
OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule

The risk of cyberattacks faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential that robust data security measures are implemented to keep electronic protected health information (ePHI) secure.

However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry. More than one in three Americans had their confidential medical data exposed or stolen in 2015. Over 113 million healthcare records were obtained by unauthorized individuals.

Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USA Today reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving Critical Infrastructure Cybersecurity was released by NIST. The cybersecurity framework is a voluntary risk-based approach to cybersecurity based on existing standards and guidelines. Many HIPAA-covered entities adopted this framework in order to improve their cybersecurity posture, while others implemented a host of measures in order to comply with the requirements of the HIPAA Security Rule.


The problem is that many healthcare entities have allowed security vulnerabilities to persist, and those vulnerabilities could potentially be exploited by hackers seeking access to ePHI.

To help HIPAA-covered entities address these gaps, the Department of Health and Human Services' Office for Civil Rights (OCR) has released a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework. The aim of the crosswalk is to help HIPAA-covered entities identify and address any gaps in their cybersecurity protections and better safeguard ePHI.

The Security Rule does not stipulate the technology that covered entities must implement. Instead, it was developed to be flexible and scalable. The Security Rule therefore allows the NIST cybersecurity framework to be incorporated.

The NIST cybersecurity framework can help covered entities improve their security posture, but simply adopting this framework does not guarantee HIPAA compliance.

OCR felt the crosswalk was necessary to help covered entities ensure that cybersecurity protections are improved, security gaps are addressed, and ePHI is better secured.

According to OCR, “The crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
