The National Institute of Standards and Technology aligned recent cybersecurity guidance helping agencies and organizations secure electronic protected health information with its newer frameworks, according to author Jeff Marron.
NIST Special Publication (SP) 900-66 Revision 2, Implementing the Health Insurance Portability Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, incorporates both its Cybersecurity Framework and SP 800-53 security controls.
The draft publication comes 14 years after the last revision of (SP) 900-66 and updates recommendations for protecting electronic protected health information (ePHI) per the HIPAA Security Rule to account for the rise in phishing and ransomware attacks affecting health care.
“The trick of it is that the ePHI that a regulated entity is holding has been entrusted to them by citizens, by regular people,” Marron, a NIST IT specialist, said. “You want to provide them the means to best protect the information from realistic threats and vulnerabilities.”
Technologies have changed too — cloud computing and telemedicine taking on greater importance — which will influence agencies and organizations risk assessments.
While ePHI was emphasized in Revision 1, Revision 2 shifts focus to risk management of environmental threats and vulnerabilities and assessing overall risk to reduce it to an acceptable level, Marron said.
NIST began work on Revision 2 in late 2020 and called for comments in spring 2021, so don’t expect another update anytime soon.
The guidance has “resource guide” in the title, and there’s a section where users can refer to other publications on topics NIST covers that Marron hopes to see turned into an updatable webpage — reducing the need for future revisions.
Respondents have until Sept. 21 to comment on the draft.