Healthcare Informatics Magazine | Health IT | Information Technology

OCR Releases Crosswalk between HIPAA Security Rule and NIST Cybersecurity Framework

February 25, 2016
by Heather Landi

In an effort to help healthcare organizations bolster their cybersecurity strategy, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a crosswalk to address gaps between two commonly used security frameworks.

Healthcare organizations are responsible for safeguarding patients’ information, and because health information has become an increasingly attractive target for cyberattacks, healthcare providers and health plans need to strengthen their data security, the OCR said in a press release.

“Entities covered by HIPAA must implement strong data security safeguards in their environments, and in particular, comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all of the electronic protected health information (ePHI) they create, receive, maintain or transmit,” the OCR stated.

In February 2014, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework), which provides a voluntary, risk-based approach to help organizations manage cybersecurity risk. Many healthcare organizations have voluntarily relied on the detailed security guidance and specific standards referenced in the Cybersecurity Framework.

To help healthcare organizations covered by HIPAA bolster their security posture, OCR released a crosswalk, developed with NIST and the Office of the National Coordinator for Health IT (ONC), that identifies “mappings” between the NIST Cybersecurity Framework and the HIPAA Security Rule, OCR stated in the release. The crosswalk also includes mappings to other commonly used security frameworks.

“We hear frequently from covered entities and business associates who say they are working hard in an increasingly challenging atmosphere to assure their PHI is adequately protected. We also know from our HIPAA enforcement work that far too frequently entities are leaving PHI vulnerable to breach and access by unauthorized persons,” the OCR stated.

“Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs. Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity’s ability to secure ePHI from a broad range of threats,” OCR stated.

The Security Rule does not require use of the NIST Cybersecurity Framework, officials said, and adopting the Framework does not by itself guarantee HIPAA compliance; a covered entity or business associate still has to perform and document its own risk analysis and address the risks it identifies, as the Security Rule requires. The crosswalk was developed as an informative tool to help healthcare organizations manage security risks in a more comprehensive way.

The agency also noted that Congress, in both the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) as well as the Cybersecurity Information Sharing Act of 2015 (CISA), called for guidance on implementation of NIST frameworks.

“In response, this crosswalk provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risks. The crosswalk also supports the President’s Cybersecurity National Action Plan (CNAP) by encouraging HIPAA covered entities and their business associates to enhance their security programs, increase cybersecurity awareness, and implement appropriate security measures to protect ePHI,” OCR stated.

