Without question, healthcare providers and the companies that support them operate in an elevated cybersecurity risk environment. And when a cybersecurity incident occurs, the ensuing regulatory inquiries and/or litigation often focus on whether the entity followed recognized security practices. The National Institute of Standards and Technology (NIST) Cybersecurity Framework has long been one of the most widely recognized sources of recommended security practices, even as some of its guidance has become outdated. This is especially true for its HIPAA security guidance, as the NIST publication “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” was published in 2008. Office for Civil Rights investigations now routinely ask for evidence that an organization has implemented “recognized security practices,” typically in alignment with the NIST Cybersecurity Framework. The challenges presented by aging NIST guidance cause frustration for many of our clients.
But in a move that feels long overdue, NIST has finally published a draft update to its healthcare cybersecurity guide, Special Publication 800-66r1. We’re excited to share our “unboxing” of the updated compilation of guidance and references, useful to anyone interested in healthcare cybersecurity. The draft of 800-66r2, titled “Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide,” is open for public comment until Sept. 21, 2022.
While remaining essentially true to the structure of the original 800-66 publication, the draft revision adds substantial detail. The main body of the document contains significantly expanded guidance on risk assessments and risk management. The appendices have been largely reworked and feature extensive resources to aid in performing risk assessments, especially with regard to threat modeling. The update to the original “Security Rule Standards and Implementation Specifications Crosswalk” appendix incorporates the many NIST publications issued in the years between the release of 800-66r1 and the draft of 800-66r2.
Perhaps the most useful new feature in the revised draft is Appendix F – HIPAA Security Rule Resources (Informative), which contains more than 10 pages of categorized and summarized links to other resources in 17 different categories. While these categories include several timeless and broad topics (Risk Assessment/Risk Management; Documentation Templates; Small Regulated Entities; Education, Training & Awareness; Protection of Organizational Resources and Data; Equipment and Data Loss; Contingency Planning; Supply Chain; Information Sharing; Access Control/Secure Remote Access; Cybersecurity Workforce), they also include more specific topics of particular relevance to the current security environment (Telehealth/Telemedicine Guidance; Mobile Device Security; Cloud Services; Ransomware & Phishing; Medical Device and Medical IoT Security; Telework). The revamped Appendix F essentially offers a guided tour of an extensive library of healthcare cybersecurity resources. It’s worth noting, however, that digesting the content of these resources may prove to be a heavy lift for already overburdened healthcare information security teams.
As in 800-66r1, the largest section of the revised draft is “Considerations When Implementing the HIPAA Security Rule,” which sets forth “Key Activities” with corresponding “Description” and “Sample Questions” in a tabular format. In several places, the draft adds updated material and references consistent with the way the cybersecurity landscape continues to develop. For example, in addressing authentication, the draft revision includes considerations regarding multifactor authentication and application programming interfaces (both absent from r1).
Although this draft is intended to incorporate suggestions from the hundreds of pre-draft comments NIST received, healthcare entities have until Sept. 21, 2022 to provide additional feedback. Still, the draft of 800-66r2 offers a wealth of content and concrete guidance that anyone addressing healthcare cybersecurity should be able to use immediately—a welcome tool considering the security challenges the sector faces right now.