NIST Updates Guidance for Health Care Cybersecurity



Illustration shows a padlock surrounded by health-care images like a medicine bottle, a vaccine card, and health records.

Credit: N. Hanacek/NIST

To help health care organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the health care industry.

NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), is designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations.

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Part of HIPAA is the Security Rule, which specifically focuses on protecting ePHI that a health care organization creates, receives, maintains or transmits. NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance. NIST’s updated guidance is particularly timely, as the U.S. Department of Health and Human Services has noted a rise in cyberattacks affecting health care.

NIST is seeking comments on the draft publication until Sept. 21, 2022.

One of the main reasons NIST has developed the revision is to integrate it with other NIST cybersecurity guidance that did not exist when Revision 1 was published in 2008. Since then, NIST has developed its well-known Cybersecurity Framework, and it also has repeatedly updated its collection of Security and Privacy Controls (NIST SP 800-53) that organizations can use to tailor their own risk management approaches. The new HIPAA Security Rule guidance draft makes explicit connections to these and other NIST cybersecurity resources.

“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s latest version,” Marron said. “We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts.”

The draft takes into account more than 400 unique responses NIST received to its pre-draft call for comments last year. Marron describes the draft as more of a refresh than an overhaul, as the document’s structure has changed only slightly, but the content has been updated with an increased emphasis on assessment and management of risk to ePHI. Many of the significant changes are implied in the publication’s “Note to Reviewers,” which asks readers for input on specific sections.

Marron said that, as with many related NIST cybersecurity publications, the revised draft was not meant to be a checklist for health care organizations to follow, but rather to guide them in improving their management of risk to ePHI.

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” he said. “Our goal is to offer guidance and resources you can use in one readable publication.”

NIST is accepting comments on the draft until Sept. 21, 2022, by email to sp800-66-comments [at]