NIST Cybersecurity Guidelines Update for HIPAA Set to Review

NIST is the federal agency responsible for establishing standards and measurement criteria for various industries, including manufacturing, health and bioscience, and cybersecurity. This draft update is intended to integrate with and expand upon a previous NIST Cybersecurity Guidelines revision released in 2008. 

NIST Cybersecurity Framework for Healthcare – What it is

NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide supports the ongoing efforts of the healthcare industry to maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI).

The proposed update aims to create a comprehensive resource guide for healthcare organizations that incorporates the NIST Cybersecurity Framework and Security and Privacy Controls. Jeff Marron, a NIST cybersecurity specialist and the author of the update, said the efforts focus on creating a more actionable document by making explicit connections to these and other NIST cybersecurity resources.

“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories to controls in NIST SP 800-53’s latest version,” Marron said. “We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts.”

NIST Healthcare Guidance – A Quick Overview

In addition to mapping the elements of the Security Rule, the NIST healthcare publication provides additional guidance for those who need information in addition to what is currently provided by the Office for Civil Rights (OCR) and the language within the Rule itself.

NIST has outlined vital activities to consider implementing, with detailed descriptions and suggested questions that might be asked by those responsible for meeting the standards of the HIPAA Security Rule. 

A section on Risk Assessment Guidelines provides a methodology for conducting risk assessments with guidance that closely follows previous guidance from OCR, which includes:

1. Prepare for the Assessment.
2. Identify Realistic Threats. 
3. Identify Potential Vulnerabilities and Predisposing Conditions.
4. Determine the Likelihood of a Threat Exploiting a Vulnerability.
5. Determine the Impact of a Threat Exploiting a Vulnerability.
6. Determine the Level of Risk. 
7. Document the Results.

NIST also echos OCR’s guidance that risk assessment should be an ongoing activity. Industry best practices have long stated that risk assessments should be performed annually or more often based on changes in risk factors or acceptable levels of risk.

Failure to perform adequate risk assessments has been one of the most documented HIPAA violations uncovered by OCR during investigations. The resulting fines and settlements make it clear that risk assessments must be taken seriously.

NIST Cybersecurity Guidelines Update – What it isn’t

The update should not be used as a checklist for healthcare organizations. Instead, companies should utilize it as a guide to improving their risk management of ePHI.

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” said Marron. “Our goal is to offer guidance and resources you can use in one readable publication.”

The document also should not be used as a “one-size-fits-all” reference. Because of HIPAA’s broadly written regulations, the law requires each business to make evaluations based upon their specific circumstances. What works for one organization may not be effective for an apparently identical organization.

NIST Cybersecurity Guidelines Update – Feedback

NIST continues to seek feedback from organizations to determine what additions, deletions, or other edits are needed to finalize the second revision. Comments can be emailed to [email protected] through September 21, 2022.