
NIST Revises Health Care Cybersecurity Guidance Document; Comments Accepted Through September 21


The National Institute of Standards and Technology (NIST) is seeking comments on a recent draft publication that guides health care cybersecurity.

“Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2)” aims to help organizations comply with HIPAA, a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The draft publication is designed to help the industry maintain the confidentiality, integrity, and availability of electronic protected health information (ePHI), which includes patient data such as prescriptions, lab results, and records of hospital visits and vaccinations.

The draft was revised after NIST issued a pre-draft call for comments last year and received more than 400 responses. The revision maps every element of the HIPAA Security Rule to subcategories of the NIST Cybersecurity Framework and to controls in the latest version of NIST’s Security and Privacy Controls catalog (SP 800-53, Revision 5). It also places greater emphasis on the guidance’s risk management component, including the integration of enterprise risk management concepts.

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.”

NIST is accepting comments on the draft by email until September 21, 2022. See the NIST news item for the comment address and further details.


Jana Zabinski

Senior Director, Communications & Public Relations



Beth Goodbaum

Journalist/Communications Specialist

