What is NIST 800-66?

Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs. 

The Health Insurance Portability and Accountability Act (HIPAA) governs the protection of PHI, and in doing so provides the framework within which healthcare organizations must act toward that mission. However, HIPAA isn’t the only source of truth for securing PHI. For additional guidance, compliance and security officers and technical managers look to another document, NIST SP 800-66.

How Does NIST Connect to HIPAA?

HIPAA is a federal regulation connected to the Department of Health and Human Services (HHS). As such, it relates to the larger ecosystem of governmental regulations regarding cybersecurity and protection. 

However, HIPAA itself doesn’t lay out the minutiae of its implementation. For example, the HIPAA Security Rule (which outlines the requirements a Covered Entity or Business Associate faces in protecting PHI at rest or in transit) demands that organizations encrypt PHI, but it doesn’t specify an algorithm or method. Instead, it leaves this decision open to interpretation, with the understanding that the encryption selected must reasonably secure data from unauthorized access; that is, an encryption algorithm that hasn’t been cracked.

To help CEs and BAs better understand the nuts and bolts of compliance, the National Institute of Standards and Technology (NIST) maintains Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule.”

This document purports to “summarize the HIPAA security standards and explain some of the structure and organization of the Security Rule.” In other words, it gives structure to the Security Rule requirements so that organizations can implement the regulation effectively.

To this end, NIST 800-66 addresses the three key categories of safeguards in the Security Rule:

NIST 800-66 and Administrative Safeguards

Administrative safeguards are the programs, policies, and procedures an organization develops to promote and maintain security and compliance. While these inevitably overlap with the technical and physical safeguards, they also represent a distinct approach to overall organizational security.

NIST 800-66 and Physical Safeguards

As the name states, physical safeguards are the physical security measures your organization implements to protect the facilities, equipment, and media that hold PHI.

NIST 800-66 and Technical Safeguards

Technical safeguards are the hardware and software side of security: encryption, anti-malware measures, and so on. This is probably what most organizations think of when they think of HIPAA compliance, and it draws a not-insignificant number of controls and practices from NIST SP 800-53, “Security and Privacy Controls for Information Systems and Organizations.”

Gain Control Over Your HIPAA Implementation

Healthcare organizations face a real challenge when approaching their overall HIPAA strategies. Risk management, encryption, policies: these are massive, ongoing, and necessary components of securing PHI. Having key personnel work with the NIST 800-66 documentation can make pursuing compliance much easier.

Working with Continuum GRC, you get a platform that can handle both compliance and risk management. More importantly, you get a team that knows HIPAA, that knows the NIST standards, and that can help your technical team stay ahead of the curve for effective, efficient cybersecurity.

Working with NIST 800-66 and HIPAA?

Continuum GRC is cloud-based, always available, and plugged into our team of experts. We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

And more. We are also the only FedRAMP and StateRAMP authorized compliance and risk management solution in the world.

Continuum GRC is proactive cyber security®, and the only FedRAMP and StateRAMP Authorized cybersecurity audit platform in the world. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.
