New NIST Guidance on Compliance with the HIPAA Security Rule
Published On August 15, 2022
NIST has released new guidance for covered entities to comply with the HIPAA Security Rule. The publication is titled: Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide.
Much of the guidance is not new, per se, but it includes very specific and concrete guidance and examples of how to interpret and align with HIPAA Security Rule implementation specifications.
You might ask why such clarifications are still needed a few decades after adoption of the HIPAA Security Rule. The answer is that many covered entities still miss the mark on OCR’s fundamental expectations for compliance with HIPAA and end up with large financial settlements due to non-compliance with the rule.
This blog post provides a summary of key points in the new NIST publication alongside Meditology’s analysis and further recommendations in support of NIST’s guidance.
Common Misconceptions Clarified
NIST has focused this updated guidance on some of the more common areas of misinterpretation, particularly around the risk analysis requirements and implementation specifications for addressable provisions including encryption.
The NIST guidance includes key activities, descriptions, and sample questions provided for each standard. The key activities suggest actions that are often associated with the security function or functions suggested by that standard. The descriptions provide expanded explanations about each of the key activities, as well as the types of activities that a regulated entity may pursue in implementing the standard.
The following sections summarize NIST’s guidance for 18 critical HIPAA compliance domains covered in this new publication.
Risk Assessment & Risk Analysis
Risk analysis and risk assessments remain one of the most commonly misinterpreted requirements in the HIPAA Security Rule. In a nutshell, your risk assessments must cover every place where PHI or ePHI may exist, and the assessment must be accurate and thorough: it should identify threat events, threat sources, and vulnerabilities, and evaluate likelihood, impact, and the resulting risk for each.
The accurate and thorough requirement, in particular, is essential for conducting compliant risk analysis processes. To use an analogy, imagine you take your car in for inspection and they only look at the tires and fail to inspect the engine or the brakes or other critical components necessary for the safety and basic operation of the vehicle. It is safe to say that the mechanics failed to perform an "accurate and thorough" inspection of your vehicle. The same applies if you perform a HIPAA Security Risk Assessment and only inspect a handful of key applications and systems, but fail to consider everywhere that ePHI exists including portable and mobile devices, medical devices, cloud-hosted platforms, third-party vendors, and more.
Refer to Meditology’s related blog post: Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs for more information about risk analysis requirements, guidance, and misconceptions.
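To make the "accurate and thorough" point concrete, the following added example (not code from NIST or Meditology) checks a constructed ePHI asset inventory against the scope of a risk analysis, flagging ePHI-bearing assets and whole asset classes that were never assessed, and builds a simple risk register. The three-level likelihood and impact scales and the risk = likelihood x impact scoring are assumptions for illustration, not a method prescribed by the NIST guide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str          # inventory identifier (constructed)
    asset_class: str   # e.g. application, portable_device, cloud_platform
    holds_ephi: bool   # whether ePHI is stored, processed or transmitted here

# Constructed sample inventory covering the asset types the post says are
# commonly left out of a risk analysis.
INVENTORY = [
    Asset("ehr-prod", "application", True),
    Asset("billing-db", "application", True),
    Asset("nurse-tablets", "portable_device", True),
    Asset("infusion-pumps", "medical_device", True),
    Asset("cloud-pacs", "cloud_platform", True),
    Asset("transcription-vendor", "third_party_vendor", True),
    Asset("cafeteria-pos", "application", False),   # no ePHI, so out of scope
]

def coverage_gaps(inventory, assessed_names):
    """ePHI assets that the risk analysis never looked at (sorted by name)."""
    return sorted(a.name for a in inventory
                  if a.holds_ephi and a.name not in assessed_names)

def unassessed_classes(inventory, assessed_names):
    """Whole asset classes holding ePHI with no assessed member at all."""
    ephi_classes = {a.asset_class for a in inventory if a.holds_ephi}
    covered = {a.asset_class for a in inventory if a.name in assessed_names}
    return sorted(ephi_classes - covered)

# Assumed qualitative scale; map levels to 1..3 and multiply.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

def risk_score(likelihood, impact):
    """Assumed scoring: likelihood level times impact level (1..9)."""
    return LEVELS[likelihood] * LEVELS[impact]

def risk_register(findings):
    """findings: (asset, threat_event, threat_source, vulnerability,
    likelihood, impact) tuples; returns rows sorted by descending risk."""
    rows = [{"asset": a, "threat_event": te, "threat_source": ts,
             "vulnerability": v, "risk": risk_score(lk, im)}
            for a, te, ts, v, lk, im in findings]
    return sorted(rows, key=lambda r: r["risk"], reverse=True)
```

A scope that only names the two core applications yields four uncovered ePHI assets and four entirely unassessed asset classes, which is the "tires only" inspection the analogy warns against.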
Documentation Templates
According to NIST’s guidance, regulated entities may find value in utilizing templates that facilitate the creation of required documentation. The templates recommended by NIST for consideration include:
- Sample Business Associate Agreement (BAA) Provisions
- HICP Managing Threats and Protecting Patients: Resources and Templates
Small Regulated Entities
According to NIST, smaller regulated entities with limited resources may face additional challenges in complying with the Security Rule’s requirements. These resources may provide smaller organizations with the guidance needed to improve their cybersecurity posture while complying with the Security Rule.
The NIST guidance includes links to 10 different resources for smaller regulated entities. Examples include "Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations", "Security Standards: Implementation for the Small Provider", "NIST Small Business Cybersecurity Corner", and more.
Telehealth/Telemedicine Guidance
Telehealth and telemedicine technologies can provide advantages to delivering patient care. However, new risks to ePHI can also be introduced.
Regulated entities need to consider the security practices of the telehealth platforms that they utilize. Consideration must also be given to where telehealth meetings are taking place. Are personnel present who do not have authorization to access PHI? Are any devices (e.g., IoT devices) present that are listening and/or recording?
Refer to the following Meditology resources for additional guidance on this topic:
- Webinar Replay: The Doctor Will See You Now: Telehealth Adoption, Security, & Privacy
- Podcast: CyberPHIx Roundup episode including updates on OCR enforcement of HIPAA mandates for telehealth providers
Mobile Device Security
Physicians, healthcare providers, and other healthcare professionals use smartphones, laptops, and tablets in their work. The U.S. Department of Health and Human Services has gathered tips and information to help protect and secure health information when using mobile devices.
NIST provides links to publications including "How Can You Protect and Secure Health Information When Using a Mobile Device?", "Managing Mobile Devices in Your Health Care Organization", and "A Guide to Understanding Your Organization’s Mobile Device Policies & Procedures Fact Sheet".
Cloud Services
Like many technologies, cloud services can provide benefits to patient care and can also assist regulated entities in complying with the Security Rule. However, cloud services can also introduce risks to ePHI. NIST provides resources that can help regulated entities understand, select, and manage cloud services.
Resources provided in the NIST document include "Cloud Security Basics", "Cloud Computing Synopsis and Recommendations", and more.
Refer to the following Meditology resources for additional guidance on this topic:
- Infographic: Healthcare CISOs: It’s Time to Put Your Head in the Clouds
- Website: Meditology’s Cloud Security Services
Ransomware and Phishing
New threats are constantly emerging and ransomware has certainly topped that list for the last several years for healthcare entities. NIST indicates that the resources they provide can help regulated entities protect ePHI from ransomware and phishing, two common threats. The recommendations in these resources may also help regulated entities protect ePHI from a variety of other threats.
The NIST document includes links to over a dozen ransomware sites and resources.
Refer to the following Meditology resources for additional guidance on this topic:
- Webinar Replay: Seek and Destroy: Ransomware and Destructive Malware in Cyberwar
- Case Study: Ransomware Locks Up 80% of 54-Hospital Health System
- Blog: Take a Pen Test Pill: Inoculation for Ransomware
Education, Training, and Awareness
According to NIST, cybersecurity risk management and compliance with the Security Rule are ongoing activities that require the support of organizational personnel. The resources provided in the NIST guidance publication can help regulated entities develop and maintain programs that invest in the education, training, and awareness of personnel.
Resources provided for this domain include "Cybersecurity Newsletter Archive", "Security Risk Assessment Videos", "Security Rule Education Papers", and more.
Medical Device and Medical Internet of Things (IoT) Security
Connected medical devices are an important component of modern patient care. However, precautions must be taken to securely integrate these devices into organizational networks and to protect ePHI.
Resources in the NIST publication include: "FDA Medical Device Cybersecurity", "HICP Fact Sheet - Attacks Against Connected Medical Devices", "Postmarket Management of Cybersecurity in Medical Devices", and more.
Refer to the following Meditology resources for additional guidance on this topic:
- Blog: White House and FDA Launch New Medical Device Security Plan
- Podcast: Healthcare CISOs Sound Off, Volume 1: Medical Device Security
- Blog: Navigating the Library of Medical Device Security Standards
Protection of Organizational Resources and Data
Protecting the confidentiality, integrity, and availability of ePHI is paramount to the Security Rule. ePHI is often accessed via organizational resources (e.g., assets, services, workflows, network accounts, etc.).
NIST provides a range of resources in this section including publications on zero trust architecture, digital identity guidelines, trustworthy email, and more.
Incident Handling/Response
According to NIST, at some point, every organization is going to experience a cybersecurity incident. The resources in this section of the publication assist regulated entities in planning for incidents and properly handling those that threaten ePHI.
Resources provided in this section include "OCR Cyber Attack Checklist", "Cyber Attack Quick Response Infographic", "Best Practices for Victim Response & Reporting Cyber Incidents", and more.
Refer to the following Meditology resources for additional guidance on this topic:
- Blog: Fighting Cyber Fires: Cybersecurity Incident Response Checklist for Hospitals
- Infographic: The Secret Sauce for Cybersecurity Incident Response
- Podcast: In the Eye of the Hurricane: Business Continuity and Emergency Preparedness
- Podcast: People Get Ready, Cyber Incidents are Coming
- Blog: Shields Up: Cyberwar Preparation and Response for Healthcare
Equipment and Data Loss
ePHI can be put at risk due to loss of organizational equipment or data. These resources from NIST provide regulated entities with the information needed to prevent the loss of equipment or data and to mitigate the effects of loss.
Resources in this section include fact sheets and threat slides related to loss or theft of sensitive data.
Contingency Planning
Information systems are vital elements in most business processes. For regulated entities, these systems help to store, process, and transmit ePHI. It is critical for the services provided by these systems to operate effectively without excessive interruption.
Contingency planning supports this requirement by enabling the recovery of systems following disruptions. Regulated entities may find these resources helpful in creating and maintaining contingency plans.
The NIST publication includes links to a range of resources on business continuity and disaster recovery including contingency planning templates and planning guides.
Supply Chain
This is arguably one of the most critical risks facing healthcare entities today. Organizations obtain many products and services from third parties that can help in the protection of ePHI. However, regulated entities need to ensure the security of these products and services.
The NIST publication includes links to a healthcare industry cybersecurity supply chain risk management guide and several other related documents.
Meditology’s sister company, CORL Technologies, is dedicated to supply chain risk management for healthcare entities. Refer to CORL’s Resource Center for a wide array of educational materials on this topic.
Information Sharing
Regulated entities may find benefits in both the sharing and receiving of information related to cybersecurity and the protection of ePHI. These resources can assist regulated entities in setting up and maintaining organizational information sharing programs.
NIST provides resources including "Health Industry Cybersecurity Information Sharing Best Practices" and "Guide to Cyber Threat Information Sharing".
Access Control/Secure Remote Access
To protect ePHI, regulated entities need to ensure proper access control to ePHI, covering both access from inside the organization and remote access. The resources in this section can help regulated entities secure access to ePHI.
NIST’s resources referenced in this section include guides for telework and remote access security, guides for BYOD policies, two-factor authentication publications, and more.
Telework
This is perhaps one of the timeliest topics that NIST covers in this latest guidance. Many organizational personnel work remotely and/or telework, particularly following the organizational changes that resulted from the pandemic. To protect ePHI, regulated entities need to ensure that workers are securely connecting to organizational resources. The resources in this section may help regulated entities in securing organizational telework.
NIST provides six separate publications with recommendations for securing remote work environments.
Refer to the following Meditology resources for additional guidance on this topic:
Cybersecurity Workforce
A properly skilled and knowledgeable workforce is essential to meeting organizational missions and protecting ePHI. This section includes a single reference document: "Workforce Framework for Cybersecurity (NICE Framework)".
Conclusion
This is not the end of NIST’s efforts to support healthcare organizations with their HIPAA compliance needs. NIST is accepting comments on the publication until September 21.
Meditology will continue to keep you apprised of updates from HHS, NIST, OCR, and other federal bodies on ways to maintain compliance with the HIPAA Security Rule and lower cybersecurity risk for your organization.