NIST Seeks Public Comment on Cybersecurity Resource Guide

In 2008, the National Institute of Standards and Technology (NIST) organization published guidance as to how covered entities and business associates were expected to implement HIPAA Security Rule requirements. At the end of April of 2021, the NIST organization announced that it is planning to update this cybersecurity guide. The NIST organization is seeking public comment as to what should be included in the new cybersecurity guide. The details of NIST’s effort to expand upon the current guidance is discussed below.

NIST Cybersecurity Resource Guide

The NIST organization is seeking public comment on the purpose of its Cybersecurity Resource Guide to:

The current NIST Cybersecurity Resource Guide is designed to educate readers and amplify their awareness of resources relevant to the Security Rule. The fourth reason for why NIST is seeking public comment, to “provide detailed implementation guidance for covered entities and business associates,” is of particular importance.

Many organizations find themselves in a bind when it comes to understanding what is required of them under the HIPAA Security Rule. The HIPAA Security Rule was deliberately written as a high-level set of requirements and safeguards. Current NIST guidance was written in the opposite manner, providing extensive, even minute, cybersecurity guidance.

NIST seeks to create a new cybersecurity resource guide with a level of detail that is in the middle of these two extremes. NIST’s attempt to find a middle ground comes off a very recent change to the HITECH Act. In January of 2021, a new provision was added to the HITECH Act. This provision, which originated as H.R. 7898, requires the Department of Health and Human Services (HHS) to incentivize a covered entity’s or business associate’s cybersecurity best practices. Under this legislation, HHS, when deciding whether to issue a fine, or undertake an audit, must take into account whether an organization has been using recognized HIPAA cybersecurity best practices to comply with the HIPAA Security Rule.

What are recognized cybersecurity best practices? Per the new law, “recognized security practices” broadly, mean:

• The cybersecurity practices developed under section 405(d) of the Cybersecurity Act of 2015;
• Programs and practices that are developed in, recognized by, or set forth in federal laws other than HIPAA; and
• Standards, guidelines, best practices, methodologies, procedures, and processes developed under the National Institute of Standards and Technology Act (NIST Act).

The revised NIST Cybersecurity Resources Guide intends to describe what “standards, best practices, methodologies, procedure, and processes” are in greater detail, so organizations will understand what is required of them to implement a “recognized security practice.”

Interested individuals can submit comments to NIST by June 15, 2021. To prepare for issuing the new Cybersecurity Resource Guide, NIST is seeking input from covered entities and business associates on specific topics. 

NIST is asking covered entities and business associates to:

• Describe any tools, resources, or techniques that their organization currently uses or would like to use to implement the HIPAA Security Rule.
• Describe how their organization manages compliance and security simultaneously (i.e., how their organization achieves compliance with the HIPAA Security Rule while also improving cybersecurity posture).
• Describe how your organization assesses risk to ePHI (electronic protected health information) and how this assessment leads to the identification of appropriate security controls/practices.
• Describe how their organization determines that security measures implemented in accordance with the Security Rule are effective in protecting ePHI and how often their  organization initiates a process to determine such effectiveness.
• Describe how you document the process of demonstrating adequate implementation of recognized security practices.
• Describe how these recognized security practices overlap with and diverge from compliance with the HIPAA Security Rule at their organization.