The National Institute of Standards and Technology (NIST) is seeking feedback on its draft update to the NIST Cybersecurity Framework. The draft aims to give healthcare organizations a comprehensive cybersecurity framework for meeting HIPAA Security Rule requirements. Healthcare organizations and providers are invited to provide feedback through September 21, 2022.
NIST Cybersecurity Framework & the HIPAA Security Rule
NIST has regularly updated its cybersecurity framework throughout the years to improve guidance for complying with HIPAA. The current NIST cybersecurity framework explains cybersecurity best practices but still lacks information on the practical application of these standards. As discussed earlier in several of Telehealth.org’s articles, such as Healthcare Cybersecurity: Effective Ways to Avoid Healthcare Phishing Attacks, the existing NIST Cybersecurity Framework is helpful. Jeff Marron, a NIST cybersecurity specialist, quoted on the NIST website, outlines the goal of the proposed framework:
One of our main goals is to help make the updated publication more of a resource guide….The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.
In the new draft guidance, NIST has mapped out each element of the HIPAA Security Rule and matched it to controls in NIST SP 800-53. While NIST does not create regulations to enforce HIPAA, it provides guidance on how to meet Security Rule requirements.
Risk assessment and risk management are emphasized in the new publication. It describes how to:
- Prepare for a risk assessment
- Identify potential threats and their likelihood of exploiting a vulnerability
- Determine the impact of a threat and risk levels
- Document the results
NIST Healthcare Guide Overview
As most healthcare providers can attest, the HIPAA Security Rule is confusing to understand. The NIST healthcare guide, however, divides the HIPAA Security Rule into manageable activities to consider for implementation. The framework also provides a detailed description of each key point with questions to consider. As with previous NIST Cybersecurity Frameworks, the proposed update is not intended to be a checklist. Instead, it aims to provide guidance and resources that providers can use in a friendly, readable publication.
HIPAA Security Risk Assessments
One of the most critical areas in which the NIST healthcare guidance assists is conducting an accurate and thorough HIPAA security risk assessment (SRA). In the past, failure to properly conduct an SRA has been one of the top reasons healthcare organizations have been fined by the Office for Civil Rights (OCR).
The following are steps to take when conducting an SRA:
- Prepare for the Assessment
- Identify Realistic Threats
- Identify Potential Vulnerabilities and Predisposing Conditions
- Determine the Likelihood of a Threat Exploiting a Vulnerability
- Determine the Impact of a Threat Exploiting a Vulnerability
- Determine the Level of Risk
- Document the Results
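The seven SRA steps above, carried through as a small risk register. This is an added example, not code from the NIST draft, Telehealth.org, or Compliancy Group. The three-level qualitative scale (LOW/MODERATE/HIGH), the likelihood-by-impact lookup table, and the sample clinic, assets and threat scenarios are all assumptions constructed for illustration; a real assessment should use the scales and procedure in the draft guidance itself.

```python
"""Security risk assessment (SRA) steps as a small risk register.

Added example; not the NIST draft's or the article author's code.
The three-level qualitative scale and the likelihood x impact lookup
are assumptions made for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")  # assumed qualitative scale

# Assumed mapping of (likelihood, impact) to a risk level.
RISK_MATRIX: Dict[Tuple[str, str], str] = {
    ("LOW", "LOW"): "LOW",
    ("LOW", "MODERATE"): "LOW",
    ("LOW", "HIGH"): "MODERATE",
    ("MODERATE", "LOW"): "LOW",
    ("MODERATE", "MODERATE"): "MODERATE",
    ("MODERATE", "HIGH"): "HIGH",
    ("HIGH", "LOW"): "MODERATE",
    ("HIGH", "MODERATE"): "HIGH",
    ("HIGH", "HIGH"): "HIGH",
}


@dataclass
class Scenario:
    """One threat/vulnerability pair against an ePHI asset (steps 2 and 3)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # step 4 rating
    impact: str      # step 5 rating


def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine the likelihood and impact ratings into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[(likelihood, impact)]


def prepare(organization: str, ephi_assets: List[str]) -> Dict:
    """Step 1: record the assessment scope before rating anything."""
    if not ephi_assets:
        raise ValueError("an SRA needs at least one in-scope ePHI asset")
    return {"organization": organization, "assets": sorted(set(ephi_assets))}


def assess(scope: Dict, scenarios: List[Scenario]) -> Dict:
    """Steps 2 to 7: rate every scenario and document the results."""
    findings = []
    for s in scenarios:
        if s.asset not in scope["assets"]:
            raise ValueError(f"{s.asset!r} is not in the assessment scope")
        entry = asdict(s)
        entry["risk"] = risk_level(s.likelihood, s.impact)
        findings.append(entry)
    # Highest risk first, so the documented output doubles as a remediation worklist.
    findings.sort(key=lambda f: LEVELS.index(f["risk"]), reverse=True)
    summary = {lvl: sum(1 for f in findings if f["risk"] == lvl) for lvl in LEVELS}
    return {"scope": scope, "findings": findings, "summary": summary}


# Constructed sample input for a hypothetical small practice (not real data).
SCOPE = prepare("Example Clinic", ["EHR server", "clinician laptops", "billing SaaS"])
SCENARIOS = [
    Scenario("EHR server", "credential phishing", "no multi-factor authentication", "HIGH", "HIGH"),
    Scenario("clinician laptops", "device theft", "disk not encrypted", "MODERATE", "HIGH"),
    Scenario("billing SaaS", "vendor outage", "no documented contingency plan", "LOW", "MODERATE"),
    Scenario("EHR server", "ransomware", "backups tested only annually", "MODERATE", "HIGH"),
]


def sample_report() -> Dict:
    """Run the full SRA over the constructed sample and return the documented results."""
    return assess(SCOPE, SCENARIOS)


if __name__ == "__main__":
    import json
    print(json.dumps(sample_report(), indent=2))
```

The scope check in `assess` is deliberate: a scenario against an asset that was never inventoried in step 1 is a sign the preparation step was incomplete, which is exactly the kind of gap an OCR reviewer looks for in an SRA.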
Readers are encouraged to consider commenting on the proposed NIST Cybersecurity Framework by email: firstname.lastname@example.org. The comment period is open through September 21, 2022.
Contributed by Compliancy Group
Need assistance with HIPAA compliance? Compliancy Group can help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance®. Get HIPAA compliant today!