NIST Cybersecurity Resource Guide

SUMMARY

In July 2022,  the National Institute of Standards and Technology (NIST) released an updated draft cybersecurity resource guide [1] for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The purpose of the resource guide is to educate readers about the security standards included in the HIPAA Security Rule. It assists regulated entities in their implementation of this rule, which specifically focuses on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI). The new draft cybersecurity resource guide serves as an update to Revision 1 [2], which was published in 2008. The differences between the two revisions are summarized below.

‍

UPDATES IN REV. 2 OF THE NIST CYBERSECURITY RESOURCE GUIDE INCLUDE:

• Rev. 2 makes explicit connections to NIST’s Cybersecurity Framework [3] and Security and Privacy Controls [4]
• An increased emphasis on risk assessment and risk management components, including integrating enterprise risk management [5] concepts
• It takes into account more than 400 unique responses that NIST received in its 2021 pre-draft call for comments [6].
• Overall, much more actionable to enable regulated entities to comply with the Security Rule

‍

The resource guide presents an overview of the HIPAA Security Rule, discusses risk assessment and risk management activities, and identifies typical activities that a regulated entity might consider for implementing the rule.

‍

BRIEF OVERVIEW OF THE HIPAA SECURITY RULE

The HIPAA Security Rule states that the ePHI that a regulated entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. The six main sections of the HIPAA Security Rule are reviewed in order to provide the reader with an understanding of areas that should be addressed during implementation of the Security Rule.  Those sections include: Security Standards: General Rules; Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational Requirements; Policies and Procedures and Documentation Requirements.

‍

RISK ASSESSMENT AND RISK MANAGEMENT GUIDELINES RELATED TO ePHI

The HIPAA Security Rule includes a Security Management Process which requires regulated entities to “Implement policies and procedures to prevent, detect, contain and correct security violations.”

Risk analysis and risk management are critical to an entity’s compliance efforts with the Security Management Process. The resource guide provides foundational information about risk assessment and risk management in order to be in compliance. 

‍

For risk assessment, practical steps that a regulated entity can take are presented. Although there is no one-size-fits-all risk assessment methodology, the following steps are presented as an example of a comprehensive risk assessment process: 

1. Prepare for the Assessment: understand where ePHI is created, received, maintained, processed, or transmitted. Regulated entities should consider all parties and systems to which ePHI is transmitted. This includes, but is not limited to, physical devices or media that contain ePHI, remote workers who handle ePHI, and third party service providers that store, process, or transmit ePHI.
2. Identify Realistic Threats: identify potential threat events and threat sources that are applicable to the regulated entity and its operating environment. Information gathered from the preparation step can be used to aid in identifying realistic threats.
3. Identify Potential Vulnerabilities and Predisposing Conditions: develop a list of vulnerabilities (flaws or weaknesses) that could be exploited for the threats identified in Step 2 to have an impact. Internal sources (such as previous risk assessments, vulnerability scan and system security test results) and external sources (such as internet searches or National Vulnerability Database) can be used to develop this list.
4. Determine the Likelihood of a Threat Exploiting a Vulnerability: determine the likelihood of a threat successfully exploiting a vulnerability for threats identified in Step 2. A likelihood value can be assigned to each threat/vulnerability pairing, with a Very Low - Low - Moderate - High - Very High scale provided as an example.
5. Determine the Impact of a Threat Exploiting a Vulnerability: determine the impact that could occur to ePHI if a threat event exploits a vulnerability. An impact value can be assigned to each threat/vulnerability pairing. An impact rating scale similar to the one used in Step 4 can be used. 
6. Determine the Level of Risk: the likelihood value of a threat occurrence (Step 4) and its impact value (Step 5) are used to determine the level of risk. A Risk Matrix that aligns with the ratings scales used for Steps 4 and 5 can be helpful.  Sample Risk Matrices are provided to the reader as examples of ways to determine risk levels. 
7. Document the Results: once a risk assessment has been completed, the results should be documented, for example, in a risk register.

‍

Once risk levels are determined through a risk assessment, the NIST resource guide details considerations for regulated entities on how to manage risks related to ePHI. The way that an entity manages risks will vary from organization to organization, based on their risk tolerance level, but some practical approaches and examples are suggested. It is also noted that risk management activities should be performed with regular frequency to examine past decisions, reevaluate risk likelihood and impact levels, and assess the effectiveness of past remediation efforts.

‍

TYPICAL ACTIVITIES TO CONSIDER WHEN IMPLEMENTING AN INFORMATION SECURITY PROGRAM

The resource guide provides a set of tables that are designed to initiate the thought process for regulated entities to implement the requirements of the HIPAA Security Rule. Tables are organized by the various HIPAA Security Rule standards. Each table includes the following: 

• key activities associated with security functions suggested by each HIPAA Security Rule standard or associated with a robust security process.
• a description including an expanded explanation of each key activity.
• sample questions that a regulated entity can ask itself to determine whether the Security Rule standard has been adequately implemented.

‍

CONCLUSION

With this resource guide, NIST seeks to help HIPAA regulated entities in implementing and complying with the requirements of the HIPAA Security Rule. It includes a strong focus on risk assessment and risk management techniques specific to ePHI. It also provides a comprehensive, although not exhaustive, list of activities for regulated entities to consider during implementation of the HIPAA Security Rule. The resource guide is still in draft form, with the public comment period ending on September 21, 2022. 

‍

REFERENCES

1. NIST Special Publication 800-66 Rev. 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-66r2.ipd.pdf 
2. NIST Special Publication 800-66 Rev. 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule:https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final
3. NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
4. NIST Security and Privacy Controls for Information Systems and Organizations: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
5. NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM): https://csrc.nist.gov/publications/detail/nistir/8286/final
6. NIST PRE-DRAFT Call For Comments: Implementing the HIPAA Security Rule: https://csrc.nist.gov/publications/detail/sp/800-66/rev-2/archive/2021-04-29