The healthcare industry faces the challenge of safeguarding sensitive electronic protected health information (ePHI). To address this pressing concern, the National Institute of Standards and Technology (NIST) has released a revised version of its seminal publication, NIST SP 800-66, titled Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide. This updated guidance, known as Revision 2, promises to be a game-changer in healthcare cybersecurity compliance.
NIST SP 800-66 Revision 1 was previously a foundational resource for organizations seeking clarity on implementing the Health Insurance Portability and Accountability Act (HIPAA) security rule. However, the transition to Revision 2 signifies a shift in the scope and approach to securing ePHI.
Whereas Revision 1 primarily focuses on security safeguards, Revision 2 takes a more detailed approach. The updated guidance looks deeper into risk management frameworks, advocating for a nuanced strategy to protect ePHI.
One of Revision 2's standout features is its emphasis on providing practical advice and resources that organizations can use to better understand and implement the HIPAA security rule. The document has been restructured to enhance its clarity, utility, and convenience, making it a more valuable tool for healthcare entities dealing with compliance.
A fundamental change in Revision 2 is the explicit identification of electronic protected health information (ePHI) as the data that must be protected. This underscores the necessity of safeguarding this sensitive information, which is at the core of healthcare operations.
To fully grasp the implications of the NIST SP 800-66 Revision 2, let's review the changes and their impact on healthcare organizations.
Revision 2 stresses risk tolerance and risk appetite, requiring organizations to clearly define and weigh these factors. The guidance also outlines the need to tailor risk mitigation and management efforts to align with an organization's specific risk profile.
Another change is the clarification that a regulated entity does not absolve itself of responsibility for ePHI protection by outsourcing or partnering with a business associate. The regulated entity remains accountable for ensuring its workforce, business associates, and other stakeholders adhere to and support compliance efforts.
The updated guidance features several structural changes and enhancements, including:
Revision 2 also introduces new appendices and online resources to aid organizations in their compliance efforts. These include:
Additionally, the guidance has been updated to reflect evolving security considerations, such as contingency planning guidelines and updated telework security recommendations.
The transition to NIST SP 800-66 Revision 2 represents a step forward in advancing cybersecurity measures within healthcare. The updated guidelines offer practical solutions to address current security challenges and serve as a valuable resource for securing systems and infrastructure.
The revisions in Revision 2 align with industry-recognized standards and frameworks, such as NIST CSF, NIST SP 800-53, and the NIST IR 8286 series. This harmonization means healthcare organizations can build on their existing security investments and integrate the new guidance into their cybersecurity strategy.
The updates in Revision 2 reflect the need for stronger cybersecurity measures. By addressing current security concerns and providing practical recommendations, the guidance empowers healthcare entities to proactively mitigate risks and strengthen their overall security posture.
The transition to Revision 2 requires healthcare organizations to reassess their security measures and make the necessary adjustments to ensure compliance with the updated guidelines. This process allows organizations to enhance their security practices, address gaps, and demonstrate their commitment to protecting ePHI.
In other news, NIST has also updated its Cybersecurity Framework (CSF), a guidance document for reducing cybersecurity risk. The new 2.0 edition is designed for all audiences, industry sectors, and organization types, regardless of their level of cybersecurity competence.
For many businesses, the CSF has become a tool for anticipating and addressing cybersecurity threats. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve,” said Laurie E. Locascio, Under Secretary of Commerce for Standards and Technology and NIST Director.
CSF 2.0 introduces a new function, "Govern," stressing governance in cybersecurity risk management. This addition highlights the role of executive leadership and organizational culture in cybersecurity initiatives. The Framework also addresses supply chain risks, reflecting the increasing interconnectedness of organizations and the growing prevalence of supply chain attacks. By including guidance on supply chain risk management, the Framework helps organizations strengthen their resilience against such threats.
NIST 800-66 rev2 provides guidelines for securing healthcare information systems, and while it does not directly address HIPAA requirements, implementing NIST guidelines can help healthcare organizations align with HIPAA security standards.
NIST 800-66 rev2 focuses on the security and privacy of healthcare information systems, and while consent is an important aspect of patient privacy, NIST guidelines primarily stress the technical and operational safeguards necessary to protect health information.
NIST 800-66 rev2 recommends the use of the NIST Cybersecurity Framework, which provides a detailed set of guidelines and best practices for managing cybersecurity risks in healthcare organizations. Additionally, organizations can use industry-standard security controls such as those outlined in NIST Special Publication 800-53 to enhance their compliance with NIST 800-66 rev2.