NIST Releases Guidance for HIPAA Cybersecurity Standards

On July 21, 2022, the National Institute of Standards and Technology (“NIST”) announced that it had updated its cybersecurity guidance for the healthcare industry in order to “help health care organizations protect patients’ personal health information[.]”

These updates came in the form of a new draft publication, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide” (NIST Special Publication 800-66, Revision 2[1]). According to NIST, the draft guidance is designed to help the industry maintain “the confidentiality, integrity and availability of electronic protected health information” (“ePHI”), which includes “a wide range of patient data,” such as prescription information, lab and test results, and health records like hospitalizations and vaccination status.

This draft guidance is not a legal mandate or directive. As Jeff Marron, a NIST cybersecurity specialist, stated, “one of our main goals is to help make the updated publication more of a resource guide,” that is “more actionable so that health care organizations can improve their cybersecurity posture and comply with the [HIPAA] Security Rule.” NIST also makes clear that the guidance does not create regulations to enforce the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the federal law designed to protect patients’ sensitive health information from unauthorized disclosure; enforcement of the Security Rule remains with the Department of Health and Human Services, not NIST.

NIST’s latest resource guide is designed to integrate with its other cybersecurity and privacy guidance, including the Cybersecurity Framework (first published in 2014) and Security and Privacy Controls for Information Systems and Organizations (NIST SP 800-53, Revision 5), which did not yet exist in their current form in October 2008, when NIST issued its last HIPAA guide, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (SP 800-66, Revision 1).

In addition to integrating the latest NIST guidance, NIST states that the draft publication also reflects the “more than 400 unique responses” it received after issuing a pre-draft call for comments on April 29, 2021.

Because the guidance is still in draft form, NIST is seeking public comment and asking the following questions:

  • Do you find the overall organization of the document appropriate? Do you have suggestions for improving the document’s organization?

  • Is it helpful to have the Risk Assessment Guidance and Risk Management Guidance sections sequential? Do you have suggestions for improving these sections and/or making them more useful to regulated entities?

  • Are there Key Activities, Descriptions, and/or Sample Questions that should be added to or removed from the tables in Section 5? Are there specific techniques, threats, or topics that need to be added to Section 5 as Key Activities, Descriptions, and/or Sample Questions?

  • Does the appendix about the National Online Informative References (OLIR) Program help the reader? Is its purpose clear?

  • Is Appendix F helpful in its current format? Are there resources that should be added to or removed from the Appendix? Should Appendix F be reorganized in any way? Does the annotation of the resources help? Are there additional suggestions for improving Appendix F?

  • Are there sections of the publication that would be better extracted from the document and presented elsewhere (e.g., online or as Supplementary Materials hosted on the website)?

  • Are there additional topics that should be included in the main body or appendices?

NIST is accepting comments on the draft guidance by email to sp800-66-comments@nist.gov until September 21, 2022.
