Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs.
The Health Insurance Portability and Accountability Act (HIPAA) governs the protection of PHI and, in doing so, provides the framework within which healthcare organizations must act toward that mission. However, HIPAA isn’t the only source of truth for securing PHI. For additional guidance, compliance and security officers and technical managers look to another document, NIST SP 800-66.
How Does NIST Connect to HIPAA?
HIPAA is a federal regulation administered by the Department of Health and Human Services (HHS). As such, it sits within the larger ecosystem of governmental regulations on cybersecurity and data protection.
However, HIPAA itself doesn’t lay out the minutiae of its implementation. For example, the HIPAA Security Rule (which outlines the requirements a Covered Entity or Business Associate faces in protecting PHI at rest or in transit) demands that organizations encrypt PHI, but it doesn’t specify an algorithm or method. Instead, it leaves this decision open to interpretation, with the understanding that the encryption selected must reasonably secure data from unauthorized access: an encryption algorithm that hasn’t been broken.
To help CEs and BAs better understand the nuts and bolts of compliance, the National Institute of Standards and Technology (NIST) maintains Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule.”
This document sets out to “summarize the HIPAA security standards and explain some of the structure and organization of the Security Rule.” In other words, it gives the Security Rule’s requirements a structure that helps organizations implement the regulation effectively.
To this effect, NIST 800-66 addresses the three key aspects of the security rule:
- Administrative Security
- Physical Security
- Technical Security
NIST 800-66 and Administrative Safeguards
Administrative security is the development of programs, policies, and procedures to promote and maintain security and compliance. While these will inevitably overlap with other technical and physical safeguards, they also represent unique approaches to overall organizational security.
- Systems Management: It’s crucial for organizations to have policies in place to define, structure and operationalize their HIPAA efforts. This includes programs to structure how configurations and upgrades work, how to adopt new security standards and what the standard operating procedures (SOPs) are around everything related to compliance and cybersecurity.
- Risk Management: Risk is quickly becoming a defining paradigm for cybersecurity and compliance, if for no other reason than the complex challenges of modern cyber threats call for comprehensive and forward-thinking mitigation. NIST 800-66 calls for a series of questions about how an organization can approach risk, including reference to NIST SP 800-30, “Guide for Conducting Risk Assessments.”
- Acquisition: Simply put, the protocols and assessments necessary to acquire, inventory, and remove data systems over time.
- Education and Sanctions: Employees need to understand their responsibilities as part of your organization, including training for regulations and an understanding of the repercussions for non-compliance for both the individual and the organization.
- Roles and Clearance: There must be a comprehensive, role-based system in place to define who is authorized to access PHI and how, and clearance related to roles must be enshrined in documented organization hierarchies. Additionally, clear roles related to security and compliance (compliance officers, CISOs, etc.) must also be defined in company documentation.
NIST 800-66 and Physical Safeguards
As the name states, physical safeguards cover the physical security measures your organization implements around its facilities, devices and media.
- Facility Access Control: Data centers and any location with PHI must have physical security in place, including security personnel, required guest logging, security cameras and locks with security panels for all data storage rooms or work areas.
- Workstation Security: On top of physical location security, workstations (including stationary computers, laptops and tablets) must themselves be secured. This includes restricting physical access to these devices, using restraints like cables or locks to keep them in a centralized location and applying heightened security to more sensitive devices.
- Device and Media Controls: Organizations must have clear procedures and implemented practices to store, transfer, backup and destroy PHI securely. Additionally, all use of storage devices must be logged for auditing purposes, with unique identifiers for all storage media.
NIST 800-66 and Technical Safeguards
Technical safeguards are the hardware and software of security: encryption, anti-malware measures, and so on. This is probably what most organizations think of when they think of HIPAA compliance, and it draws a significant number of controls and practices from NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.”
- Access Controls: All systems must have access controls that ensure only legitimate users are authenticated and authorized. These systems must use privileged user management, multi-factor authentication, automatic log-off, encryption and other controls.
- Audit Controls: All activities must be logged for auditing purposes, from system-level events to user behavior and file access. Healthcare organizations must keep these audit logs immutable and maintain an audit trail for both compliance and forensic purposes.
- System Integrity: Beyond audit logs as a record of activity, the system must also keep records that show when and where file changes have occurred and identify every user with access to PHI. Additionally, the organization must have a policy in place to guarantee data integrity throughout the entire system.
- Transmission and Storage: All PHI must be protected with encryption at rest and in transit. Systems must sit behind anti-malware and firewall software to protect against a breach, and all data transmissions must operate under security and integrity policies.
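The Audit Controls and System Integrity items above both come down to tamper evidence: an auditor or forensic investigator needs to know that a log entry or a file is exactly what was recorded. The following added example (not code from NIST SP 800-66 or from Continuum GRC) shows one common way to implement each with only the Python standard library: an HMAC-chained audit log, where every entry authenticates its predecessor so an edit or deletion anywhere in the chain is detected on verification, and a SHA-256 baseline that reports added, removed and modified files. The key, actor names and file contents are constructed sample values.

```python
"""Tamper-evident audit log and file-integrity baseline (added example, stdlib only)."""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_mac for the first entry in a fresh chain


@dataclass
class AuditEntry:
    seq: int          # position in the chain; detects reordering and deletion
    actor: str        # who acted (constructed sample values below)
    action: str       # what they did, e.g. VIEW / UPDATE / EXPORT
    resource: str     # which PHI record was touched
    prev_mac: str     # MAC of the preceding entry (links the chain)
    mac: str          # HMAC-SHA256 over all fields above


class AuditLog:
    """Append-only log whose entries are HMAC-chained to their predecessor."""

    def __init__(self, key: bytes):
        self._key = key  # keep this key off the logging host in production
        self.entries: List[AuditEntry] = []

    def _mac(self, seq: int, actor: str, action: str, resource: str, prev_mac: str) -> str:
        # Canonical JSON so the same fields always produce the same bytes.
        payload = json.dumps([seq, actor, action, resource, prev_mac], separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, resource: str) -> AuditEntry:
        seq = len(self.entries)
        prev_mac = self.entries[-1].mac if self.entries else GENESIS
        entry = AuditEntry(seq, actor, action, resource, prev_mac, self._mac(seq, actor, action, resource, prev_mac))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that breaks the chain, or None if intact."""
        prev_mac = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_mac != prev_mac:
                return i  # entry removed, reordered or inserted
            expected = self._mac(e.seq, e.actor, e.action, e.resource, e.prev_mac)
            if not hmac.compare_digest(expected, e.mac):
                return i  # entry contents edited after the fact
            prev_mac = e.mac
        return None


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 baseline of file name -> digest for later integrity comparison."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def detect_changes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report which files were added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline.keys() & current.keys() if baseline[n] != current[n]),
    }


def run_demo() -> dict:
    """Constructed scenario: an intact chain, then three kinds of tampering, then a file diff."""
    key = b"constructed-demo-key-not-for-production"
    log = AuditLog(key)
    log.append("dr_smith", "VIEW", "patient/1042/chart")
    log.append("nurse_lee", "UPDATE", "patient/1042/vitals")
    log.append("dr_smith", "EXPORT", "patient/1042/chart")

    edited = copy.deepcopy(log)
    edited.entries[1].actor = "svc_account"        # rewrite who performed the update

    deleted = copy.deepcopy(log)
    del deleted.entries[1]                          # drop the middle entry

    truncated = copy.deepcopy(log)
    truncated.entries.pop()                         # silently drop the newest entry

    baseline = fingerprint({"notes.txt": b"v1", "labs.csv": b"a,b"})
    current = fingerprint({"notes.txt": b"v1", "labs.csv": b"a,c", "export.pdf": b"%PDF"})

    return {
        "intact": log.verify(),          # None
        "edited": edited.verify(),       # 1
        "deleted": deleted.verify(),     # 1
        "truncated": truncated.verify(),  # None: truncation is not detectable from the chain alone
        "changes": detect_changes(baseline, current),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The `truncated` case is the caveat worth noting: a hash chain proves that nothing inside it was altered, but it cannot prove that the newest entries were not simply dropped. Immutability in the sense NIST 800-66 intends therefore also needs an external anchor, such as periodically recording the entry count and latest MAC on a separate system or write-once storage, so a shortened log can be recognized.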
Gain Control Over Your HIPAA Implementation
Healthcare organizations face a real challenge when approaching their overall HIPAA strategies. Risk management, encryption, policies: these are massive, ongoing and necessary components of securing PHI. Having key personnel work with the NIST 800-66 documentation can make pursuing compliance much easier.
Working with Continuum GRC, you get a platform that can handle both compliance and risk management. More importantly, you get a team that knows HIPAA, that knows NIST standards and that can help your technical team stay ahead of the curve for effective, efficient cybersecurity.
Working with NIST 800-66 and HIPAA?
Continuum GRC is cloud-based, always available and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:
- NIST 800-53
- DFARS NIST 800-171
- SOC 1, SOC 2, SOC 3
- PCI DSS
- IRS 1075
- COSO SOX
- ISO 27000 Series
And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.
Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.