

NIST finalizes HIPAA Security Rule guidance amidst rising breach stats


Amid escalating healthcare data breaches, the National Institute of Standards and Technology (NIST) has revealed updated HIPAA Security Rule implementation guidance.


What happened

Recognizing the urgent need for enhanced cybersecurity measures and compliance with the HIPAA Security Rule, NIST released the finalized Special Publication 800-66r2 in February 2024. The publication provides guidance for strengthening cybersecurity and complying with the HIPAA Security Rule, including:

  • Mappings to cybersecurity frameworks: Includes mappings of the Security Rule’s standards and implementation specifications to Cybersecurity Framework subcategories and applicable security controls, such as those detailed in NIST SP 800-53, facilitating a more structured approach to compliance.
  • Additional resources and tools: Lists additional resources, tools, and publications that regulated entities may find useful in implementing the Security Rule and improving their security measures.
  • Addressing evolving cybersecurity threats: Highlights the importance of adapting security practices to address evolving cybersecurity threats and vulnerabilities, ensuring the protection of ePHI against current and future risks.
  • Guidance for conducting risk analysis: Provides comprehensive instructions for HIPAA-covered entities and business associates on conducting a thorough risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI).
  • Risk management recommendations: Offers detailed recommendations on implementing security measures to manage and mitigate identified risks to ePHI, helping entities achieve a reasonable and appropriate level of security.
  • Activity suggestions for information security programs: Identifies typical activities and best practices that regulated entities should consider incorporating into their information security programs to enhance their cybersecurity posture.

See also: The NIST Cybersecurity Framework and the HIPAA Security Rule crosswalk


The backstory

Audits by the Office for Civil Rights (OCR) in 2011 and 2016/2017 uncovered widespread noncompliance, particularly in the areas of risk analysis and risk management. In February 2023, in response to escalating cyberattacks on the healthcare sector, the OCR announced its intention to gather feedback on its HIPAA audit program, signaling a potential reboot of the program that could impose fines for noncompliance. The NIST publication came as a response to this increased focus on the cybersecurity side of HIPAA compliance.

The OCR audits revealed that none of the audited entities achieved full compliance in risk analysis, and a large number showed only minimal efforts. The situation has grown more alarming with a sharp rise in healthcare data breaches. According to the Paubox HIPAA Breach Report for December 2023, there were 235 breaches affecting over 32 million individuals across the last five Novembers, with network server breaches impacting the most people.

See also: HIPAA Compliant Email: The Definitive Guide


The bigger picture

The actions of NIST and the OCR directly respond to the glaring compliance gaps and escalating data breaches that have plagued the sector. By seeking feedback on the audit program, the OCR acknowledges the need for a more effective way of deterring noncompliance through the threat of fines. Meanwhile, NIST's publication provides a much-needed framework and guidance for organizations struggling to navigate the complexities of HIPAA compliance and cybersecurity threats.

See also: What is cybersecurity in healthcare?



What should healthcare organizations do about the updated NIST Security Rule Guidance?

Healthcare organizations should review the updated NIST Security Rule guidance thoroughly and assess their current compliance posture, cybersecurity practices, and strategies for safeguarding ePHI against threats.


What does the OCR do?

The OCR's job is to enforce HIPAA regulations, ensuring that covered entities and business associates comply with the rules to protect the privacy and security of health information.


Why is the NIST involved in HIPAA?

NIST provides guidelines and frameworks, such as Special Publication 800-66r2, to help organizations implement the technical and administrative safeguards required by the HIPAA Security Rule and to establish effective cybersecurity practices.
