Cybersecurity News

NIST Updates Healthcare Cybersecurity, HIPAA Security Rule Guidance

NIST issued a new draft publication on healthcare cybersecurity and implementing HIPAA Security Rule requirements.

NIST Updates Healthcare Cybersecurity, HIPAA Security Rule Guidance

Source: Getty Images

By Jill McKeon

- The National Institute of Standards and Technology (NIST) issued updated healthcare cybersecurity and HIPAA Security Rule guidance to aid organizations in safeguarding protected health information (PHI). NIST is seeking comments on the draft publication until October 5.

“One of our main goals is to help make the updated publication more of a resource guide,” Jeff Marron, a NIST cybersecurity specialist, said in an accompanying press release.

“The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.” 

The original guidance was published in 2008, and the updated guidance is meant to fit seamlessly into the NIST Cybersecurity Framework and other resources that were developed after the original guidance. It is important to note that the HHS Office for Civil Rights (OCR) is the office that enforces HIPAA compliance. NIST’s publication is simply additional guidance on implementing HIPAA’s provisions.

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” Marron continued.

“Our goal is to offer guidance and resources you can use in one readable publication.”

The new guidance mapped the elements of the HIPAA Security Rule to subcategories of the NIST Cybersecurity Framework. The guidance is largely the same, with a few slight tweaks to the structure and a renewed focus on risk assessments and risk management.

“The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time,” the guidance advised.

“Many organizations will consider a given loss scenario and evaluate both. What threat sources might initiate which threat events? What vulnerabilities or predisposing conditions might those threat sources exploit to cause an adverse impact?”

NIST recommended that covered entities develop a list of vulnerabilities that could be exploited and brainstorm the ways in which PHI could be disclosed improperly.

Next, NIST recommended that organizations assess the potential impacts of a threat actor exploiting a vulnerability, determine the risk level, and document risk assessment results.

Marron explained that the revised publication is not meant to serve as a checklist for healthcare organizations, but rather a guide for improving risk management and safeguarding PHI based on each organization’s resources and needs.