
OCR Issues Crosswalk Between NIST Cybersecurity Framework and HIPAA Security Rule

The risk of cyberattack faced by healthcare providers and other HIPAA-covered entities is greater than ever before. It is therefore essential for robust data security measures to be implemented to keep electronic protected health information secure.

However, the healthcare industry lags behind other industries when it comes to implementing cybersecurity protections. Many vulnerabilities have been allowed to persist, and cybercriminals have taken advantage. Targeted attacks on covered entities have led to record numbers of data breaches. 2015 was a particularly bad year for the healthcare industry: more than one in three Americans had their confidential medical data exposed or stolen in 2015, and over 113 million healthcare records were obtained by unauthorized individuals.

Over the past 3 years, more than 40% of data breaches have affected the healthcare industry. USA Today reports that 91% of healthcare organizations have experienced a breach of electronic protected health information.

Addressing Security Gaps and Improving Cybersecurity Posture

In 2014, the Framework for Improving Critical Infrastructure Cybersecurity was released by NIST. The cybersecurity framework is a voluntary, risk-based approach to cybersecurity built on existing standards and guidelines. Many HIPAA-covered entities adopted this framework in order to improve their cybersecurity posture, while others implemented a host of measures in order to comply with the requirements of the HIPAA Security Rule.


The problem is that many healthcare entities have allowed security vulnerabilities to persist, and those vulnerabilities could potentially be exploited by hackers seeking access to ePHI.

To help HIPAA-covered entities address these gaps, OCR has released a crosswalk between the HIPAA Security Rule and the NIST Cybersecurity Framework. The aim of the crosswalk is to help HIPAA-covered entities identify and address any gaps in their cybersecurity protections and better safeguard ePHI.

The Security Rule does not stipulate the specific technology that covered entities must implement. Instead, it was developed to be flexible and scalable, which allows the NIST cybersecurity framework to be incorporated into a covered entity's Security Rule compliance program.

The NIST cybersecurity framework can help covered entities to improve their security posture, but simply adopting this framework does not guarantee HIPAA compliance.

OCR felt the crosswalk was necessary to help covered entities ensure that cybersecurity protections are improved, security gaps are addressed, and ePHI is better secured.

According to OCR, “The crosswalk provides an informative tool for entities to use to help them more comprehensively manage security risks in their environments.”

The HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework can be downloaded here.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.