Skip to main content
Sign In
HHS Logo
U.S. Department of Health & Human Services
Search Icon
Menu Icon

Healthcare and Public Health Cybersecurity

ASPR Serves as the Sector Risk Management Agency for the Health Care and
Public Health Sector to Protect Patient Health and Safety

#StopRansomware: ALPHV Blackcat#StopRansomware: ALPHV Blackcat

A new joint cybersecurity advisory from FBI, DHS/CISA, and HHS encourages organizations to take actions that mitigate the threat of ransomware. This advisory provides updates to the BlackCat/ALPHV Ransomware Indicators of Compromise released April 19, 2022 and to the advisory released December 19, 2023.

 Read the Advisory

The Healthcare and Public Health (HPH) sector continues to experience increasingly sophisticated cyberattacks that exploit complex, interconnected IT systems at hospitals and health care facilities. Nationwide, health care and public health IT infrastructures suffer from many common vulnerabilities: underfunded cybersecurity programs, vulnerable legacy systems, a growing need for skilled cybersecurity professionals, and network-connected medical technologies, including medical devices. 

These cyberattacks against the HPH sector are growing both in numbers and severity, with the frequency of cyberattacks on hospitals and health systems more than doubling from 2016 to 2021. The HPH sector experienced a 42 percent increase in ransomware attacks in 2022 compared to 2021. The cost of an average health care data breach has reached $10.93 million, according to a report from IBM Security. That’s an 8% jump from a year ago, when the average cost topped $10 million for the first time. In health care, cyber risks are patient risks – unlike other more typical industries impacted by cybersecurity threats (e.g., energy, finance), disruptions in health care could cost lives.

ASPR has worked with our partners in HHS, across the federal government, and with industry to develop resources to help hospitals and health care facilities protect themselves and their patient’s from cyber attacks.

ASPR leads the HHS divisions and works with our public and private partners to provide guidance and support to help enhance cybersecurity for the health care and public health sectors.

Learn more about ASPR's role in cybersecurity

       Subscribe to ASPR's
     Cybersecurity Bulletins

Get information on cyber incidents, news,
resources, engagement opportunities, and
security updates sent right to your inbox.

   alert icon  Stay Informed. Subscribe Today.  

                       More alerts:
   Health Sector Coordination Center
               405(d) Mailing List

Learn to Improve Cybersecurity and Cyber Defense

                  

HPH
Cybersecurity
Performance Goals (CPG)

Cybersecurity Icon

These CPGs are a voluntary subset of cybersecurity practices that healthcare organizations, and healthcare delivery organizations in particular, can prioritize to strengthen cyber preparedness, improve cyber resiliency, and ultimately protect patient health information and safety.





Learn More

Health care Sector Cybersecurity:
Introduction to the Strategy of the U.S. Department of Health And Human Services

Cybersecurity Icon

 Overview of HHS recommendations
to help the health care and
 public health sectoraddress
cyber threats.








Learn More

Health Care and Public
Health sector cybersecurity framework implementation guide

Cybersecurity Icon

Developed to help organizations establish a strong cybersecurity program or validate the effectiveness of an existing program, this guide helps organizations map their existing program to the NIST Cybersecurity Framework, identify improvements, and communicate results. This guide was developed to incorporate and align with processes and tools currently in use or under consideration.



Learn More

Health industry cybersecurity practices: Managing threats and protecting patients
(hicp 2023 ed.)

Cybersecurity Icon

Featuring recommendations and best practices to prepare for and fight against cybersecurity threats that can impact patient safety, this document outlines the top threats facing the HPH Sector. It has been developed with all stakeholders in mind; organizations from small to large can benefit from the resources and best practices provided in the main document and additional two technical volumes.


Learn More

national cybersecurity strategy implementation plan
 (2023)

Cybersecurity Icon

 This plan outlines a path for achieving
two significant changes: the need
for more capable actors in cybersecurity
and the need to increase incentive
to make investments in long-term resilience.







Learn More

health care system cybersecurity: readiness and response 
considerations

Cybersecurity Icon

Focuses on the effects of a cyber incident on the health care operational environment; one that impacts the ability to effectively care for patients and maintain business practices and readiness during such an event. It covers many strategies and principles relevant to a range of cybersecurity incidents and health care facilities included disruptions associated with a large-scale cyberattack.



Learn More

Health industry cybersecurity protection of innovation
capital

Cybersecurity Icon

With a focus on Innovation Capital  protection, this resource can help
security and risk practitioners protect their systems at any stage of their information protection program’s maturity.







Learn More

Health industry cybersecurity
tactical crisis response
guide

Cybersecurity Icon

With a focus on Innovation Capital  protection, this resource can help security and risk practitioners protect their systems at any stage of their information protection program’s maturity.








Learn More

Hospital Cyber
Resiliency Landscape
Analysis

Hospital icon

This resource highlights findings and issues affecting the cybersecurity resiliency of U.S. hospitals to better identify the biggest threats facing hospitals and assess their cybersecurity capabilities relative to commonly accepted cybersecurity practices.






Learn More

health industry cybersecurity
information sharing
best practices

Cybersecurity Icon

Provides HPH Sector organizations interested in information sharing
with a set of guidelines and
best practices for efficient
and effective
information sharing.







Learn More

security risk
assessment
tool

Hospital icon

This risk assessment tool helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. It also helps reveal areas where your organization’s protected health information could be at risk. Designed for medium and small providers.






Learn More

risc toolkit 2.0:
the risk identification and site criticality toolkit

Cybersecurity Icon

An objective, data-driven all-hazards risk assessment for use by public and private organizations within the HPH sector to inform emergency preparedness planning, risk management activities, and resource investments. This tool enables the user to estimate the human, property, and business impacts to a facility that may result from 67 internal and external threats, including cyber threats. 



Learn More

aspr tracie:
health care
cybersecurity

Cybersecurity Icon

Updated in 2022, this collection of resources can help stakeholders (including practitioners, facility executives, information technology professionals, and emergency managers) better protect against, mitigate, respond to, and recover from cyberattacks to ensure patient safety and operational continuity.





Learn More

Tailored
top reads from
405(D)

Cybersecurity Icon

The 405(d) program has developed a tailored list of must-read resources for health care practitioners and IT professionals at health care organizations of all sizes. Just indicate your role and the size of your organization, and the 405(d) program will provide you with a customized list of resources to help you improve your organization’s cybersecurity posture.



Learn More

health industry cybersecurity supply chain risk management
guide v2.0

Cybersecurity Icon

This tool for smaller to mid-sized health organizations is focused on supply chain cybersecurity risk management.










Learn More

top 10
myths of security risk
analysis

Cybersecurity Icon

This checklist from the HHS Office of the National Coordinator for Health Information Technology (HHS/ONC/IT) helps separate fact from fiction.









Learn More

Top 10
Tips for cybersecurity in
Healthcare

Cybersecurity Icon

HHS/ONC/IT provides its top ten tips for strengthening cybersecurity and provides information to help you get started on implementation. 









Learn More