The National Institute of Standards and Technology (NIST) is seeking feedback on its draft update to the NIST Cybersecurity Framework. The framework aims to create a comprehensive cybersecurity framework for healthcare to meet HIPAA Security Rule requirements. Healthcare organizations and providers are invited to provide feedback through September 21, 2022.
NIST Cybersecurity Framework & the HIPAA Security Rule
NIST has regularly updated its cybersecurity framework throughout the years to improve guidance for complying with HIPAA. The current NIST cybersecurity framework explains cybersecurity best practices but still lacks information on the practical application of these standards. As discussed earlier in several of Telehealth.org’s articles, such as Healthcare Cybersecurity: Effective Ways to Avoid Healthcare Phishing Attacks, the existing NIST Cybersecurity Framework is helpful. Jeff Marron, a NIST cybersecurity specialist, quoted on the NIST website, outlines the goal of the proposed framework:
One of our main goals is to help make the updated publication more of a resource guide… The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.
In the new draft guidance, NIST has mapped out each element of the HIPAA Security Rule and matched it to controls in NIST SP 800-53. While NIST does not create regulations to enforce HIPAA, they provide guidance on how to meet Security Rule requirements.
Risk assessment and risk management are emphasized in the new publication. It describes how to:
- Prepare for a risk assessment
- Identify potential threats and their likelihood of exploiting a vulnerability
- Determine the impact of a threat and risk levels
- Document the results
NIST Healthcare Guide Overview
As most healthcare providers can attest, the HIPAA Security Rule is difficult to interpret. The NIST healthcare guide, however, divides the Security Rule into manageable activities to consider for implementation, and it accompanies each key point with a detailed description and questions to consider. As with previous NIST Cybersecurity Frameworks, the proposed update is not intended to be a checklist. Instead, it aims to provide guidance and resources that providers can use in a readable, approachable publication.
HIPAA Security Risk Assessments
One of the most critical areas in which the NIST healthcare guidance assists is conducting an accurate and thorough HIPAA security risk assessment (SRA). In the past, failure to properly conduct an SRA has been one of the top reasons healthcare organizations have been fined by the Office for Civil Rights (OCR).
The following are steps to take when conducting an SRA:
- Prepare for the Assessment
- Identify Realistic Threats
- Identify Potential Vulnerabilities and Predisposing Conditions
- Determine the Likelihood of a Threat Exploiting a Vulnerability
- Determine the Impact of a Threat Exploiting a Vulnerability
- Determine the Level of Risk
- Document the Results
Readers are encouraged to consider commenting on the proposed NIST Cybersecurity Framework by email: sp800-66-comments@nist.gov. The comment period is open through September 21, 2022.
Contributed by Compliancy Group
Dr. Maheu wrote a wonderful article.
I might add…. Very briefly and in my opinion… Behavioral health EHRs are still in the wild west as far as HIPAA goes. HITRUST, NIST, and (ISO or SOC2 with 16 added controls) are the most widely accepted standards. Most EHRs say they are HIPAA compliant but they are not. The only way you can be sure they are HIPAA compliant would be if they tell you who certified their EHR. They would know who that was and would have a document to that effect posted on their website. Third party HIPAA certification is not required in behavioral health for small EHRs. HIPAA compliance is different than ONC certification. The cost of ONC certification is about $20,000. The cost of HIPAA certification for an EHR is about $16,000. NIST has been outdated for over a decade and never considered cloud platform security solutions. Traditional server farms had hundreds of boxes with hard drives in a building. And their OS requires patching continuously for security threats. Cloud based platform hardware and virtual hosting security are different things. They do not have operating systems. EHR software HIPAA security is another issue. The policies and procedures for NIST documentation for a small behavioral health EHR provider are over 200 pages and take about 60 to 90 hours to write. The policies and standards must be reviewed, followed, and updated several times a year at the least. HIPAA compliance is not a “thing”. It is a process of steps the organization takes and documents to demonstrate that PHI and PII are reasonably secure. It is worth considering that HIPAA and BAAs usually make the covered entity responsible for all costs and liability if there is a breach. A serious breach can cost $5,000 to $30,000. You will have to sue the EHR for compensation. Good luck with that. I encourage you to ask your EHR provider to inform you in writing that they will cover the cost of breach notification for all your clients. Determine if their EHR is certified by the EHR provider or a third party.
Finally, business and cyber security insurance for healthcare is about $2000 a year. Last time I checked, professional liability insurance does not cover that.
Thank you, Dr. Maheu!
Great suggestions, Michael. Thank you for taking the time to explain your position for our readers.