06 Apr 2020

With the halt of HIPAA (Health Insurance Portability and Accountability Act of 1996) audits by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), the healthcare industry is seeing a decline of about 2% annually in compliance with HIPAA’s Security Rule (NIST SP 800-66). With that, however, has come a rise in adoption of the National Institute of Standards and Technology’s (NIST) “Cyber Security Framework” (CSF) guidelines, which is a truly interesting trend, one that makes us wonder if NIST CSF will one day replace the Security Rule.

HIPAA Security Rule Overview

For those who need a quick refresher, the HIPAA Security Rule is the part of HIPAA that was created to ensure that patients’ electronic protected health information (ePHI) is adequately protected. There are six main categories:

  1. Security Standards: the general requirements all covered entities (CEs) must meet. The standards:
    • Establish flexibility of approach.
    • Identify standards and implementation specifications.
    • Outline decisions a covered entity must make regarding addressable implementation specifications.
    • Require maintenance of security measures to continue reasonable and appropriate protection of electronic protected health information.
  2. Administrative Safeguards: the administrative actions, policies, and procedures CEs must implement. They:
    • Manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information.
    • Manage the conduct of the covered entity’s workforce in relation to the protection of that information.
  3. Physical Safeguards: the physical protections that must be put in place. They:
    • Are physical measures, policies, and procedures.
    • Relate to buildings and equipment.
    • Range from natural and environmental hazards to unauthorized intrusions.
  4. Technical Safeguards: technological policies and procedures to:
    • Protect ePHI.
    • Control access to ePHI.
  5. Organizational Requirements: the standards for business associates (BAs), contracts, and other arrangements, which include:
    • Written proof of understanding between a CE and a BA.
    • Requirements for group health plans.
  6. Policies and Procedures and Documentation Requirements: require implementation of:
    • “Reasonable and appropriate” policies and procedures to comply with the standards.
    • Specifications and other requirements of the Security Rule.
    • Maintenance of written documentation and/or records required by the Security Rule, including:
      • Policies.
      • Procedures.
      • Actions.
      • Activities.
      • Assessments.
    • Retention, availability, and updates related to documentation.

NIST CSF Overview

The NIST CSF differs from the Security Rule in that it was developed in response to an executive order to improve the cybersecurity of critical infrastructure, and its robust framework allows it to be scaled beyond JUST critical infrastructure.

It comprises five “Functions,” each of which contains “Categories”:

  1. Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
    • Asset Management
    • Business Environment
    • Governance
    • Risk Assessment
    • Risk Management Strategy
  2. Protect: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.
    • Access Control
    • Awareness and Training
    • Data Security
    • Information Protection & Procedures
    • Maintenance
  3. Detect: Develop and implement the appropriate activities to identify the occurrence of a security event.
    • Anomalies and Events
    • Security & Continuous Monitoring
    • Detection Procedures
  4. Respond: Develop and implement the appropriate activities when facing a detected security event.
    • Response Planning
    • Communications
    • Analysis
    • Mitigation
    • Improvements
  5. Recover: Develop and implement the appropriate activities for resilience and to restore any capabilities or services that were impaired due to a security event.
    • Recovery Planning
    • Improvements
    • Communications

In addition to these Functions and Categories, there are also four “Tiers” that build on top of each other and indicate where a company is in their journey to compliance (CMMC, anyone?):

  • Tier 1 – Partial: The company does not have formal cyber security policies or procedures in place and is running the risk of an attack.
  • Tier 2 – Risk-Informed: Though there aren’t necessarily formal cyber security policies and procedures in place across the company, at least the management team is aware and somewhat knowledgeable about threats; the company is still reactive.
  • Tier 3 – Repeatable: There are formal cyber security policies and procedures in place, though there is room for improvement.
  • Tier 4 – Adaptive: The organization is well-trained and well-prepared. It learns from former mistakes and there is company-wide awareness of potential threats and vulnerabilities. The company is proactive in its approach.

CSF vs Security Rule

While the Security Rule APPEARS to be both detailed and exhaustive, the NIST CSF is actually one of the most commonly adopted frameworks for cyber security across numerous industries, not just healthcare. For example, it was the cyber security inspiration for a number of noteworthy regulations:

  • DFARS – Department of Defense (DoD) contractors
  • CMMC – All federal contractors and sub-contractors; currently being implemented, will replace DFARS and NIST SP 800-171
  • NYDFS – Financial services
  • Model Law – Insurance Companies

One critical difference between the HIPAA Security Rule and NIST CSF is that while the Security Rule requires its users to check off boxes, NIST CSF requires critical thinking. NIST CSF is proactive, whereas the HIPAA Security Rule is merely reactive. As hackers grow more and more sophisticated, businesses will be forced to learn and actually think about cyber security, not just mark it off and move along.

This is important, especially in the healthcare industry, because a growing trend has been to attack hospitals and medical facilities. They make, unfortunately, fantastic targets because people’s health is essentially an inelastic demand, meaning that patients and medical facilities will pay just about any price to protect their patients. Couple that with the fact that, even with HIPAA, the healthcare industry is well-known to be woefully underprepared regarding its cyber security measures.

Easy pickings.

What it boils down to, however, is that the need for cyber security is vitally important, and the NIST CSF – NOT the Security Rule – has essentially morphed into THE gold standard across multiple industries. When companies in the healthcare industry implement NIST CSF, they are better prepared for an attack.

Is HIPAA Enough?

Yes and no.

If you are speaking strictly about patient privacy, HIPAA is great. But if you get into cybersecurity, it just might not be enough, which is why healthcare organizations are so often the target of cyberattacks.

What Should I Do?

Lucky for you, PTG is well-versed in ALL cyber security regulations. If you are ready to protect your business, or you just have questions about getting started, call us at 919-422-2607 or schedule a free consultation online. We are always here to help.
