"NIST Updates Healthcare Cybersecurity, HIPAA Security Rule Guidance"

To assist organizations in safeguarding protected health information, the National Institute of Standards and Technology (NIST) issued updated healthcare cybersecurity and HIPAA Security Rule guidance. NIST is accepting comments on the draft publication until September 21. The revision makes it easier for health care organizations to improve their cybersecurity posture and comply with the Security Rule. The original guidance was published in 2008, and the updated guidance is intended to integrate seamlessly with the NIST Cybersecurity Framework and other resources developed after the original guidance. It should be noted that the HHS Office for Civil Rights (OCR) is in charge of enforcing HIPAA compliance. NIST's publication provides additional guidance on implementing HIPAA's provisions. The new guidance mapped HIPAA Security Rule elements to NIST Cybersecurity Framework subcategories. The guidance remains largely unchanged, with a few minor structural changes and a renewed emphasis on risk assessments and risk management. Identifying vulnerabilities or conditions that a threat could exploit to cause impact is a critical component of risk assessment. While examining threats and vulnerabilities as distinct elements is necessary, they are frequently considered together. NIST recommended that covered entities create a list of vulnerabilities that could be exploited and brainstorm ways in which PHI could be improperly disclosed. Following that, NIST recommended that organizations assess the potential consequences of a threat actor exploiting a vulnerability, determine the risk level, and document risk assessment results. This article continues to discuss NIST's new draft publication on healthcare cybersecurity and implementing HIPAA Security Rule requirements.

HealthITSecurity reports "NIST Updates Healthcare Cybersecurity, HIPAA Security Rule Guidance"