NIST revises healthcare guidance to improve HIPAA Security Rule compliance

The draft publication 800-66 focuses on helping inform the industry about security issues around electronic protected health information.
By Nathan Eddy
10:47 AM


The National Institute of Standards and Technology announced an update to its healthcare cybersecurity guidance, placing a greater emphasis on the guidance's risk management component, including integrating enterprise risk management concepts.

WHY IT MATTERS
The draft publication 800-66 focuses on helping inform the industry about security issues around electronic protected health information, or ePHI, which covers the full range of patient data, from lab results to hospital visit records, as defined within the context of the HIPAA Security Rule.

The HIPAA Security Rule, which focuses on protecting the confidentiality, integrity and availability of ePHI, is separated into six main sections, ranging from general rules and administrative safeguards to technical and physical safeguards.

The guidance also draws attention to the new challenges posed by telehealth and telemedicine technologies, as well as cloud services and mobile device technology.

Also included are resources made available to help healthcare organizations protect ePHI from ransomware and phishing, two common threats that are rapidly evolving.

The draft document includes advisories for education, training and awareness of personnel at healthcare organizations, as well as methods to help protect organizational data and the resources that store and access ePHI, including zero-trust architecture and digital identity guidelines.

THE LARGER TREND
The U.S. Department of Health and Human Services has noted a rise in cyberattacks affecting healthcare.

The number of data breaches at hospitals, health systems, health plans and elsewhere continues to cause significant challenges across the healthcare industry, with incidents reported in June affecting organizations including Kaiser Permanente and Atrium Health.

In May, hackers allegedly sponsored by North Korea targeted health systems in Kansas and Colorado; the victims complied with the ransomware demands through bitcoin payments, which the FBI recovered just this past week.

In June, the HHS published guidance on "strengthening cyber posture," but healthcare organizations continue to ask for more government help managing their security challenges.

A June report from the Ponemon Institute found few organizations in healthcare and elsewhere are investing adequately in identity and access management (IAM) technologies, which can also help providers save money.

PeaceHealth's IAM automation program, for example, helped save the organization hundreds of thousands of dollars.

ON THE RECORD
"One of our main goals is to help make the updated publication more of a resource guide. The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule," said Jeff Marron, a NIST cybersecurity specialist. 

"We provide a resource that can assist you with implementing the Security Rule in your own organization, which may have particular needs," he said. "Our goal is to offer guidance and resources you can use in one readable publication."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209
