Credit score: N. Hanacek/NIST
In an effort to assist well being care organizations shield sufferers’ private well being data, the Nationwide Institute of Requirements and Know-how (NIST) has up to date its cybersecurity steering for the well being care trade.
NIST’s new draft publication, formally titled Implementing the Well being Insurance coverage Portability and Accountability Act (HIPAA) Safety Rule: A Cybersecurity Useful resource Information (NIST Particular Publication 800-66, Revision 2), is designed to assist the trade preserve the confidentiality, integrity and availability of digital protected well being data, or ePHI. The time period covers a variety of affected person knowledge, together with prescriptions, lab outcomes, and data of hospital visits and vaccinations.
“One among our most important objectives is to assist make the up to date publication extra of a useful resource information,” stated Jeff Marron, a NIST cybersecurity specialist. “The revision is extra actionable in order that well being care organizations can enhance their cybersecurity posture and adjust to the Safety Rule.”
The Well being Insurance coverage Portability and Accountability Act of 1996 (HIPAA) is a federal regulation that requires the creation of nationwide requirements to guard delicate affected person well being data from being disclosed with out the affected person’s consent or information. A part of HIPAA is the Safety Rule, which particularly focuses on defending ePHI {that a} well being care group creates, receives, maintains or transmits. NIST doesn’t create laws to implement HIPAA, however the revised draft is consistent with NIST’s mission to supply cybersecurity steering. NIST’s up to date steering is especially well timed because the U.S. Division of Well being and Human Companies has famous an increase in cyberattacks affecting well being care.
NIST is searching for feedback on the draft publication till Sept. 21, 2022.
One of many most important causes NIST has developed the revision is to combine it with different NIST cybersecurity steering that didn’t exist when Revision 1 was revealed in 2008. Since then, NIST has developed its well-known Cybersecurity Framework, and it additionally has repeatedly up to date its assortment of Safety and Privateness Controls (NIST SP 800-53) that organizations can use to tailor their very own threat administration approaches. The brand new HIPAA Safety Rule steering draft makes specific connections to those and different NIST cybersecurity assets.
“We’ve mapped all the weather of the HIPAA Safety Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s newest model,” Marron stated. “We’ve elevated our emphasis on the steering’s threat administration element, together with integrating enterprise threat administration ideas.”
The draft takes under consideration greater than 400 distinctive responses NIST obtained to its pre-draft name for feedback final 12 months. Marron describes the draft as extra of a refresh than an overhaul, because the doc’s construction has modified solely barely, however the content material has been up to date with an elevated emphasis on evaluation and administration of threat to ePHI. Lots of the important adjustments are implied within the publication’s “Observe to Reviewers,” which asks readers for ideas on particular sections.
Marron stated that as with many associated NIST cybersecurity publications, the revised draft was not supposed to be a guidelines for well being care organizations to comply with, however fairly to information them in enhancing their administration of threat to ePHI.
“We offer a useful resource that may help you with implementing the Safety Rule in your personal group, which can have specific wants,” he stated. “Our aim is to supply steering and assets you should utilize in a single readable publication.”
NIST is accepting feedback on the draft till Sept. 21, 2022, by electronic mail to sp800-66-comments [at] nist.gov.
