In 2008, the National Institute of Standards and Technology (NIST) published guidance on how covered entities and business associates were expected to implement the HIPAA Security Rule requirements. At the end of April 2021, NIST announced that it is planning to update this cybersecurity guide and is seeking public comment on what the new guide should include. The details of NIST’s effort to expand upon the current guidance are discussed below.
NIST Cybersecurity Resource Guide
NIST is seeking public comment on the purposes of its Cybersecurity Resource Guide, which are to:
- Educate readers about information security terms used in the HIPAA Security Rule;
- Amplify awareness of NIST cybersecurity resources relevant to the HIPAA Security Rule requirements;
- Amplify awareness of non-NIST resources relevant to the HIPAA Security Rule; and
- Provide detailed implementation guidance for covered entities and business associates.
The current NIST Cybersecurity Resource Guide is designed to educate readers and raise their awareness of resources relevant to the Security Rule. The fourth purpose on which NIST is seeking public comment, to “provide detailed implementation guidance for covered entities and business associates,” is of particular importance.
Many organizations find themselves in a bind when it comes to understanding what the HIPAA Security Rule requires of them. The Security Rule was deliberately written as a high-level set of requirements and safeguards. The current NIST guidance was written in the opposite manner, providing extensive, even minute, cybersecurity guidance.