Updated NIST Guidelines for Healthcare

On July 21, the National Institute of Standards and Technology (NIST) announced that it had updated its cybersecurity guidance for the healthcare industry in order to “help health care organizations protect patients’ personal health information[.]”

These updates came in the form of a new draft publication, titled “Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide” (NIST Special Publication 800-66, Revision 2). According to NIST, the new guide is designed to help the industry maintain “the confidentiality, integrity and availability of electronic protected health information” (“ePHI”), which includes “a wide range of patient data,” such as prescription information, lab and test results, and health records like hospitalizations and vaccination status.

This draft guidance is not a legal mandate or directive. As Jeff Marron, a NIST cybersecurity specialist, stated, “one of our main goals is to help make the updated publication more of a resource guide,” one that is “more actionable so that health care organizations can improve their cybersecurity posture and comply with the [HIPAA] Security Rule.” The guidance also makes clear that it does not create regulations to enforce the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the federal law that protects patients’ sensitive health information from unauthorized disclosure.

NIST’s latest resource guide is designed to integrate with its other cybersecurity and privacy guidance, including the Cybersecurity Framework (first published in 2014) and the current revision of Security and Privacy Controls (NIST SP 800-53), guidance that either did not exist or has since been revised when NIST issued its previous HIPAA guide in 2008, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” (SP 800-66, Revision 1).

In addition to integrating that later guidance, NIST states that the draft publication also reflects the “more than 400 unique responses” it received after issuing a pre-draft call for comments on April 29, 2021.

Because this guidance is still in draft form, NIST is seeking public comment and asks the following questions:

  • Do you find the overall organization of the document appropriate? Do you have suggestions for improving the document’s organization?

  • Is it helpful to have the Risk Assessment Guidance and Risk Management Guidance sections sequential? Do you have suggestions for improving these sections and/or making them more useful to regulated entities?

  • Are there Key Activities, Descriptions, and/or Sample Questions that should be added to or removed from the tables in Section 5? Are there specific techniques, threats, or topics that need to be added to Section 5 as Key Activities, Descriptions, and/or Sample Questions?

  • Does the appendix about the National Online Informative References (OLIR) Program help the reader? Is its purpose clear?

  • Is Appendix F helpful in its current format? Are there resources that should be added to or removed from the Appendix? Should Appendix F be reorganized in any way? Does the annotation of the resources help? Are there additional suggestions for improving Appendix F?

  • Are there sections of the publication that would be better extracted from the document and presented elsewhere (e.g., online or as Supplementary Materials hosted on the website)?

  • Are there additional topics that should be included in the main body or appendices?

The NIST is seeking public comment on the draft guidance by email to sp800-66-comments@nist.gov until September 21, 2022.

