Author: Dušan Trojanović / Last Updated: 8/30/2022
Reviewed By: Dalibor Gašić & Michael Swanagan, CISSP, CISA, CISM
NIST has updated its cyber security guidance for the healthcare industry, in an effort to help healthcare organizations protect patients' personal health information.
The intention of the U.S. federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) is to improve the efficiency and effectiveness of the health care system by creating national standards that protect patients' sensitive health information from being disclosed without the patient's consent or knowledge.
Under HIPAA, any information that can be used to identify a patient is considered Protected Health Information (PHI), and electronic protected health information (ePHI) is such data in electronic form, including:
NIST's intention is not to create regulations to enforce HIPAA, but to revise the draft so that it aligns with NIST's mission of providing and improving cyber security guidance.
NIST's original cyber security guidance was published in 2008; the updated guidance is meant to integrate with the NIST Cybersecurity Framework and the other resources NIST has developed since the original guidance.
One of the most important collections within the NIST framework is Security and Privacy Controls (NIST SP 800-53), which can help organizations take a more structured approach to the risk management process.
NIST has released a new draft publication, a cyber security resource guide for the Health Insurance Portability and Accountability Act Security Rule (NIST Special Publication 800-66, Revision 2), which is designed to help the industry maintain the confidentiality, integrity and availability (the CIA triad) of ePHI.
The new draft incorporates more than 400 unique responses that NIST received from the community during its pre-draft stage last year.
The publication provides guidance for all entities and their business associates, of any size and anywhere in the world, that store, process, or transmit ePHI.
NIST recommended the following guidelines for practices:
The revised draft is not intended to be a checklist for healthcare organizations to follow; rather, it is meant as a guide to improving risk management for ePHI.
NIST is seeking comments on the draft publication until Sept. 21, 2022; they can be emailed to [email protected].
The number of ransomware attacks on U.S. healthcare organizations increased 94% from 2021 to 2022.
More than two-thirds of U.S. healthcare organizations reported that they had experienced a ransomware attack in 2021.
Given the large increase in attacks over the past few years, healthcare providers and the companies that support them operate in an elevated cyber security risk environment.
When a cyber security incident occurs, regulatory inquiries and litigation have in most cases focused on whether, and to what extent, the organization was aligned with security best practices and recommendations.
NIST's updated cyber security guidance is timely, as the U.S. Department of Health and Human Services has reported a significant increase in cyber attacks affecting healthcare organizations.
Dušan is a Senior Security Engineer actively working as a penetration tester in DevSecOps projects. He is also an avid security researcher bringing forward analysis on the latest attacks and techniques.