To help healthcare organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry.
The guide, published on Thursday, is designed to help organizations comply with the federal Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which stipulates the need to protect sensitive health data. The Security Rule is the part of HIPAA that specifically focuses on safeguarding electronic protected health information that a health care organization creates, receives, maintains, or transmits.
NIST does not create regulations to enforce HIPAA, but according to the agency, the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance.
“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist, in a press statement. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.”
The guidance maps all the elements of the HIPAA Security Rule to the subcategories of the NIST Cybersecurity Framework. It also places greater emphasis on the guidance's risk management component, including integrating enterprise risk management concepts, Marron added.
One of the main reasons NIST developed the revision is to integrate it with other NIST cybersecurity guidance that did not exist when the first version was published in 2008. The guidance also comes as the U.S. Department of Health and Human Services notes a rise in cyberattacks affecting health care.
NIST is seeking comments on the draft publication until Sept. 21, 2022.