HHS OCR, NIST Finalize HIPAA Cyber Guide; HSCC Issues Security, Privacy Resource
Two new guidance resources – one from government regulators and the other from an industry council – aim to help healthcare sector firms strengthen their approaches to protecting sensitive patient information and critical IT systems. The publications come as the Biden administration is pushing the sector to up its cyber game.
One of the documents is a joint publication, “Special Publication 800-66 Revision 2, Implementing the HIPAA Security Rule,” released by the Department of Health and Human Services’ Office for Civil Rights and the National Institute of Standards and Technology on Friday.
The other document, also issued Friday, from the Healthcare and Public Health Sector Coordinating Council’s Cybersecurity Working Group, is a guide to help healthcare sector entities better address “disconnects” between their privacy and cybersecurity functions “for improved overall compliance and operational efficiencies and effectiveness.”
HIPAA/NIST CSF Crosswalk Guide
The new joint HHS OCR/NIST resource is meant to help HIPAA-covered entities and business associates map the HIPAA Security Rule’s standards and implementation specifications to NIST Cybersecurity Framework subcategories and SP 800-53r5 security controls.
It finalizes the draft guidance HHS OCR and NIST released in July 2022, and it supersedes the earlier, introductory HIPAA guide NIST released in 2008 as SP 800-66 Revision 1 (see: NIST Maps Cybersecurity Framework to HIPAA Security Rule).
As a supplement to the joint guidance, NIST posted on its website Friday an updated listing of available NIST resources to help healthcare sector entities address cybersecurity issues pertaining to specific topics. These resources address telehealth, mobile devices, IoT, medical devices, ransomware and phishing, cloud services, and application security.
The release of the joint HHS OCR/NIST guidance is the latest action by HHS supporting the Biden administration’s evolving strategy to improve healthcare sector cybersecurity, which was outlined in a concept paper in December (see: Biden Administration Issues Cyber Strategy for Health Sector).
In January, also as part of the administration’s strategy, HHS published a guidance paper detailing voluntary “essential” and “enhanced” cybersecurity performance goals for the healthcare sector (see: HHS Details New Cyber Performance Goals for Health Sector).
“Regulated entities should consider that employing cybersecurity practices can not only help a HIPAA-regulated entity comply with the Security Rule but can also assist with compliance with other federal mandates,” the HHS OCR/NIST guidance says.
“Those other mandates include the Medicare Promoting Interoperability Program, which requires an annual risk assessment to avoid Medicare financial penalties, and forthcoming cyber incident reporting mandates from the Cybersecurity and Infrastructure Security Agency as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022,” the document says.
HHS said it is planning to issue a proposed update to the HIPAA Security Rule in the spring, as well as other potential new regulatory actions.
HSCC Privacy, Security Guide
The new guide from HSCC – a public-private industry council of more than 400 healthcare sector entities and 19 government agencies – aims to help organizations better address factors that contribute to disharmony between their privacy and security efforts.
“Factors ranging from organizational structure to conflicting priorities can lead to disconnect between Privacy and Security, increasing organizational risk,” HSCC said in a statement.
The intended audience for the guidance includes healthcare privacy, security, and compliance leaders; their teams; and others “looking to develop best practices for privacy and security programs and policies,” HSCC said.
The publication provides healthcare sector entities with assistance in addressing privacy and security friction in several areas, including helping entities identify intersections, interdependencies, and regulatory and operational distinctions between enterprise privacy and security disciplines; spotlighting challenges and risks that arise from gaps and misalignments between privacy and security functions and priorities; and recommending options for frameworks, best practices and measures to address those issues.
The guide “provides practical suggestions of collaborative practices” to help healthcare sector entities’ privacy and security organizations work together more “proactively and cohesively,” HSCC said.