CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecurityCybersecurity NewsHospitals & Medical Centers

NIST updates HIPAA cybersecurity guidance

By Maria Henriquez
healthcare-hipaa-freepik1170x658v57.jpg
July 27, 2022

In an effort to help healthcare organizations protect patients’ personal health information, the National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for the healthcare industry. 


NIST’s new draft publication, titled Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (NIST Special Publication 800-66, Revision 2), is designed to help the industry maintain confidentiality, integrity and availability of electronic protected health information, or ePHI. The term covers a wide range of patient data, including prescriptions, lab results, and records of hospital visits and vaccinations. 


“One of our main goals is to help make the updated publication more of a resource guide,” said Jeff Marron, a NIST cybersecurity specialist. “The revision is more actionable so that health care organizations can improve their cybersecurity posture and comply with the Security Rule.” 


Part of HIPAA is the Security Rule, which specifically focuses on protecting ePHI that a health care organization creates, receives, maintains or transmits. NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance. NIST’s updated guidance is particularly timely as the U.S. Department of Health and Human Services has noted a rise in cyberattacks affecting health care. 


One of the main reasons NIST developed the revision is to integrate it with other NIST cybersecurity guidance that did not exist when Revision 1 was published in 2008. Since then, NIST has developed its well-known Cybersecurity Framework and repeatedly updated its collection of Security and Privacy Controls (NIST SP 800-53) that organizations can use to tailor their risk management approaches. The new HIPAA Security Rule guidance draft makes explicit connections to these and other NIST cybersecurity resources.

NIST is accepting comments on the draft until Sept. 21, 2022, by email to sp800-66-comments@nist.gov.

KEYWORDS: compliance cyber security healthcare HIPAA risk management

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

Related Articles

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!