
NIST Updates Guidance For Healthcare Security


Author: Dušan Trojanović / Last Updated: 8/30/2022

Reviewed By: Dalibor Gašić & Michael Swanagan, CISSP, CISA, CISM

Summary Of Research

  • NIST’s updated cyber security guidance is timely, as the U.S. Department of Health and Human Services has reported a significant increase in cyber security attacks affecting healthcare organizations.
  • One of the most important collections in the NIST cyber security framework is Security and Privacy Controls (NIST SP 800-53), which can help organizations take a better approach to the risk management process.
  • The new draft incorporates more than 400 unique responses that NIST received from the community during its pre-draft stage last year.
  • The new draft is intended to help ensure the confidentiality, integrity, and availability of the ePHI that a regulated entity creates, receives, maintains, or transmits.
  • NIST is seeking comments on the draft publication until Sept. 21, 2022.


What Happened?

NIST has updated its cyber security guidance for the healthcare industry to help healthcare organizations protect patients’ personal health information.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law intended to improve the efficiency and effectiveness of the health care system by creating national standards that protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Under HIPAA, any information that can be used to identify a patient is considered Protected Health Information (PHI). Electronic protected health information (ePHI) is PHI held or transmitted in electronic form, and includes data such as:

  • Patient data
  • Names
  • Dates
  • Location
  • Contact information
  • Physical identity information
  • Prescriptions
  • Lab results

NIST’s intention is not to create regulations that enforce HIPAA, but to revise its guidance in line with its mission to provide and improve cyber security guidance.

NIST’s original cyber security guidance on this topic was published in 2008; the updated guidance is meant to integrate with the NIST cyber security framework and the other resources that were developed after the original guidance.

One of the most important collections in the NIST cyber security framework is Security and Privacy Controls (NIST SP 800-53), which can help organizations take a better approach to the risk management process.

NIST has released a new draft publication, a cyber security resource guide titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66, Revision 2), which is designed to help the industry maintain the CIA triad (confidentiality, integrity, and availability) for ePHI.

The new draft incorporates more than 400 unique responses that NIST received from the community during its pre-draft stage last year.

NIST’s Guidance At A Glance

The publication provides guidance to regulated entities and their business associates of all sizes, anywhere in the world, that store, process, or transmit ePHI.

NIST recommends the following practices:

  • Ensure the confidentiality, integrity, and availability of the ePHI that the entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats and hazards to the security or integrity of ePHI.
  • Develop a list of vulnerabilities that have a higher probability of being exploited.
  • Investigate the probable consequences of a malicious attacker exploiting a vulnerability.
  • Discuss the ways in which PHI could be improperly disclosed.
  • Define the level of risk posed by an attacker.
  • Document the outcomes of the risk assessment.

The revised draft is not intended to be a checklist for healthcare organizations to follow; rather, it presents a guide to improving the risk management of ePHI.

NIST is seeking comments on the draft publication until Sept. 21, 2022; comments can be emailed to [email protected].

Healthcare Remains A Top Target

The number of ransomware attacks on U.S. healthcare organizations increased 94% from 2021 to 2022.

More than two-thirds of U.S. healthcare organizations reported that they had experienced a ransomware attack in 2021.

Given the large increase in attacks in recent years, healthcare providers and the companies that support them operate in an elevated cyber security risk environment.

When a cyber security incident occurs, regulatory inquiries and litigation have in most cases focused on whether, and to what extent, the organization was aligned with security best practices and recommendations.

NIST’s updated cyber security related guidance is timely as the U.S. Department of Health and Human Services reported a significant increase in cyber security attacks affecting healthcare organizations.

Dušan Trojanović

Dušan is a Senior Security Engineer actively working as a penetration tester in DevSecOps projects. He is also an avid security researcher bringing forward analysis on the latest attacks and techniques.