HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NIST Small Business Cybersecurity Act of 2017 Approved by SST Committee

Cybercriminals may not be targeting small healthcare practices to the same extent as large health systems, but as the OCR’s data breach portal shows, cyberattacks on small healthcare organizations occur frequently.

When cyberattacks occur they can be catastrophic for small businesses. Figures from the National Cybersecurity Alliance suggest 60% of small businesses cease trading within 6 months of experiencing a cyberattack. Faced with the financial burden of resolving a data breach, it is no surprise that so many businesses fail to make it through the next six months.

In order to prevent cyberattacks and keep sensitive health data secure, small healthcare organizations must effectively manage cybersecurity risks. However, many cybersecurity resources and security frameworks have been developed for medium to large sized businesses. Smaller organizations typically lack the necessary resources to be able to implement highly effective cybersecurity defenses and few have skilled cybersecurity staff to monitor and manage cybersecurity risks.

NIST has developed a cybersecurity framework to help organizations protect critical infrastructure, and while adoption of the framework can be advantageous for many businesses, for smaller organizations the demands are too great.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Late last year, NIST released a new guide specifically to help small businesses improve their cybersecurity posture. The guide was based on the NIST Framework for Improving Critical Infrastructure Cybersecurity and outlined best practices and standards and explained how an information security program can be implemented that balanced security with the capabilities of small businesses. Now further guidance for small businesses will be issued, following the approval of new legislation by the U.S. House Committee on Science, Space, and Technology last week.

The NIST Small Business Cybersecurity Act of 2017 calls for the National Institute of Standards and Technology to provide small to medium sized businesses with new guidance to allow them to reduce cybersecurity risk.

The NIST Small Business Cybersecurity Act requires NIST to develop clear and concise guidelines and make available appropriate tools, best practices, standards and methodologies to help small businesses identify, assess, manage and reduce cybersecurity risks. Those tools and guidelines will be based on the NIST Framework for Improving Critical Infrastructure Cybersecurity.

The new act does not make it mandatory for small businesses to access and follow the new guidance and best practices, although using the new resources will help small businesses effectively manage risk and prevent data breaches. The guidance and best practices, when completed, will be made available through the NIST website.

According to Chairman Lamar Smith (R-Texas), “The NIST Small Business Cybersecurity Act will help ensure that our small businesses have the information they need to protect themselves from cyber-attacks.”

Due to a squeeze on spending at NIST, the costs of developing the new resources and guidelines will have to be found from its existing budget. NIST has been given a year to develop and release the new guidance and resources.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.