In an effort to help healthcare organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry. 

NIST’s new draft publication, titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), is designed to help the industry maintain confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations. 

“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.” 

Part of HIPAA is the Security Rule, which specifically focuses on protecting ePHI that a health care organization creates, receives, maintains or transmits. NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance. NIST’s updated guidance is particularly timely as the U.S. Department of Health and Human Services has noted a rise in cyberattacks affecting health care. 

One of the main reasons NIST developed the revision is to integrate it with other NIST cybersecurity guidance that did not exist when Revision 1 was published in 2008. Since then, NIST has developed its well-known Cybersecurity Framework and repeatedly updated its collection of Security and Privacy Controls (NIST SP 800-53) that organizations can use to tailor their risk management approaches. The new HIPAA Security Rule guidance draft makes explicit connections to these and other NIST cybersecurity resources.

NIST is accepting comments on the draft until Sept. 21, 2022, by email to