NIST Updates Its HIPAA Guidance

Advice for firms to comply with the HIPAA Security Rule


On July 21, the National Institute of Standards and Technology (NIST) published the draft of a new update to its guidance for implementing the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). The update is intended to help the healthcare industry enhance its controls to safeguard the health information of patients.

In this blog post, we bring you the most significant changes to this standard with some hints on what you can start implementing to update your compliance.

What's NIST guidance for compliance with the HIPAA?

Let's first review what the HIPAA is. It is a federal law that dates back to 1996. It requires the creation of standards that regulate and improve the handling of Protected Health Information (PHI). This kind of information may be understood as any data that could be used to identify a patient, for example, lab results, prescriptions, hospital visits and vaccination records. Following this legislation would mainly ensure that PHI is not disclosed without a patient's knowledge or consent, thus minimizing the risk of theft and subsequent fraud.

The NIST draft we're dealing with in this post is for the second revision to NIST Special Publication (SP) 800-66. It focuses on compliance with the HIPAA Security Rule. This rule protects electronic PHI (ePHI) that health plans, healthcare clearinghouses and healthcare providers (henceforth, "regulated entities") create, receive, maintain or transmit. According to the NIST news, the idea with this revision is to give more actionable guidance. (Below, we'll touch on how this is accomplished.) Further, the draft gives an increased emphasis on risk management.

What's new in the NIST SP 800-66 Rev. 2 draft?

NIST intends to catch up to its Cybersecurity Framework (CSF) publication, which was released years after the first revision to SP 800-66. The new draft publication maps the elements of the Security Rule to NIST CSF subcategories. Additionally, it updates the mapping to controls in NIST's Security and Privacy Controls for Information Systems and Organizations (SP 800-53). This is shown in a comprehensive table in the draft's Appendix E. As regulated entities are pointed to these further resources, they can have an even more specific idea of what security requirements they need to check.

As hinted, another remarkable feature of this draft is its emphasis on the assessment of risk to ePHI as a fundamental process in an entity's compliance with the Security Rule. The draft dedicates a section to risk assessment, placed strategically just before the risk management guidance, instead of only an appendix, as in the previous revision. Accordingly, it is more specific in its description of the different steps involved and provides more resources. Worthy of note are the several examples of threat events characterized by tactics, techniques and procedures (Appendix C).

The names of the risk assessment steps have changed somewhat, but this is only the result of merging some steps and separating others, not a change in the underlying process.

Comparison between the NIST SP 800-66 rev. 1 and rev. 2

Notably, the draft makes it clear that the identification of technical vulnerabilities should be done with an appropriate methodology. Bear in mind that assessments carried out with automated security testing tools alone fail to detect risk exposure accurately. In our latest State of Attacks report, we show that 67.4% of the risk exposure reported in the systems we evaluated throughout the last year was identified only by our ethical hackers.


Another welcome addition is that this new revision acknowledges the importance of continuous risk assessment. It's made explicit that, in order to execute a risk management strategy, regulated entities should conduct risk assessment as an ongoing task. We believe this advice is on point. Systems should be subjected to continuous security testing so that it can be verified whether they withstand emerging threats.

For the next feature, it's important to clarify something first. The Security Rule categorizes the actions, policies and procedures that protect the confidentiality, integrity and availability of ePHI into three "Safeguards": Administrative (e.g., periodic reviews), Physical (e.g., restrictions on access to facilities and software) and Technical (e.g., PHI encryption). The key activities that the NIST draft publication associates with each Safeguard remain basically the same as before, save for the fact that the draft describes them in richer detail and relies more heavily on the risk assessment results.

What we've described so far (providing many more resources, placing risk assessment under the spotlight, keeping up with the trends and being more exhaustive) makes this guidance more actionable than the previous revision.

To name a few other changes, the scenarios in the implementation advice have been updated (e.g., to include telehealth), and some successful practices are given more emphasis than before (e.g., NIST is a little more insistent on implementing multi-factor authentication solutions). Finally, the enhancements to the guidance may encourage regulated entities to set stricter standards (e.g., defining time frames and clearer responsibilities for the investigation and reporting of security incidents and breaches).

NIST is receiving comments on its draft publication until September 21. In the meantime, you should take a look at the document and see the actions you can take to step up your cybersecurity game.

At Fluid Attacks, we help you develop technology that complies with the HIPAA and many more security standards. Don't hesitate to contact us!

Caution: Many major details from the publication are missing in this blog post. Having read this post in no way substitutes for careful reading of the NIST SP 800-66 Rev. 2 (Draft). If you need to know all the details, we recommend that you read the full text.
