The National Institute of Standards and Technology (NIST) is an agency at the U.S. Department of Commerce that promotes U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology to enhance economic security. In February 2024, NIST released a revision of its Special Publication (SP) 800–66. This second iteration, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide,”[1] offers comprehensive guidance for regulated entities on managing risks to electronic Protected Health Information (ePHI).
To help healthcare organizations comply with the HIPAA Security Rule, manage risk, and protect ePHI against cybersecurity threats, here are five key takeaways from the updated publication:
5 Key Takeaways
- Enhanced Cybersecurity Guidance: Special Publication 800-66 aims to assist HIPAA-covered entities and business associates in assessing and managing risks to ePHI. It highlights typical activities these entities might consider as part of an information security program and offers guidance to improve their cybersecurity posture and assist with HIPAA Security Rule compliance.
- Risk Assessment and Management: A crucial aspect of the guidance is the emphasis on risk assessment and risk management. It advises entities on how to assess risks to ePHI effectively and develop a corresponding risk management plan. The guidance asserts that these steps should be tailored to each entity to identify risks accurately.
- Flexibility and Scalability: The guidance underscores the flexibility, scalability, and technology-neutral nature of the HIPAA Security Rule. It asserts no single compliance approach is suitable for all entities and encourages customized solutions based on the size, nature, and specific security risks of each entity.
- Accountability and Business Reasons for Cybersecurity: Beyond compliance, the guidance stresses the importance of improving cybersecurity practices to prevent costly breaches and reputational damage. In an era of increasing data security risks, such as ransomware attacks, enhancing organizational cyber posture is highlighted as mission critical.
- Resource and Support Availability: The publication lists various resources, such as guidance, templates, and tools, available on the SP 800-66r2 web page.[2] Additionally, it integrates the content into NIST’s Cybersecurity and Privacy Reference Tool (CPRT),[3] providing mappings of the HIPAA Security Rule’s standards and implementation specifications to NIST frameworks and security controls. This tool is designed to help entities implement the required standards and specifications more efficiently.
SP 800-66 Revision 2, which reflects collaboration between NIST and the U.S. Department of Health and Human Services Office for Civil Rights, presents a detailed roadmap for healthcare entities to enhance their cybersecurity measures, conduct thorough risk assessments and management, and ultimately comply with the HIPAA Security Rule. It emphasizes the need for a flexible, tailored approach to cybersecurity, acknowledging the diverse nature of entities governed by HIPAA and the varied threats they face. The guidance serves as a critical resource for entities looking to navigate the complexities of protecting ePHI against modern cybersecurity threats.
If you would like assistance with cybersecurity, compliance with HIPAA, information technology (IT) infrastructure, or any matter related to compliance, operations, or strategy, our executives are happy to help. Please contact them via email or by calling (800) 270-9629.
Learn about PYA’s IT risk management program, Overwatch.
[1] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.pdf
[2] https://csrc.nist.gov/pubs/sp/800/66/r2/final/.
[3] https://csrc.nist.gov/Projects/cprt/catalog#/cprt/framework/version/SP800_66_2_0_0/home/.
