A constant in the world of cybersecurity governance, risk and compliance management is the steady stream of new frameworks, regulations, laws and guidance that must be reviewed, understood and adhered to. It’s easy to feel overwhelmed and frustrated with this process, but we’re here to help make the job a bit easier for you.
We all know that these updates are meant to make our organizations and the people they serve more secure, but we are often challenged with implementing them. How can we roll up our sleeves, so to speak, and get to work?
New Guidance For Cybersecurity In the Healthcare Space
Recently the National Institute of Standards and Technology (NIST) released updated guidance for cybersecurity in the healthcare space. It’s safe to say that our profession learned many lessons during the (still ongoing) global pandemic, and few industry verticals were affected more than healthcare. Naturally, many of those lessons are reflected in this updated guidance.
The in-depth guidance was released as a new draft Special Publication, NIST SP 800-66 Revision 2 – Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide. This guide is specifically designed to help healthcare organizations maintain the confidentiality, integrity and availability of electronic protected health information (ePHI).
What Is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act (HIPAA) was passed by the US Congress in 1996 as Public Law 104-191. HIPAA set new requirements affecting the entire healthcare industry, meant to improve the industry’s efficiency and effectiveness while providing more choice and protection for the consumers, or patients, of that system. Its Administrative Simplification provisions required standards for safeguarding individually identifiable health information; the implementing regulations that followed introduced the term Protected Health Information (PHI) and imposed requirements for the control and protection of that information.
The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) was given responsibility for enforcing HIPAA, including evaluating adherence to the PHI rules and levying penalties for non-compliance. Over the years, the definition of PHI and the required privacy and security controls have been revised and extended through a series of rules, including:
- The Privacy Rule (December 2000)
- The Security Rule (2003)
- The Breach Notification Rule (2009)
- The Final Omnibus Rule (2013), which implemented the HITECH Act
What Is Electronic Protected Health Information (ePHI)?
Electronic Protected Health Information is the subset of PHI that is created, received, maintained or transmitted in electronic form, and it is the information the HIPAA Security Rule specifically protects. ePHI covers a vast set of data, including:
- Patient data
- Prescription medication data
- Laboratory result data
- Hospital and doctor visit data
- Vaccination data
Changes With Recent NIST Special Publication
It’s important to note first that the NIST Special Publication is not meant to be an all-encompassing reference, and implementing the guidance in this document does not guarantee compliance with HIPAA. The role of NIST is not to create or enforce regulations; rather, it provides guidance on methods of complying with existing rules and regulations, along with best practices and frameworks. This publication is meant to be used as part of an organization’s broader GRC program, in conjunction with a thorough understanding of the underlying laws and regulations.
One of the biggest complaints I’ve heard, especially from practitioners newer to the field, is that requirement, framework and regulation publications can be cryptic, hard to digest and open to interpretation, leading to confusion and uncertainty. Some go so far as to say they actually detract from our ability to oversee GRC programs well. NIST made a best-effort attempt in this new draft to make the publication more actionable than theoretical. A strong emphasis was placed on making it an easy reference and job aid for a practitioner in the field trying to secure their organization and meet the regulatory requirements imposed through HIPAA.
Since Revision 1 of NIST SP 800-66 was released, NIST has published the Cybersecurity Framework (CSF) and a major revision of NIST SP 800-53, Revision 5. The updated version of this Special Publication incorporates these and other updates to the NIST publications. The inclusion of the CSF is particularly important, as many organizations across various verticals have already incorporated the NIST CSF into their GRC programs. This enables practitioners new to the healthcare space to better understand how they can secure and protect their data; any time there is a crosswalk to a well-known framework, the learning curve is shortened.
In addition, this revision also includes:
- Overview of the HIPAA Security Rule
- More prescriptive guidance on risk management activities, specifically tailored to healthcare organizations. This is timely and prudent, as today’s organizations are forced to place more emphasis on building or maturing their risk management activities
- Links to additional resources that are helpful when healthcare organizations are looking to implement or mature their adherence to the HIPAA Security Rule
Need More Help?
Reciprocity® is pleased to offer education to the community through blog posts like this one, and to provide our customers with a clear blueprint for managing unified cyber risk across their organizations. ZenGRC helps you unify cybersecurity compliance and risk in a way that drives program maturity and frames risk management decisions in business terms.
The result? Your organization’s leadership can make wise, informed decisions on risk management and cybersecurity compliance. Get a live demo today and see how we can help your organization comply with HIPAA or mature its HIPAA security posture.