With the halt of HIPAA (Health Insurance Portability and Accountability Act of 1996) audits by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the healthcare industry is seeing a decline of about 2% annually in compliance with HIPAA’s Security Rule (see NIST SP 800-66). At the same time, adoption of the National Institute of Standards and Technology’s (NIST) “Cybersecurity Framework” (CSF) has been rising, which is a truly interesting trend, and one that makes us wonder whether NIST CSF will one day replace the Security Rule.
HIPAA Security Rule Overview
For those who need a quick refresher, the HIPAA Security Rule is a supplement to HIPAA that was created to ensure that patients’ electronic protected health information (ePHI) is adequately protected. There are six main categories:
- Security Standards: the general requirements all covered entities (CEs) must meet. They:
  - Establish flexibility of approach.
  - Identify standards and implementation specifications.
  - Outline decisions a covered entity must make regarding addressable implementation specifications.
  - Require maintenance of security measures to continue reasonable and appropriate protection of ePHI.
- Administrative Safeguards: the administrative actions, policies, and procedures CEs must implement. They:
  - Manage the selection, development, implementation, and maintenance of security measures to protect ePHI.
  - Manage the conduct of the covered entity’s workforce in relation to the protection of that information.
- Physical Safeguards: the physical protections that must be put in place. They:
  - Consist of physical measures, policies, and procedures.
  - Relate to buildings and equipment.
  - Cover everything from natural and environmental hazards to unauthorized intrusions.
- Technical Safeguards: the technological policies and procedures that:
  - Protect ePHI.
  - Control access to ePHI.
- Organizational Requirements: the standards for business associates (BAs), contracts, and other arrangements, which include:
  - Written proof of understanding between a CE and a BA.
  - Requirements for group health plans.
- Policies and Procedures and Documentation Requirements: these require implementation of:
  - “Reasonable and appropriate” policies and procedures to comply with the standards.
  - Specifications and other requirements of the Security Rule.
  - Maintenance of written documentation and/or records required by the Security Rule, including:
    - Policies.
    - Procedures.
    - Actions.
    - Activities.
    - Assessments.
  - Retention, availability, and updates related to documentation.
NIST CSF Overview
The NIST CSF differs from the Security Rule in that it was developed in response to an executive order to improve cybersecurity for critical infrastructure, and its robust framework allows it to be scaled well beyond JUST critical infrastructure.
It is composed of five “Functions,” each of which contains “Categories”:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  - Asset Management
  - Business Environment
  - Governance
  - Risk Assessment
  - Risk Management Strategy
- Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
  - Access Control
  - Awareness and Training
  - Data Security
  - Information Protection Processes & Procedures
  - Maintenance
- Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
  - Anomalies and Events
  - Security & Continuous Monitoring
  - Detection Procedures
- Respond: Develop and implement the appropriate activities when facing a detected security event.
  - Response Planning
  - Communications
  - Analysis
  - Mitigation
  - Improvements
- Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
  - Recovery Planning
  - Improvements
  - Communications
In addition to these Functions and Categories, there are also four “Tiers” that build on top of each other and indicate where a company is in its journey to compliance (CMMC, anyone?):
- Tier 1 – Partial: The company does not have formal cybersecurity policies or procedures in place and is running the risk of an attack.
- Tier 2 – Risk-Informed: Though there aren’t necessarily formal cybersecurity policies and procedures in place across the company, at least the management team is aware of and somewhat knowledgeable about threats; the company is still reactive, however.
- Tier 3 – Repeatable: There are formal cybersecurity policies and procedures in place, though there is room for improvement.
- Tier 4 – Adaptable: The organization is well-trained and well-prepared. It learns from former mistakes, and there is company-wide awareness of potential threats and vulnerabilities. The company is proactive in its approach.
CSF vs Security Rule
While the Security Rule APPEARS to be both detailed and exhaustive, the NIST CSF is actually one of the most commonly adopted cybersecurity frameworks across numerous industries, not just healthcare. For example, it served as the cybersecurity muse for a number of noteworthy regulations:
- DFARS – Department of Defense (DoD) contractors
- CMMC – All federal contractors and sub-contractors; currently being implemented, will replace DFARS and NIST SP 800-171
- NYDFS – Financial services
- Model Law – Insurance Companies
One critical difference between the HIPAA Security Rule and NIST CSF is that while the Security Rule lets its users check off boxes, NIST CSF requires critical thinking. NIST CSF is proactive, whereas the HIPAA Security Rule is merely reactive. As attackers grow more and more sophisticated, businesses will be forced to learn and actually think about cybersecurity, not just mark it off and move along.
This is important, especially in the healthcare industry, because a growing trend has been to attack hospitals and medical facilities. They make, unfortunately, fantastic targets because people’s health is essentially an inelastic demand, meaning that patients and medical facilities will pay just about any price to protect patients. Couple that with the fact that, even with HIPAA, the healthcare industry is well known to be woefully underprepared when it comes to its cybersecurity measures.
Easy pickings.
What it boils down to, however, is that cybersecurity is vitally important, and the NIST CSF, NOT the Security Rule, has essentially morphed into THE gold standard across multiple industries. When companies in the healthcare industry implement NIST CSF, they are better prepared for an attack.
Is HIPAA Enough?
Yes and no.
If you are speaking strictly about patient privacy, HIPAA is great. But when it comes to cybersecurity, it just might not be enough, which is why healthcare organizations are so often the target of cyberattacks.
What Should I Do?
Lucky for you, PTG is well-versed in ALL cybersecurity regulations. If you are ready to protect your business, or you just have questions about getting started, call us at 919-422-2607 or schedule a free consultation online. We are always here to help.