The National Institute of Standards and Technology (NIST) is seeking comment on a proposed update to its cybersecurity guidance for healthcare organizations that fall under the regulatory umbrella of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.
On July 21, 2022, NIST published a draft of revised Special Publication 800-66, “Implementing the [HIPAA] Security Rule: A Cybersecurity Resource Guide,” its first update since the original version was published in 2008.
NIST said it developed the revised guidance, in part, to integrate it with other cybersecurity resources that didn’t exist in 2008, including its Cybersecurity Framework and revisions made to its Security and Privacy Controls (NIST SP 800-53).
“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s latest version,” said Jeff Marron, a NIST information technology specialist, in a press release.
The revised guide is intended to help the healthcare industry “maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI),” NIST stated in the press release. “[ePHI] covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations.”
HIPAA’s Privacy Rule restricts how protected health information may be used or disclosed without patients’ authorization or knowledge, while HIPAA’s Security Rule specifically governs the safeguards for ePHI created, received, maintained, or transmitted by a regulated entity. “NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance,” the agency stated.
“One of our main goals is to help make the updated publication more of a resource guide,” Marron said. “The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule.”
Marron described the draft guidance as “more of a refresh than an overhaul, as the document’s structure has changed only slightly.” Many of the significant changes are flagged in the publication’s “note to reviewers,” which lists seven questions on the sections where NIST is specifically seeking comment.
Risk assessments and risk management: The revision places greater emphasis on risk assessment and risk management. The risk assessment guidelines section (Section 3), for example, “provides foundational information about risk assessment and an approach that regulated entities may choose to use in assessing risk to ePHI,” an activity the HIPAA Security Rule requires, the guidance states.
The guidance describes how to prepare for a risk assessment; how to identify potential threats and their likelihood of exploiting a vulnerability; how to determine the impact of a threat and risk levels; and how to document the results.
In Section 4, NIST describes the risk management guidelines as a “structured, flexible, extensible, and repeatable process that regulated entities may utilize for managing identified risks and achieving risk-based protection of ePHI.”
As with other NIST cybersecurity publications, the guidance isn’t intended to be a checklist. “We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” Marron said. “Our goal is to offer guidance and resources you can use in one readable publication.”
NIST is accepting comments on the revised draft guidance until Sept. 21, 2022.