NIST Cybersecurity Guidelines

The National Institute of Standards and Technology (NIST) has released a draft update to its cybersecurity guidelines for the healthcare industry and is seeking public feedback through September 21, 2022.

NIST is the federal agency responsible for establishing standards and measurement criteria for various industries, including manufacturing, health and bioscience, and cybersecurity. This draft update is intended to integrate with and expand upon a previous NIST Cybersecurity Guidelines revision released in 2008. 

NIST Cybersecurity Framework for Healthcare – What it is

NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, supports the ongoing efforts of the healthcare industry to maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI).

The proposed update aims to create a comprehensive resource guide for healthcare organizations that incorporates the NIST Cybersecurity Framework and Security and Privacy Controls. Jeff Marron, a NIST cybersecurity specialist and the author of the update, said the efforts focus on creating a more actionable document by making explicit connections to these and other NIST cybersecurity resources.

“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories to controls in NIST SP 800-53’s latest version,” Marron said. “We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts.”


NIST Healthcare Guidance – A Quick Overview

In addition to mapping the elements of the Security Rule, the NIST healthcare publication provides further guidance for those who need more than what is currently offered by the Office for Civil Rights (OCR) and the language of the Rule itself.

NIST has outlined vital activities to consider implementing, with detailed descriptions and suggested questions that might be asked by those responsible for meeting the standards of the HIPAA Security Rule. 

A section on Risk Assessment Guidelines provides a methodology for conducting risk assessments that closely follows previous OCR guidance. The methodology consists of the following steps:

  1. Prepare for the Assessment.
  2. Identify Realistic Threats.
  3. Identify Potential Vulnerabilities and Predisposing Conditions.
  4. Determine the Likelihood of a Threat Exploiting a Vulnerability.
  5. Determine the Impact of a Threat Exploiting a Vulnerability.
  6. Determine the Level of Risk.
  7. Document the Results.