Summary of HHS cybersecurity awareness

As the digital space continues to evolve, so do the threats that lurk within it. Cybersecurity awareness is no longer a luxury - it's a necessity, especially for organizations like the U.S. Department of Health and Human Services (HHS), who manage sensitive data about millions of Americans. 

Ensuring this data's confidentiality, integrity, and availability requires a comprehensive understanding of information security policies, physical and digital access controls, and a culture of security awareness.

Introduction to information security

Information Security, also known as INFOSEC, prevents unauthorized access, use, disclosure, disruption, modification, or destruction of information. It provides confidentiality, integrity, and data availability by implementing technical, management, and operational controls.

The primary goal of an INFOSEC program is to understand, manage, and reduce the risk to information under the organization's control. Three main elements define the protection of information:

• Confidentiality: Safeguarding information from unauthorized disclosure to people or processes.
• Availability: Ensuring accessibility of information systems and resources by authorized users.
• Integrity: Assuring the reliability and accuracy of information and IT resources.

Go deeper:

• How HIPAA defines confidentiality, integrity, and availability of ePHI  
• The CIA triad for HIPAA 

Understanding information security policies and governance

Several Federal and Departmental Guidelines provide the backbone of IT security and privacy within HHS. These guidelines, established by bodies like the National Institute of Standards and Technology (NIST), form the basis for defining IT security legislation and privacy legislation.

Within the HHS, the cybersecurity program, overseen by the Office of the Chief Information Officer (OCIO) and Chief Information Security Officer (CISO), sets programmatic direction, coordinates among key stakeholders, and sets standards for protecting information and information systems.

Physical access controls and password protection

Physical access control is a part of information systems security. Limiting physical access to information systems and infrastructure to authorized personnel reduces the likelihood of information theft or misuse.

One of the deterrents to unauthorized access is the use of unique user identification and a strong password. A strong password typically has at least eight characters, combining upper and lower-case letters, numbers, and special characters.

Additionally, the use of Personal Identity Verification (PIV) cards, by Homeland Security Presidential Directive 12 (HSPD-12), provides a higher level of assurance by facilitating physical access to HHS facilities and enabling strong authentication for access to HHS networks and information systems.

Read also: A guide to HIPAA and access controls

Email and internet security

With the rapid increase of cyber threats, email and internet security have become top priorities. Cybercrime, such as credit card fraud, phishing, and identity theft, is primarily committed online.

One of the most common forms of cybercrime is phishing, where intruders seek access to your personal information or passwords by posing as a legitimate business or organization. Awareness and vigilance are necessary to protect your identity and sensitive information from phishing attacks.

Read more: What is a phishing attack? 

Security outside the office

Securing information outside the office is important in the age of remote work and telecommuting. Whether you're traveling or working remotely, it's necessary to maintain possession of your devices, use only authorized equipment, and report any loss or theft of equipment immediately.

Related: HIPAA requirements while working remotely 

Insider threats: A growing concern

Insider threats pose a significant risk to organizations. These threats come from current or former employees, contractors, or other business partners who misuse their authorized access to the organization's network, system, or data in a manner that negatively impacts the confidentiality, integrity, or availability of information.

Read more: Insider threats in healthcare 

The criticality of incident reporting

Reporting suspected incidents, especially those that could compromise protected health information (PHI), is very important. Incidents can range from loss, damage, theft, or improper disposal of PHI equipment to accidentally sending PHI to an unauthorized person or clicking on a link in a phishing email.

See also: HIPAA Compliant Email: The Definitive Guide