September 27, 2022

Last Updated on January 19, 2024

The National Institute of Standards and Technology (NIST) has released an initial public draft of its updated guidance for HIPAA cybersecurity compliance and ePHI protection. The publication, NIST SP 800-66r2 (Revision 2), “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide,” is available free of charge here.

This draft aligns NIST’s approach to HIPAA cybersecurity compliance with other NIST cybersecurity guidance. The public comment period is open through October 5, 2022.

Why is this new guidance important and useful? A quick glance at recent statistics on the unrelenting rise in cyberattacks against healthcare orgs shows how much ePHI is being compromised and how badly the industry needs to improve its cybersecurity.

What is the HIPAA Security Rule?

Part of the overarching HIPAA regulation, the HIPAA Security Rule sets requirements for safeguarding electronic protected health information (ePHI) that covered entities and business associates create, receive, store or transmit. ePHI is any individually identifiable health information in electronic form, which covers a wide range of data: health histories, prescription records, medical records, lab results, vaccination records, health plan numbers, biometric identifiers and even photos, as well as identifiers such as name, address and Social Security number when they are tied to health information.

Orgs subject to HIPAA must ensure the confidentiality, integrity and availability of their ePHI and protect it against reasonably anticipated threats and impermissible uses or disclosures, including exfiltration, improper disclosure, and loss or destruction (e.g., from a ransomware attack). Civil and criminal penalties for HIPAA violations can be harsh, and the reputational damage to an org can be worse.

What is NIST 800-66?

HIPAA first became law in 1996, and the initial version of NIST 800-66 came out in 2005. The new NIST 800-66 Revision 2 offers practical advice and resources that healthcare orgs can use to better understand the HIPAA Security Rule and confirm that their cybersecurity controls both protect their ePHI and satisfy HIPAA requirements. Much of this is nonprescriptive guidance, such as examples of typical activities that a HIPAA-regulated entity might consider implementing as part of its cybersecurity program.

According to Jeff Marron, a NIST cybersecurity specialist and author of this latest NIST 800-66 revision, “One of our main goals is to help make the updated publication more of a resource guide. The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the HIPAA Security Rule.”

A key enhancement in NIST 800-66 Revision 2 is its integration with other NIST cybersecurity publications that did not exist back in 2005, notably the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.”

The revision maps the Security Rule’s standards and implementation specifications to CSF subcategories and SP 800-53 controls, so an org that already uses either framework can see which of its existing controls support which Security Rule requirements. The new document’s structure is similar to the preceding Revision 1 (from 2008), but the content has been updated to put more emphasis on risk assessment and risk management.

As with many NIST cybersecurity publications, the intent of NIST 800-66 Revision 2 is not to hand you a checklist to follow, but to offer readable, actionable guidance that helps you manage the risk to ePHI within your own environment.

Next steps

HIPAA compliance can be challenging for SMBs with limited resources, and is best approached through a holistic, strategic plan that delivers compliance cost-efficiently and with maximum business value.

To connect with a HIPAA cybersecurity expert to discuss your current ePHI security program and business goals, contact Pivot Point Security.

For more information on NIST 800-66, visit the NIST website here.
