In an effort to assist Health Insurance Portability Act ("HIPAA") covered entities strengthen their cybersecurity preparedness, the U.S. Department for Health and Human Services Office for Civil Rights ("OCR") has published a HIPAA Security Rule Crosswalk identifying "mappings" between the National Institute of Standards and Technology's ("NIST") Framework for Improving Critical Infrastructure Cybersecurity ("NIST Cybersecurity Framework") and the HIPAA Security Rule. 

Criminal hackers have increasingly targeted sensitive personal and health information maintained by health care providers and health plans.  For instance, in early 2015, Anthem announced a breach of its servers resulting in the exposure of 78.8 million records containing personally identifiable information.  In February 2016, news reports stated that criminal hackers shut down the computers of a large Hollywood hospital and locked patient files in exchange for a ransom. 

HIPAA covered entities must comply with the HIPAA Security Rule and implement strong data security safeguards to ensure the confidentiality of the electronic protected health information ("ePHI") they create, receive, maintain or transmit.  In complying with the HIPAA Security Rule, many healthcare organizations voluntarily rely on detailed security guidance and specific standards issued by NIST. 

In February 2014, NIST released the Cybersecurity Framework to help organizations better understand and manage cybersecurity risks. The Cybersecurity Framework, issued in response to Executive Order 13636Improving Critical Infrastructure Cybersecurity, organizes cybersecurity activities into five key functions: identify, protect, detect, respond and recover.  The Cybersecurity Framework divides each function into categories and subcategories that define particular activities, such as inventorying software or managing user credentials, and lists widely-adopted industry standards and best practices for each of the defined activities.  Organizations may adopt these standards and best practices to manage security risks in their environments.

According to the OCR's Press Release, the Crosswalk addresses gaps between the NIST Cybersecurity Framework and the HIPAA Security Rule.  The OCR issued the Crosswalk due to calls for guidance on implementation of the NIST Cybersecurity Framework in both the Health Information Technology for Economic and Clinical Health Act of 2009 ("HITECH") and the Cybersecurity Information Sharing Act of 2015 ("CISA"). 

OCR believes that the Crosswalk can be used by covered entities as a tool to identify any overlap between the NIST Cybersecurity Framework and the HIPAA Security Rule and to also address any gaps in compliance with the Security Rule.  The Crosswalk maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.  The OCR intends the mappings between the NIST Cybersecurity Framework and the HIPAA Security Rule to be an informative reference for covered entities and business associates.  While the mappings do not imply or guarantee compliance with applicable laws and regulations, the mappings will serve as a valuable roadmap to covered entities and business associates seeking to bolster their cybersecurity strategy.

Click here to find the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.