The National Institute of Standards and Technology (NIST) is seeking comments on a recent draft publication that guides health care cybersecurity.
“Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2)” aims to help organizations comply with HIPAA, a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
The draft publication is designed to help the industry maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI), which includes patient data such as prescriptions, lab results, and records of hospital visits and vaccinations.
The draft was revised after NIST issued a pre-draft call for comments last year and received more than 400 responses. The revision maps all the elements of the HIPAA Security Rule to NIST’s Cybersecurity Framework subcategories and to controls in the latest version of NIST’s Security and Privacy Controls. It places greater emphasis on the guidance’s risk management component, including the integration of enterprise risk management concepts.
“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.”