NIST SP 800-66r2 updates healthcare cybersecurity guidance to comply with HIPAA Security Rule

The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for healthcare organizations on safeguarding patients’ personal health information. With the SP 800-66r2 draft document, NIST aims to assist healthcare organizations seeking further information on the security safeguards of the HIPAA Security Rule, regardless of the particular structures, methodologies, and approaches used to address its requirements.

The new draft publication, titled ‘Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide’, is designed to help the industry maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI).

NIST is seeking comments on the draft publication until Sept. 21.

One of the main reasons NIST has developed the NIST SP 800-66r2 revision is to integrate it with other NIST cybersecurity guidance that did not exist when Revision 1 was published in 2008. Since then, NIST has developed its Cybersecurity Framework and repeatedly updated its collection of Security and Privacy Controls (NIST SP 800-53), which organizations can use to tailor their risk management approaches. The new HIPAA Security Rule guidance draft explicitly connects these and other NIST cybersecurity resources.

“One of our main goals is to help make the updated publication more of a resource guide,” Jeff Marron, a NIST cybersecurity specialist, said. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule. We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s latest version. We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts,” he added. 

The draft considers more than 400 responses NIST received to its pre-draft call for comments last year. Marron describes the draft as more of a refresh than an overhaul, as the document’s structure has changed only slightly. The content has been updated with an increased emphasis on assessing and managing risk to ePHI. Several significant changes are flagged in the publication’s ‘Note to Reviewers,’ which asks readers for thoughts on specific sections.

Marron said that, as with many related NIST cybersecurity publications, the revised draft was not intended to be a checklist for health care organizations to follow but rather to guide them in improving their management of risk to ePHI. “We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs. Our goal is to offer guidance and resources you can use in one readable publication,” he added.

Data released by the U.S. Department of Health and Human Services (HHS) earlier this year said that the agency received reports of data breaches from 578 healthcare organizations in 2021, impacting over 41.45 million individuals. Additionally, the agency revealed that 38 organizations, with close to two million individuals affected, were already targeted by data breaches last month, indicating that cybercriminals intend to continue carrying out cyberattacks against the healthcare sector in 2022.

NIST SP 800-66r2 can support the compliance efforts of regulated entities in many ways, including ensuring that each organization selects security practices and controls that adequately protect the ePHI of which it is the steward. It also informs the development of compliance strategies that fit the size and structure of the entity, provides guidance on best practices for developing and implementing a risk management program, and helps create appropriate documentation that demonstrates effective compliance with the HIPAA Security Rule.

The HIPAA Security Rule is separated into six main sections, each including several standards and implementation specifications that a regulated entity must address. These six sections include security standards and general rules; administrative, physical, and technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. A regulated entity is required to comply with all of the standards of the Security Rule concerning all ePHI. 

Many standards contain implementation specifications, which are either required or addressable. For addressable specifications, the regulated entity must assess whether the specification is a reasonable and appropriate safeguard in its environment. However, regardless of whether a standard includes implementation specifications, regulated entities must comply with each standard.

Regulated entities are also required to document these assessments and all resulting decisions. For federal agencies, all of the HIPAA Security Rule’s addressable implementation specifications will most likely be reasonable and appropriate safeguards to implement, given their sizes, missions, and resources.

The administrative safeguards cover the security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, and business associate contracts and other arrangements. 

Turning to the physical safeguards, NIST 800-66r2 covers facility access controls, workstation use and security, and device and media controls. The technical safeguards involve access and audit controls, integrity, person or entity authentication, and transmission security. The organizational requirements are made up of business associate contracts and requirements for group health plans. The rule also includes policies and procedures.

Last month, the NIST released an initial summary analysis of responses to its Request for Information (RFI) on evaluating and improving the NIST Cybersecurity Framework (CSF), use of the framework in conjunction with other resources, and improving supply chain cybersecurity risk management. Based on stakeholder feedback, the agency plans a significant update to the Framework, often referred to as CSF 2.0, to reflect the evolving cybersecurity landscape and help organizations more efficiently and effectively manage cybersecurity risk.
