NIST Updates Guidance For Healthcare Security

Summary Of The Research

  • NIST’s updated cybersecurity guidance is timely, as the U.S. Department of Health and Human Services has reported a significant increase in cybersecurity attacks affecting healthcare organizations.
  • One of NIST’s most important control catalogs, Security and Privacy Controls (NIST SP 800-53), can help organizations take a more structured approach to the risk management process.
  • The new draft incorporates feedback from more than 400 unique responses NIST received from the community during its pre-draft stage last year.
  • The new draft is intended to help regulated entities ensure the confidentiality, integrity, and availability of the ePHI they create, receive, maintain, or transmit.
  • NIST is seeking comments on the draft publication until Sept. 21, 2022.

What Happened?

NIST has updated its cybersecurity guidance for the healthcare industry, in an effort to help healthcare organizations protect patients’ personal health information.

The U.S. federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) was intended to improve the efficiency and effectiveness of the health care system, in part by creating national standards that protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Under HIPAA, individually identifiable health information held or transmitted by a covered entity is Protected Health Information (PHI), and PHI that is stored or transmitted in electronic form is electronic protected health information (ePHI). Examples of such data include:

  • Patient data
  • Names
  • Dates
  • Location
  • Contact information
  • Physical identity information
  • Prescriptions
  • Lab results

NIST’s intention is not to create regulations that enforce HIPAA (enforcement remains with HHS), but to revise the guidance in line with its mission to provide and improve cybersecurity guidance.

NIST’s original HIPAA Security Rule guidance was published in 2008, and the updated guidance is meant to integrate with the NIST Cybersecurity Framework and the other resources NIST has developed since then.

One of NIST’s most important control catalogs, Security and Privacy Controls (NIST SP 800-53), can help organizations take a more structured approach to the risk management process, and the updated guidance maps its recommendations to those controls.

NIST has released a new draft publication, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), which is designed to help the industry maintain the security CIA triad (Confidentiality, Integrity and Availability) for ePHI.

The new draft incorporates feedback from more than 400 unique responses NIST received from the community during its pre-draft stage last year.


NIST’s Guidance At A Glance

The publication is intended for regulated entities and their business associates of all sizes, wherever they operate, that store, process, or transmit ePHI.

NIST recommends the following practices:

  • Ensure the confidentiality, integrity, and availability of all ePHI the organization creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats and hazards to the security or integrity of ePHI.
  • Develop a list of vulnerabilities that have a higher probability of being exploited.
  • Investigate the probable consequences of a malicious attacker exploiting each vulnerability.
  • Identify the ways in which PHI could be wrongly released.
  • Determine the resulting level of risk.
  • Document the outcomes of the risk assessment.

The revised draft is not intended to be a checklist for healthcare organizations to follow; rather, it is a guide to improving risk management for ePHI.

NIST is seeking comments on the draft publication until Sept. 21, 2022, which can be emailed to [email protected].

Healthcare Remains A Top Target

The number of ransomware attacks on U.S. healthcare organizations increased 94% from 2021 to 2022.

More than two-thirds of U.S. healthcare organizations reported that they had experienced a ransomware attack in 2021.

Given the large increase in attacks in recent years, healthcare providers and the companies that support them operate in an elevated cybersecurity risk environment.

When a cybersecurity incident occurs, the regulatory inquiries or litigation that follow usually focus on whether, and to what extent, the organization was aligned with security best practices and recommendations, which makes a documented risk assessment of the kind the draft describes an important piece of evidence.

NIST’s updated cybersecurity guidance is timely, as the U.S. Department of Health and Human Services has reported a significant increase in cybersecurity attacks affecting healthcare organizations.

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
