NIST's Enhanced Guidance on HIPAA Security Compliance
Written by

Aron Lange

Published

Feb 29, 2024

This week the release of the NIST Cybersecurity Framework 2.0 has drawn a lot of attention.

But this article is about the release of a different NIST publication, one that has gone almost unnoticed by the public.

NIST SP 800-66 Rev. 2

Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

In a move that has flown somewhat under the radar, the National Institute of Standards and Technology (NIST) has released the final version of Special Publication (SP) 800-66r2, titled "Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide." This pivotal document, developed in close collaboration with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, serves as a comprehensive guide for HIPAA-regulated entities, including covered entities and business associates. It aims to assist these organizations in assessing and managing risks to electronic Protected Health Information (ePHI), thereby enhancing their cybersecurity measures and ensuring compliance with the HIPAA Security Rule.

Key Highlights of SP 800-66r2:

  • Risk Management Guidance: Detailed advice on evaluating and mitigating risks associated with ePHI.

  • Implementation Activities: Suggestions for actions that entities might undertake as part of their information security programs.

  • Compliance Assistance: Strategies to aid entities in meeting the requirements of the HIPAA Security Rule.

Resources for Practitioners

A significant portion of the guidance provided in SP 800-66r2 is accessible through NIST’s Cybersecurity and Privacy Reference Tool (CPRT). This tool offers a wealth of information, including:

  • Key Activities and Sample Questions: Insights from Section 5 of SP 800-66r2, offering practical advice on implementing an effective information security program.

  • Mappings to Frameworks and Controls: Detailed correlations between the HIPAA Security Rule’s standards and the NIST Cybersecurity Framework Subcategories, as well as SP 800-53r5 security controls.

  • Relevant NIST Publications: A comprehensive list of NIST documents pertinent to each standard of the HIPAA Security Rule, providing a rich resource for entities seeking to enhance their cybersecurity posture.

This is an example of a HIPAA Security Rule standard and the guidance to be found within the CPRT. Please note the provided mapping to NIST CSF and NIST SP 800-53.



Where to Find More Information

For those looking to delve deeper into the specifics of SP 800-66r2 and explore the available resources, the following platforms offer a starting point:

Conclusion

With the release of SP 800-66r2, NIST continues to support HIPAA-regulated entities in their ongoing efforts to secure ePHI against evolving cybersecurity threats. By leveraging the comprehensive guidance and resources provided, organizations can strengthen their information security programs and achieve greater compliance with the HIPAA Security Rule.

What else is new?

After a long time, I have released another video on my YouTube Channel. If you are currently preparing for the CISM exam by ISACA, then you don’t want to miss this one.

A broad selection of courses

Take one of our GRC courses and build impactful skills to advance your career.
