HIPAA/HITECH , Standards, Regulations & Compliance

New Guides Aim to Help Health Sector Beef Up Cyber, Privacy

HHS OCR, NIST Finalize HIPAA Cyber Guide; HSCC Issues Security, Privacy Resource
New Guides Aim to Help Health Sector Beef Up Cyber, Privacy
Image: HHS, NIST

Two new guidance resources - one from government regulators and the other from an industry council - aim to help healthcare sector firms strengthen their approaches to protecting sensitive patient information and critical IT systems. The publications come as the Biden administration is pushing the sector to up its cyber game.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

One of the documents is a joint publication, "Special Publication 800-66 Revision 2, Implementing the HIPAA Security Rule," released by the Department of Health and Human Services' Office for Civil Rights and the National Institute of Standards and Technology on Friday.

The other document, also issued Friday, from the Healthcare and Public Health Sector Coordinating Council's Cybersecurity Working Group, is a guide to help healthcare sector entities better address "disconnects" between their privacy and cybersecurity functions "for improved overall compliance and operational efficiencies and effectiveness."

HIPAA/NIST CSF Crosswalk Guide

The new joint HHS OCR/NIST resource is meant to help HIPAA-covered entities and business associates map the HIPAA Security Rule's standards and implementation specifications to NIST Cybersecurity Framework subcategories and SP 800-53r5 security controls.

It is a finalized version of a draft guidance HHS OCR and NIST released in July 2022, and it supersedes an earlier, introductory HIPAA guide NIST released in 2008 (see: NIST Maps Cybersecurity Framework to HIPAA Security Rule).

As a supplement to the joint guidance, NIST posted on its website Friday an updated listing of available NIST resources to help healthcare sector entities address cybersecurity issues pertaining to specific topics. These resources address telehealth, mobile devices, IoT, medical devices, ransomware and phishing, cloud services, and application security.

The release of the joint HHS OCR/NIST guidance is the latest action by HHS supporting the Biden administration's evolving strategy to improve healthcare sector cybersecurity, which was outlined in a concept paper in December (see: Biden Administration Issues Cyber Strategy for Health Sector).

In January, also as part of the administration's strategy, HHS published a guidance paper detailing voluntary "essential" and "enhanced" cybersecurity performance goals for the healthcare sector (see: HHS Details New Cyber Performance Goals for Health Sector).

"Regulated entities should consider that employing cybersecurity practices can not only help a HIPAA-regulated entity comply with the Security Rule but can also assist with compliance with other federal mandates," the HHS OCR/NIST guidance says.

"Those other mandates include the Medicare Promoting Interoperability Program, which requires an annual risk assessment to avoid Medicare financial penalties, and forthcoming cyber incident reporting mandates from the Cybersecurity and Infrastructure Security Agency as required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022," the document says.

HHS said it is planning to issue a proposed update to the HIPAA Security Rule in the spring, as well as other potential new regulatory actions.

HSCC Privacy, Security Guide

The new guide from HSCC - a public-private industry council of more than 400 healthcare sector entities and 19 government agencies - aims to help organizations better address factors that contribute to disharmony between their privacy and security efforts.

HSCC's new guide aims to help bridge gaps between privacy and security teams within healthcare sector entities. (Image: HSCC)

"Factors ranging from organizational structure to conflicting priorities can lead to disconnect between Privacy and Security, increasing organizational risk," HSCC said in a statement.

The intended audience for the guidance includes healthcare privacy, security, and compliance leaders; their teams; and others "looking to develop best practices for privacy and security programs and policies," HSCC said.

The publication provides healthcare sector entities with assistance in addressing privacy and security friction in several areas, including helping entities identify intersections, interdependencies, and regulatory and operational distinctions between enterprise privacy and security disciplines; spotlighting challenges and risks that arise from gaps and misalignments between privacy and security functions and priorities; and recommending options for frameworks, best practices and measures to address those issues.

The guide "provides practical suggestions of collaborative practices" to help healthcare sector entities' privacy and security organizations work together more "proactively and cohesively," HSCC said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.