NIST Updates Guidance for Health Care Cybersecurity

In an effort to help health care organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the health care industry. 

NIST’s new draft publication, formally titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), is designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations. 

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.” 

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. Part of HIPAA is the Security Rule, which specifically focuses on protecting ePHI that a health care organization creates, receives, maintains or transmits. NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance. NIST’s updated guidance is particularly timely as the U.S. Department of Health and Human Services has noted a rise in cyberattacks affecting health care. 

NIST is seeking comments on the draft publication until Oct. 5, 2022 (extended from the original deadline of Sept. 21, 2022).

One of the main reasons NIST has developed the revision is to integrate it with other NIST cybersecurity guidance that did not exist when Revision 1 was published in 2008. Since then, NIST has developed its well-known Cybersecurity Framework, and it also has repeatedly updated its collection of Security and Privacy Controls (NIST SP 800-53) that organizations can use to tailor their own risk management approaches. The new HIPAA Security Rule guidance draft makes explicit connections to these and other NIST cybersecurity resources. 

“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s latest version,” Marron said. “We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts.” 

The draft takes into account more than 400 unique responses NIST received to its pre-draft call for comments last year. Marron describes the draft as more of a refresh than an overhaul, as the document’s structure has changed only slightly, but the content has been updated with an increased emphasis on assessment and management of risk to ePHI. Many of the significant changes are implied in the publication’s “Note to Reviewers,” which asks readers for thoughts on specific sections. 

Marron said that as with many related NIST cybersecurity publications, the revised draft was not intended to be a checklist for health care organizations to follow, but rather to guide them in improving their management of risk to ePHI. 

“We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs,” he said. “Our goal is to offer guidance and resources you can use in one readable publication.”

NIST is accepting comments on the draft until Oct. 5, 2022 (extended from the original deadline of Sept. 21, 2022), by email to sp800-66-comments [at] nist.gov (sp800-66-comments[at]nist[dot]gov).