On July 21, 2022, the National Institute of Standards and Technology (NIST) released a draft updated version of Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (SP 800-66 Rev. 2). NIST issued a pre-draft call for comments on this publication in April 2021, and the new draft is the first revision to this Special Publication, aimed at organizations in healthcare, since SP 800-66 Rev. 1 was published in 2008.
NIST Special Publication (SP) 800-66
NIST Special Publication (SP) 800-66 is intended to help educate readers about the security standards included in the HIPAA Security Rule and assist regulated entities in their implementation of the Security Rule. The Special Publication includes a brief overview of the HIPAA Security Rule, provides guidance for regulated entities in assessing and managing risk to Electronic Protected Health Information (ePHI), identifies typical activities that a regulated entity should consider when implementing an information security program, and lists additional resources that regulated entities might find useful in implementing the Security Rule.
Additionally, SP 800-66 lists a wide variety of resources (e.g., guidance, templates, tools) that regulated entities may find useful in complying with the Security Rule and improving the security posture of their organizations. Regulated entities could consult these resources when they need additional information or guidance about a particular topic.
Revision 2 Updates
The updated Special Publication retains many of the same elements as Rev. 1 but provides more detail on the risk assessment and risk management process, on compliance with the HIPAA Security Rule, and on more recent topics related to the security of ePHI. NIST's updated guidance is timely, as the Department of Health and Human Services has noted a rise in cyberattacks affecting the healthcare industry. NIST's stated goal was to make the updated guidance more of a resource guide for healthcare organizations.
One of the key reasons NIST developed the latest revision was to integrate it with other NIST cybersecurity guidance that did not exist when Rev. 1 was published in 2008. Since then, NIST has developed the Cybersecurity Framework (https://www.nist.gov/cyberframework) and has updated its catalog of Security and Privacy Controls (SP 800-53), which organizations can use to tailor their own risk management approaches. The latest guidance makes explicit connections to these and other NIST cybersecurity resources. In this revision, NIST has also increased its emphasis on the risk management components of the guidance, including the assessment and management of risk to ePHI and the integration of enterprise risk management concepts.
- Risk Analysis and Management
Although Rev. 1 did include guidance on risk management, the latest draft provides a more extensive outline of the steps in a risk assessment and risk mitigation process. The draft outlines guidance on:
- identifying threats, including natural, human, and environmental threats;
- identifying potential vulnerabilities and predisposing conditions;
- determining the likelihood that a threat will exploit a vulnerability, and the impact if it does;
- identifying possible harms to operations, assets, individuals, other organizations, and the Nation; and
- determining the resulting level of risk.
The Special Publication also provides detailed guidance on managing those risks, such as considering an organization's risk appetite and risk tolerance, implementing additional security controls where existing controls leave risk above the acceptable level, and documenting all risk management activities.
- Updated Questions and Guidance on HIPAA Security Rule Compliance
In addition to the guidance on the risk management process under HIPAA, Rev. 2 also provides updated guidance on all of the HIPAA Security Rule safeguards. As in Rev. 1, this Special Publication has a table listing the safeguards, a description of each safeguard, and sample questions that covered entities and business associates can use to evaluate their compliance with the safeguard. However, these questions and descriptions have been updated to account for developments in technology, the cybersecurity landscape, and changes in the healthcare space. Additionally, these questions assume an organization has already been complying with HIPAA for some time, whereas the Rev. 1 questions were geared toward organizations that were just starting to comply, since Rev. 1 was released only a few years after the Security Rule took effect.
- Updated Resources on New and Evolving Topics
Finally, another helpful update to this Special Publication is the list of resources. Rev. 2 lists a large number of resources, many of which were released after Rev. 1 and which deal with new issues, or issues that have become more prominent, since 2008. For example, the Special Publication provides resources on cloud usage, telework, ransomware, and telemedicine. Many of these topics were not prominent, or did not exist, in 2008 but have since become a large part of the way PHI is stored, used, and exchanged.
How to Use this Document
This Special Publication is a valuable resource for organizations seeking to understand current issues and threats in the healthcare cybersecurity environment. In addition to guidance on newer topics, the Special Publication also provides updated guidance on established safeguards, procedures, and practices. This document can be used to review your organization's HIPAA security program and update its key processes. Although Rev. 1 provides good guidance, a lot has changed in cybersecurity and healthcare over the past decade, and Rev. 2 provides an updated view of the HIPAA Security Rule and current cybersecurity issues. It also connects to other NIST publications, which can help organizations, especially the many business associates that work both in the healthcare space and in other industries, build enterprise-wide information security programs rather than HIPAA-only ones.
NIST is accepting public comment on the draft revision from July 21, 2022, until September 21, 2022. Comments on the draft can be submitted to: [email protected]
Our experienced team of attorneys works with numerous businesses on cybersecurity issues and regulatory compliance efforts, including policy development and training. The Octillo team can help you navigate through this new guidance. Our team can help your company mitigate risks while assessing the effectiveness of your cybersecurity program and creating a roadmap to tackle each new component, including planning for resource allocation in the form of time, money, technology, and personnel.
*Attorney advertising: prior results do not guarantee future outcomes.