[BreachExchange] HHS Office For Civil Rights Releases A Crosswalk Between HIPAA Security Rule And NIST Cybersecurity Framework

[Inga Goddijn]

http://www.jdsupra.com/legalnews/hhs-office-for-civil-rights-releases-a-25594/

At the end of February, the Department of Health and Human Services (“HHS”)
released a table, called a “crosswalk,” that maps standards and
implementation specifications of the Health Insurance Portability and
Accountability Act (“HIPAA”) Security Rule to the applicable National
Institute of Standards and Technology (“NIST”) Cybersecurity Framework
subcategories.  The HHS Office for Civil Rights (“OCR”) developed the
crosswalk with NIST and the Office of the National Coordinator for Health
IT in response to the “increasingly challenging atmosphere” of securing
electronic protected health information (“ePHI”).

The HIPAA Security Rule sets forth certain safeguards for ePHI.   HIPAA
covered entities and business associates must comply with the requirements
of the HIPAA Security Rule.  The NIST Cybersecurity Framework was designed
in February of 2014 to help organizations manage, identify, detect, and
respond to cybersecurity risks.  The Framework is a voluntary, risk-based
approach, and entities within and outside the health care sector have
relied on it when implementing and managing their cybersecurity practices.

According to the OCR, the crosswalk provides a helpful roadmap for HIPAA
covered entities and business associates to better understand the overlap
between the HIPAA Security Rule and NIST Cybersecurity Framework.
According to the OCR, “[a]lthough the security rule does not require use of
the NIST Cybersecurity Framework, and use of the [F]ramework does not
guarantee HIPAA compliance, the crosswalk provides an informative tool for
entities to use to help them more comprehensively manage security risks in
their environments.”

In its announcement about the crosswalk, the OCR recognized that health
information maintained by health care providers has become an “increasingly
attractive target for cyberattacks.”  It cited to a July 25, 2015 report in
USA Today, which states that the healthcare industry accounts for 42.5% of
all data breaches over the last three years.  The OCR hopes that entities
will use the crosswalk and take action to address any gaps they may have in
their cybersecurity programs.  Addressing these gaps “can bolster
compliance with the Security Rule and improve an entity’s ability to secure
ePHI from a broad range of threats.”

The crosswalk may be found here
<http://www.hhs.gov/sites/default/files/NIST%20CSF%20to%20HIPAA%20Security%20Rule%20Crosswalk%2002-22-2016%20Final.pdf>
.
Information on the HIPAA Security Rule may be found here
<http://www.hhs.gov/hipaa/for-professionals/security/>.
The NIST Framework may be found here
<http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf>
.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160309/acaa0bbe/attachment.html>