Illustration shows a padlock surrounded by health-care images like a medicine bottle, a vaccine card, and health records.

Credit:

N. Hanacek/NIST

In an effort to help health care organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the health care industry.

NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), is designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations.

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.”

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Part of HIPAA is the Security Rule, which specifically focuses on protecting ePHI that a health care organization creates, receives, maintains or transmits. NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance. NIST’s updated guidance is particularly timely, as the U.S. Department of Health and Human Services has noted a rise in cyberattacks affecting health care.

NIST is seeking comments on the draft publication until Sept. 21, 2022.

One of the main reasons NIST has developed the revision is to integrate it with other NIST cybersecurity guidance that did not exist when Revision 1 was published in 2008. Since then, NIST has developed its well-known Cybersecurity Framework, and it also has repeatedly updated its collection of Security and Privacy Controls (NIST SP 800-53) that organizations can use to tailor their own risk management approaches. The new HIPAA Security Rule guidance draft makes explicit connections to these and other NIST cybersecurity resources.

“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s latest version,” Marron said. “We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts.”

The draft takes into account more than 400 unique responses NIST received to its pre-draft call for comments last year. Marron describes the draft as more of a refresh than an overhaul, as the document’s structure has changed only slightly, but the content has been updated with an increased emphasis on assessment and management of risk to ePHI. Many of the significant changes are implied in the publication’s “Note to Reviewers,” which asks readers for suggestions on specific sections.

Marron said that, as with many related NIST cybersecurity publications, the revised draft was not intended to be a checklist for health care organizations to follow, but rather to guide them in improving their management of risk to ePHI.

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” he said. “Our goal is to offer guidance and resources you can use in one readable publication.”

NIST is accepting comments on the draft until Sept. 21, 2022, by email to sp800-66-comments [at] nist.gov.