NIST Revises Cybersecurity Guidelines Specifically for HIPAA


NIST will accept comments on the updated draft publication regarding HIPAA’s Security Rule until September 21. 

The National Institute of Standards and Technology updated its guidance on how healthcare organizations and companies can protect their patients’ data security through new cybersecurity recommendations. 

Published on Thursday, the new draft cybersecurity resource guide is specifically intended to help agencies comply with the federal Health Insurance Portability and Accountability Act Security Rule, which stipulates the need to protect sensitive health data. The recommended implementation guidance emphasizes the confidentiality, availability and integrity of patient data.

“The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the security rule,” Jeff Marron, a NIST cybersecurity specialist, said.

The areas of coverage both HIPAA and NIST seek to safeguard fall within electronic protected health information, known as ePHI. Enhanced cybersecurity measures can help further protect ePHI-covered patient details such as prescription records, lab test results, vaccination records and hospital visit logs. 

Since HIPAA is a federal law, NIST does not individually create regulations to enforce it, but can develop cybersecurity guidance for federal agencies and related mandates. NIST will accept comments on the draft publication until Sept. 21.

“We have mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories and to controls in NIST SP 800-53’s latest version,” Marron said in a statement. “We have increased our emphasis on the guidance’s risk management component, including integrating enterprise risk management concepts.”