NIST Maps Cybersecurity Framework to HIPAA Security RuleDocument May Help Entities Avoid Fines by Showing 'Recognized Security Practices'
New draft federal cybersecurity guidance could help healthcare organizations avoid regulatory fines in the wake of breaches, some experts say.
Federal regulators are looking for adoption of "recognized security practices" when investigating the aftermath of a breach involving protected health information. Congress in 2021 told the Department of Health and Human Services to consider in HIPAA enforcement actions whether a medical center or business associate can show that it had "recognized security practices" in place for at least the previous 12 months.
A prime source of recognized security practices is, of course, the Cybersecurity Framework - developed by the National Institute of Standards and Technology with the goal of establishing a de facto national benchmark for effective security.
In the years since the framework's 2013 introduction, it has been adapted into industry-specific cybersecurity manuals, leading NIST last week to publish a draft document mapping compliance with the HIPAA Security Rule onto the framework's list of security controls.
The revised draft - like other related NIST documents - is "not intended to be a checklist for healthcare organizations to follow," Jeff Marron, a NIST cybersecurity specialist and an author of the document, said in a statement. It's meant to guide them in improving their electronic protected health information risk management, he added.
Other experts say the updated draft guidance could help organizations avoid the wrath of regulators in the wake of a HIPAA breach or similar violation.
"Healthcare organizations are now incentivized by potentially reduced regulatory scrutiny, fines, and penalties to implement recognized security practices and, in particular, the NIST Cybersecurity Framework," says Jon Moore, chief risk officer at privacy and security consultancy firm Clearwater.
If there's one point of criticism so far, it's how lengthy the draft document is, says Tom Walsh, president of privacy and security consultancy tw-Security. "While NIST tries to be helpful, I find in general, over the years, their documents keep getting longer and longer," he says. "You can write the absolute best guidance in the world, but if no one has time to read it, then it’s all for nothing."
Crosswalk From HIPAA to NIST CSF
Among the information contained in the draft guidance is a detailed "crosswalk" chart between the HIPAA Security Rule and the NIST framework and other related NIST documents.
That crosswalk and related control mapping will benefit organizations that have elected to implement NIST security specifications and will also help identify gaps in their current cybersecurity programs, Moore says.
"This guidance becomes an input, along with other compliance requirements, contractual requirements, risks, and the organization’s strategic goals and objectives, to define an appropriate target profile for the organization," he says.
Other Upcoming Guidance
The HHS Office for Civil Rights is also planning to soon release new video guidance to assist regulated healthcare entities on the "recognized security practices" that regulators will consider when determining HIPAA enforcement actions against organizations (see: Feds Signal New Guidance on 'Recognized Security Practices').
HHS OCR says among topics planned to be covered in the upcoming video guidance is how the agency will request evidence of recognized security practices from entities.