Skip to main content
Sign In
HHS Logo
U.S. Department of Health & Human Services
Search Icon
Menu Icon

Appendix H: Small Health Care Organization Cybersecurity Guidance

Health Care and Public Health Sector Cybersecurity Framework Implementation Guide

Industry regulators and standards bodies generally recognize that smaller, resource-constrained organizations do not have the same capability as medium and large enterprises. US legislation requires federal agencies to give special consideration for small businesses around regulatory compliance,[92] and HIPAA in particular allows covered entities and business associates a certain 'flexibility of approach' based on such factors as size, complexity and capability when addressing its standards and implementation specifications.[93]

With respect to standards organizations, NIST provides small business information security guidance[94] in partnership with the U.S. Small Business Administration (SBA)[95] as well as other online resources such as the NIST Small Business Cybersecurity Corner,[96] and HHS provides small and medium business (SMB) guidance[97] as well.

Through the public-private partnership with the HSCC CWG, HHS jointly developed a cybersecurity publication for health care organizations. The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP), the primary publication of the Cybersecurity Act of 2015, Section 405(d) Task Group, aims to raise awareness, provide vetted cybersecurity practices, and move organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector[98]. It seeks to aid health care and public health organizations to develop meaningful cybersecurity objectives and outcomes. The publication includes a main document, two technical volumes, and resources and templates. The HICP examines cybersecurity threats and vulnerabilities that affect the health ​care industry. It explores five current threats and presents ten practices to mitigate those threats. Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations[99] discusses the ten Cybersecurity Practices along with Sub-Practices for small health care organizations. Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations does the same for these larger entities.

<< Back                                                                                                                                                                              Next >>


92 Small Business Regulatory Enforcement Flexibility Act (SBREFA), Publ. L. 104-121 (1996; as amended by P.L. 110-28, 2007). 

93 HIPAA Administrative Simplification, Regulation Text, 45 CFR Parts 160, 162, and 164 (2013, Mar). § 164.306(b), p. 63. 

94 Paulsen, C. and Toth, P. (2016, Nov). Small Business Information Security: The Fundamentals (NISTIR 7621, Revision 1). 

95 Small Business Administration, SBA (2020). 

96 NIST (2020b). Small Business Security Cybersecurity Corner

97 US-CERT (2020d). Resources for Small and Midsize Businesses (SMB). 

98 Stine, K., Quinn, S., Witte, G., and Gardner, R. (2020). “Integrating Cybersecurity and Enterprise Risk Management (ERM)". NISTIR 8286.

99 HHS 405d. (n.d,). Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations

























CIP Right-Nav

HPH Sector Cybersecurity Framework Implementation Guide