NIST Releases Draft Cybersecurity Resource Guide on HIPAA Security Rule Implementation | Foley & Lardner LLP
The National Institute of Standards and Technology (NIST) has released an early draft of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (Resource Guide ) for public comment. With this resource guide, NIST seeks to help HIPAA Regulated Entities – Covered Entities and Business Associates – understand and implement the HIPAA Security Rule and provides guidance on conducting the required periodic risk assessment. Notably, the Resource Guide is an update to NIST’s 2008 publication on implementing the HIPAA security rule.
The resource guide includes a brief overview of the HIPAA security rule, provides guidance on risk assessment and management for electronic protected health information (ePHI), identifies typical activities a regulated entity might consider implement as part of an information security program, and includes additional information resources that regulated entities may find helpful in implementing the security rule, such as a cross-reference between the rule standards of HIPAA security and the NIST cybersecurity framework.
Below is an overview of the content covered by the resource guide:
Considerations when applying the HIPAA security rule
Perhaps most useful is that NIST has broken down each HIPAA security rule standard into key activities that a regulated entity may consider implementing, adding a detailed description and providing sample questions that a regulated entity regulated could arise to help implement the safety rule. . For example, for the standard assigned security responsibility: “Identify the security officer who is responsible for developing and implementing the policies and procedures required by this subpart for the covered entity or associate commercial.”1 NIST provides examples of questions such as:
- Who in the organization is responsible for overseeing security policies, conducting risk assessment and management, managing the results of periodic security assessments and ongoing monitoring, and directing IT security purchases and investments?
- Does the security manager have adequate access and communication with senior management in the organization?
- Who in the organization is authorized to accept system risk on behalf of the organization?
These detailed guidance for each HIPAA security rule standard will be useful for regulatees who are struggling to adopt it with only the language of the HIPAA security rule and guidance from the Office for Civil Rights (OCR) at this point. topic. The resource guide should provide more practical considerations for regulated entities operating in today’s complex cybersecurity environment.
Risk Assessment Guidelines
The Risk Assessment Guidelines section of the Resource Guide provides a methodology for conducting a risk assessment. HIPAA security rules require that all regulated entities”[c]perform an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the Covered Entity or Business Associate” then “[i]implement sufficient security measures to reduce risks and vulnerabilities to a reasonable and appropriate level.”2 This is called the risk analysis (often referred to as the risk assessment) and the risk management plan, respectively. The results of the risk assessment should enable regulated entities to identify appropriate security controls to reduce risk to ePHI. The OCR does not prescribe any particular risk assessment or risk management methodology, but has provided guidance such as the Risk Analysis Guide and the Security Risk Assessment Tool in the past.
NIST’s advice in this area is similar to previous OCR advice:
- Prepare for the assessment. Before beginning the risk assessment, understand where ePHI is created, received, stored, processed, or transmitted. This should include all parties and systems to which ePHI is transmitted, including remote workers, external service providers, and medical devices that process ePHI.
- Identify realistic threats. Identify potential threat events and sources, including (but not limited to) ransomware, insider threats, phishing, environmental threats (eg, power failure), and natural threats (eg, a flood).
- Identify potential vulnerabilities and predisposing conditions. Identify vulnerabilities or conditions that can be exploited for the threats identified in step 2 to have an impact.
- Determine the likelihood of a threat exploiting a vulnerability. For each threat identified in Step 2, determine the likelihood of a threat exploiting a vulnerability. A low, moderate or high risk scale is commonly used but is not required.
- Determine the impact of a threat exploiting a vulnerability. The regulated entity must select an impact rating for each threat/vulnerability pair identified and may consider how the threat event may affect the loss or degradation of the confidentiality, integrity and/or availability of ePHI . Examples of impacts would include an inability to perform business functions, financial loss and reputational damage. Again, a low, moderate or high risk scale is commonly used but not required.
- Determine the level of risk. The level of risk is determined by analyzing the overall likelihood of the threat occurring (step 4) and the resulting impact (step 5). A risk level matrix can be useful in determining risk levels for each threat/vulnerability event pair.
- Document the results.
Similar to previous OCR guidelines, NIST reminds regulated entities that risk assessment is an ongoing activity, not a one-time, static task, and should be “updated periodically so that risks are properly identified, documented, and managed. afterwards”. .”
Failure to have a thorough and up-to-date risk assessment is one of the major failures documented by OCR in resolution agreements with regulated entities. Therefore, regulated entities should take this opportunity to determine when their last risk assessment was performed, ensure that the risk assessment adheres to previous OCR guidance, and also consider NIST guidance in this resource guide.
Risk Management Guidelines
NIST says the risk management guidelines introduce a “structured, flexible, extensible, and repeatable process” that regulated entities can use to manage identified risks and provide risk-based protection of ePHI. The regulated entity will need to determine which risk rating presents an unacceptable level of risk to the ePHI, given the regulated entity’s risk tolerance and appetite. Ultimately, the regulated entity’s risk assessment processes should inform its decisions regarding the implementation of sufficient security measures to reduce the risks to ePHI to levels consistent with the organizational risk tolerance.
The resource guide is still in draft form, with NIST continuing to accept public feedback on the guide’s usefulness and possible improvements through September 21, 2022.