Reviewing Important Healthcare Cybersecurity Frameworks

Between the HIPAA Security Rule and NIST Cybersecurity Framework, healthcare organizations have several options to guide their cybersecurity efforts.

By Sara Heath

Healthcare cybersecurity is a significant issue as of late, with several hospitals and practices falling victim to ransomware and malware attacks.

Just recently, a ransomware attack affected Hollywood Presbyterian in California, causing the hospital to pay $17,000 to regain access to its databases.

Although ransomware attacks don’t typically breach or expose patient PHI, they are serious nonetheless because they debilitate hospitals and block providers from accessing critical health information.

But how do healthcare organizations protect against these threats? What kinds of cybersecurity frameworks exist to safeguard against cybersecurity issues? Below is a review of some of the most common security frameworks that help enhance healthcare data security:

HIPAA Security Rule

Under the broad HIPAA umbrella lies the HIPAA Security Rule, which spells out the physical and technical safeguards healthcare organizations need to implement in order to adequately protect PHI. It is under this rule that HHS addresses the cybersecurity protocols that protect ePHI.

The HIPAA Security Rule is intentionally written in a broad, non-specific, and technology-neutral way so that it can be applied to different systems and healthcare organizations and can be used in conjunction with other cybersecurity frameworks.

“A HIPAA covered entity or business associate should be able to assess and implement new and evolving technologies and best practices that it determines would be reasonable and appropriate to ensure the confidentiality, integrity and availability of the ePHI it creates, receives, maintains, or transmits,” HHS’s Office for Civil Rights (OCR) says.

Specifically, the HIPAA Security Rule calls for technical safeguards, which encompass four areas:

  • Access control
  • Audit controls
  • Integrity controls
  • Transmission security

The HIPAA Security Rule also acknowledges the importance of health data encryption. Although the rule states that encryption is “addressable” rather than required, several experts say that encryption can be a vital tool in protecting healthcare data at certain organizations.

NIST Cybersecurity Framework

As stated above, the HIPAA Security Rule is “flexible, scalable, and technology-neutral” in order to help healthcare organizations integrate other cybersecurity frameworks into their security workflows. One such framework is the NIST Cybersecurity Framework.

In February 2014, NIST responded to the President’s call for an overarching cybersecurity framework that would inform several industries, including healthcare. The framework organizes cybersecurity best practices into five core functions: identification, protection, detection, response, and recovery.

It is important to distinguish how the NIST Cybersecurity Framework relates to the HIPAA Security Rule. While HIPAA is worded so that healthcare organizations can adopt other cybersecurity frameworks such as NIST’s, they must keep in mind that adopting the NIST framework does not guarantee HIPAA compliance.

Recently, OCR released a crosswalk that would facilitate HIPAA compliance in conjunction with the use of the NIST framework. OCR explained that this crosswalk would help healthcare organizations fully reinforce all of their electronic security safeguards.

“This crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory,” OCR explained in the document. “Due to the granularity of the NIST Cybersecurity Framework’s Subcategories, some HIPAA Security Rule requirements may map to more than one Subcategory.”

Federal calls to action

In addition to these popular cybersecurity frameworks, the federal government has made calls for other cybersecurity regulations.

At the end of last year, the Cybersecurity Information Sharing Act (CISA) was passed, allowing industry experts to exchange information about cybersecurity threats. This is beneficial for all industries because it facilitates collaboration and helps detect threats more effectively. It is also beneficial because it brings the government onto the side of healthcare organizations.

According to Bill Stewart, Booz Allen Hamilton Executive Vice President and leader of the Commercial Cyber Security Business, the government has been handling cybersecurity threats for some time and has ample expertise in mitigating these issues. By hosting a platform on which healthcare and other industry experts may exchange information about cybersecurity, the government can more easily assist these companies.

“They just by definition have more expertise around it,” Stewart said. “And they have access that as private citizens we’re not allowed to have. So, it’s very valuable.”

Legislators are also calling for better cybersecurity protocols. In light of recent ransomware and malware incidents, Senate Health Committee chairman and Tennessee Senator Lamar Alexander called on HHS to create a specific cybersecurity law.

“Congress has passed a law to help keep hospitals and patients safe from these malicious attacks – calling for Health and Human Services to give hospitals and doctors clear information on the best ways to prevent a hack in the first place and putting someone at the agency on the flagpole if a cyber attack occurs,” he urged. “Yesterday’s attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve.”

The incident Alexander referenced was the MedStar Health malware attack, which at the time of this article’s publication is experiencing EHR downtime. MedStar Health states that no patient information has been obtained or mishandled.

In light of that event, Alexander urges HHS to act upon the legislation that calls for HHS to create specific laws, security officials, and response coordination to help healthcare organizations protect against security incidents.

Going forward, it is important that healthcare organizations understand the various cybersecurity frameworks that can guide their security practices. As the healthcare industry continues to face ransomware and malware threats, organizations need to reinforce their technical safeguards to ensure that none of their patient information is affected and that they do not experience system downtime, which can affect patient care.
