The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for protecting healthcare data. The draft update will provide a more practical guide for healthcare providers to comply with government rules on personal health data security, it claimed.
The initial draft of the document is titled ‘Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide, (800-66).’ This draft is the second revision of the document following the first in 2008.
The healthcare and security community already had a chance to comment on this revision of the document as work progressed on it last year. This draft version accommodates over 400 responses during that call for comment.
NIST has designed the updated document as a resource guide with more actionable measures that can help healthcare organizations comply with the security rule, said its staff. It also mapped the guidance in the document to other publications produced since the first revision, including the Cybersecurity Framework and its Security and Privacy Controls. Finally, this draft has a stronger focus on risk management than the previous revision.
The updated guide will help companies to implement the security rule under HIPAA, which the US government first introduced as part of the Act in 1996. This rule, which complements a separate privacy rule, sets out a standard to protect electronic personal health information (ePHI). eHPI is a broad catch-all encompassing many kinds of personal data as handled by organizations in the healthcare ecosystem.
The organization is now inviting comments from the public on the revised document until September 21 2022.
The guidance is timely as healthcare breaches continue to mount. An analysis of US Health and Human Services data in February confirmed expectations that 2021 would be a landmark year for healthcare breaches, with breach numbers exceeding all records.
This month, US healthcare debt collector Professional Finance Company (PFC) reported a data breach affecting 1.9 million individuals across over 650 healthcare providers.