Cyber threats and cybersecurity controls have evolved significantly over the past two decades since the HIPAA Security Rule were originally promulgated. During this same time, healthcare entities have increasingly become a prime target of hackers seeking to extort payment using ransomware, exfiltrate patient data to commit fraud, or disrupt operations in other nefarious ways. Recognizing these challenges, some security professionals have sought further clarity on the HIPAA Security Rule that they deem to be “long in the tooth”. Yet, regulators have not made any significant modifications – perhaps driven by the original policy considerations of the HIPAA Security Rule that: “the standard should be comprehensive and coordinated to address all aspects of security”; that it be “scalable, so that it can be effectively implemented by covered entities of all types and sizes”; and that it “not be linked to specific technologies, allowing covered entities to make use of future technology advancements.”
As we previously discussed, the HITECH Act was recently modified to require that HIPAA regulators take into account “recognized security practices” in the context of investigation and enforcement actions. One such source of “recognized security practices” has historically been the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-66, Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Yet, this NIST guidance also appears to be “long in the tooth” as it was issued nearly 13 years ago in October of 2008.
In the absence of significant regulatory changes to the HIPAA Security Rule, NIST called for comments from healthcare industry stakeholders regarding how to revise guidance SP 800-66. This will help clarify what “recognized security practices” are in today’s highly digitized, increasingly distributed and technology-driven world. NIST’s move brings its considerable cybersecurity expertise and resources to bear on updating the guidance to address the current cybersecurity threat landscape that healthcare entities face.
Chiefly, NIST seeks to update the guidance to:
- Increase awareness of relevant NIST cybersecurity resources,
- Increase awareness of relevant non-NIST resources relevant to compliance with the HIPAA Security Rule, and
- Provide HIPAA Security Rule implementation guidance that reflects the current cyber threat landscape and best practices.
NIST is encouraging comments on stakeholder experiences leveraging SP 800-66 in practice in an effort to identify gaps in the guidance. NIST is also curious to hear from stakeholders who found the guidance not to be applicable to their organization in order to determine ways to make it more useful, relatable, and actionable. Specifically, NIST is seeking information on useful tactics, tools, resources, and techniques that stakeholders have leveraged in their compliance efforts including, but not limited to:
- managing both practical and compliance aspects of security,
- assessing risks to ePHI such as determining if security measures are effective, and
- documenting adequate implementation for purposes of compliance.
To gain out-of-the-box perspectives, NIST is also seeking comment on any recognized security practices that stakeholders employ which diverged from compliance with the HIPAA Security Rule. While stakeholders may not want to go on the record describing how their own security practices “diverge” from the HIPAA Security Rule, they may more generally discuss industry practices. In that regard, perhaps these comments will be most interesting of all, as they will illustrate if practical security has diverged in a way that requires regulators to revisit the HIPAA Security Rule.
NIST encourages submission of comments here through June 15, 2021. Feel free to contact EBG’s Privacy, Cybersecurity, and Data Asset Management Team if you are interested in developing and submitting comments to shape what will likely constitute “recognized security practices” for the foreseeable future.
- Member of the Firm
- General Counsel / Chief Privacy Officer