosswalk

This crosswalk document identifies mappings between the NIST Cybersecurity Framework (CSF) and the HIPAA Security Rule. The aim of the crosswalk is to help HIPAA-covered entities identify and address any gaps in their cybersecurity protections and better safeguard ePHI.

2016 California Data Breach Report

A four-year study of security incidents in California, revealing that the private records of nearly 50 million residents were compromised and that most of those breaches could have been prevented. Read the full report and its recommendations for reducing risks and threats.

LogMeIn HIPAA Considerations

This LogMeIn publication provides a brief introduction to the scope of HIPAA compliance with regard to remote access products (including LogMeIn Pro and Central) and support and collaboration products (including LogMeIn Rescue).

Battling the Big Hack

IT pros’ security concerns for 2016 are probed by this Spiceworks survey. The company surveyed 200 U.S. IT professionals to find out more about the security incidents they suffered in 2015 and to gather opinions on the biggest data security threats for 2016.

Guide to Privacy and Security of Electronic Health Information

Sample Seven-Step Approach for Implementing a Security Management Process

ID Experts 2015 Privacy & Security Survey

ID Experts surveyed privacy, compliance, security and risk leaders about incident trends and predictions. Find out which industry they believe will be the target of 2016 data breaches, the current threats to data, budget trends, and more. Proof that HIPAA-compliant MSPs have a massive opportunity.

HIPAA Screensaver & Wallpaper

Place your logo on these image slides for a custom, high quality screensaver. Install the images on each client’s computers as a screensaver to serve as a constant reminder of what they should be doing to help protect privacy and security. Contains 23 screensaver images and 1 wallpaper image.

What a BA needs to do for HIPAA

This document, created by Kardon Compliance, is an invaluable tool for use as a comprehensive checklist of things every Business Associate needs to do to comply with HIPAA.

Experian 2015 Study: Is Your Company Ready For A Big Data Breach?

The Experian-sponsored Third Annual Study on Data Breach Preparedness was published in October 2015. The study explored the efforts that have been made by companies to deal with the increased risk of cyberattacks and breaches by malicious insiders.

HIPAA Policies & Procedures Template #1

This document, created by the National Learning Consortium and made available by HealthIT.gov, is a comprehensive template/guide for developing your own documentation. As with any template, add or remove content so that it applies to your business. Read and edit it carefully.

HIPAA Policies & Procedures Template #2

This document, created by a company named Catalyze and made available on GitHub, is their own documentation, which you can use as a guide. As with any template, add or remove content so that it applies to your business. Read and edit it carefully.

The Case For MSPs

This document, created by HIPAAforMSPs.com, is a marketing piece which will show your prospects WHY using an MSP is necessary for their HIPAA compliance efforts.

Top 10 Health Technology Hazards for 2015

A report from ECRI Institute’s Health Devices, November 2014. Numbers 2 and 9 are just right for MSPs to address.

Sample Business Associate Agreement

This sample BAA is put out by HHS as a guide to assist in building your own BAA. Make sure you read it thoroughly and edit it to fit your needs. All highlighted areas need special attention.

Breach Report 2014

This report came out 09/02/2014 and gives a very comprehensive list of all breaches in 2014 (so far), not just in healthcare. Using it, it is very easy to find breaches in your state along with links to more information about each. This is a great tool for yourself and your clients.

Checklist For Business Associate Agreements

Use this checklist to ensure your BAA covers the necessary requirements. Also very useful in comparing to BAAs offered to you to sign by your clients or other entities. May also be used to help your clients in drafting their own BAA.

Marketing Flier – Breaches of PHI Can Result in Fines

Use this PDF as a marketing or awareness tool. It doesn’t just give some scary info or story to try to use scare tactics, it has valuable and actionable content to help the reader. When you give value first, you’re more likely to get reciprocation.

HIPAA Security Assessment Checklist

A very nice worksheet to use to perform a Security Assessment for yourself and your clients. Use this to determine how much work a client still needs to do on compliance. Take the results and create a Corrective Action Plan to fix everything that was discovered to be insufficient.

Slides – Electronic Communication In Your Practice

PowerPoint, 16 slides. Use this presentation to discuss compliant email and mobile device usage in a healthcare practice. Feel free to brand and customize it.

HIPAA Compliance For The Wireless LAN

This publication, from Meraki, describes the implications of HIPAA on a wireless LAN solution, and highlights how Meraki can be used to implement a HIPAA-compliant network infrastructure.

Infographic – The Top 7 HIPAA Security Risk Analysis Myths

A very nice infographic from the folks at Coalfire addressing some very common myths. These myths apply to both CEs and BAs (though the infographic is targeted at CEs). Trust me, you will hear these objections (myths), so be prepared to address them. This infographic will help you get the point across.

Infographic – Road To HIPAA Compliance

Great for showing clients the long and tough road ahead to achieve compliance.

FBI Cyber Division – Notification – April 08, 2014

This is a very good document to read and understand. It is also a great conversation starter with clients or potential clients about the health of their systems’ security. I recommend NOT using it as a scare-tactic fact sheet; use it instead as an opportunity to share your concerns about protecting them and keeping them safe and secure. They need to know and understand that your role in their practice is critical to the survival of their business. When things are going great and no problems are around, clients sometimes forget how valuable you are. Gently remind them 🙂

HIPAA Guide For Law Enforcement

Use this as a handout to local law enforcement. It is also a great basis for a short presentation that gets you noticed in your community; have the local media cover it for even more exposure. Community service and events are a great (and usually free) way to get advertising while giving back to your community.

Determine who is a Covered Entity

Guidance on how to determine whether an organization or individual is a covered entity under the Administrative Simplification provisions of HIPAA.

Summary of the HIPAA Privacy Rule

OCR released this summary of the Privacy Rule to assist CEs and BAs in understanding its contents.

HIPAA Security Series

This is an HHS/CMS publication entitled “HIPAA Security Series”. There is some good information in this series. **NOTE** – These documents predate the 2013 Omnibus Rule.