
OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule


The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure.

However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist, and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry: more than one in three Americans had their confidential medical data exposed or stolen in 2015, and over 113 million healthcare records were obtained by unauthorized individuals.

Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USA Today reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving Critical Infrastructure Cybersecurity was released by NIST. The cybersecurity framework is a voluntary, risk-based approach to cybersecurity built on existing standards and guidelines. Many HIPAA-covered entities adopted this framework in order to improve their cybersecurity posture, while others implemented a host of measures in order to comply with the requirements of the HIPAA Security Rule.

The problem is that many healthcare entities have allowed security vulnerabilities to persist, and those vulnerabilities could potentially be exploited by hackers seeking access to ePHI.

To help HIPAA-covered entities address these gaps, OCR has released a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework. The aim of the crosswalk is to help HIPAA-covered entities identify and address any gaps in their cybersecurity protections and better safeguard ePHI.

The Security Rule does not stipulate the technology that covered entities must implement. Instead, it was developed to be flexible and scalable, which allows the NIST cybersecurity framework to be incorporated into a Security Rule compliance program.

The NIST cybersecurity framework can help covered entities to improve their security posture, but simply adopting this framework does not guarantee HIPAA compliance.

OCR felt the crosswalk was necessary to help covered entities ensure that cybersecurity protections are improved, security gaps are addressed, and ePHI is better secured.

According to OCR, “The crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”

The HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework can be downloaded here.

Author: HIPAA Journal

