NIST Adds Cybersecurity Guidance to HIPAA Security Rule

New draft of federal cybersecurity guidance could help healthcare organizations avoid regulatory fines in the wake of breaches.

Federal regulators are looking for the adoption of “recognized security practices” when investigating the aftermath of a breach involving protected health information. In 2021, Congress told the Department of Health and Human Services to consider, when deciding HIPAA enforcement actions, whether a medical center or business associate can show that it had “recognized security practices” in place for at least the previous 12 months.

A key source of recognized security practices is, of course, the Cybersecurity Framework — developed by the National Institute of Standards and Technology with the goal of establishing a de facto national benchmark for effective security.

“Healthcare organizations are now incentivized by potentially reduced regulatory scrutiny, fines, and penalties to implement recognized security practices and, in particular, the NIST Cybersecurity Framework,” says Jon Moore, chief risk officer at privacy and security consultancy firm Clearwater.

In the years since the framework’s 2013 introduction, it has been adapted into industry-specific cybersecurity manuals, leading NIST last week to publish a draft document mapping compliance with the HIPAA Security Rule onto the framework’s list of security controls.

The draft guidance, NIST Special Publication 800-66, Revision 2, for which NIST is accepting public comment until Sept. 21, is a refresh of the 14-year-old Revision 1.

The revised draft is not intended to be a checklist for healthcare organizations to follow. It is meant to guide them in improving how they manage risk to electronic protected health information. However, given the emphasis on “recognized security practices,” the NIST framework should be implemented if for no other reason than to reduce the potential impact of regulatory enforcement.

Other Upcoming Guidance
The HHS OCR is also planning to release new video guidance to assist regulated healthcare entities with the “recognized security practices” that regulators will consider when determining HIPAA enforcement actions against organizations. Among the topics planned for the upcoming video guidance is how the agency will request evidence of recognized security practices from entities.

If you have questions about how the evolving regulatory landscape should affect your IT security practices, call ITPAC today.