HIPAA Compliance v. NIST Risk Assessments for Healthcare Facilities: What’s the Difference?

Traditionally, the gold standard for healthcare cybersecurity has been HIPAA compliance. HIPAA rules set solid guidelines for how to protect patient information, and failing to comply can result in high fines.

More and more, though, it is becoming clear that while the HIPAA Security Rule provides solid guidelines for providers, it may not be sufficient on its own to deal with all of the cybersecurity challenges of the twenty-first century. In the first half of 2019, 32 million patient records were breached, and the majority of these breaches were caused by hacking. The majority of providers have experienced a breach, with the most common problem being ransomware. Healthcare cybersecurity is, thus, a growing field, especially with more and more patient information being stored digitally and transferred to different devices.

What is the HIPAA Security Rule?

The HIPAA Security Rule is a regulatory framework to assist institutions in managing HIPAA compliance. It contains six main sections:

  1. General rules that all covered entities must meet.
  2. Administrative safeguards, which include policies and procedures for selecting and maintaining security measures.
  3. Physical safeguards, that is to say security access limitations, and protection from natural hazards.
  4. Technical safeguards, that is to say actions taken by IT, use of software, etc.
  5. Organizational requirements, including standards for working with vendors and partners.
  6. Policies and documentation requirements, including ensuring that policies and procedures are in place and properly recorded.

The specific ways to implement the Rule vary by provider, and are affected by an entity's size, specific nature, etc.

What is NIST CSF?

The National Institute of Standards and Technology's Cybersecurity Framework for healthcare was introduced in the fall of 2013. These are voluntary standards that call for a much higher level of security and compliance.

Much of the NIST framework is not, in fact, industry specific and can be applied across industry, but the health industry version takes into account HIPAA standards, clinical engineering (including smart medical devices that connect to the network), differences in inactivity timeouts, etc. It can be further customized to your institution's specific needs and concerns.

The goals of the framework are to help identify risks, protect systems from them, and respond to cybersecurity events.

The HIPAA Security Rule also requires risk assessment, but it is generally limited to protecting covered patient information. It does require a proper security management process, workforce training, facility access, etc. However, the CSF goes further. First of all, it scales beyond the critical infrastructure covered by HIPAA.

It also moves away from typical checkbox thinking, which regulatory compliance tends to lead towards. The framework includes:

  • Guidance for risk management
  • Common language for addressing risk
  • A structure to understand and apply cybersecurity risk management
  • Identifying effective standards and guidelines, based on business and industry needs.

The goal is to increase awareness of risk in general; while HIPAA risk assessment is important, NIST goes a little further than that and helps organizations limit liability and the risk of a breach. It also covers areas that were not originally involved in HIPAA compliance. The NIST risk management framework is also easy for vendors and contractors to adopt, and contractors in other industries may be using a framework which is at least somewhat similar.

The framework provided by NIST is cohesive and can be used in a continuous cycle to ensure that updates happen frequently and as needed. As a voluntary set of guidelines, it can be adjusted and customized as needed, and institutions can provide feedback into the system to help them improve their cybersecurity and pass on what they have learned to others.

Why is HIPAA Alone Not Enough?

HIPAA compliance has long been considered sufficient, but a variety of factors have combined to make protecting healthcare information a priority. These include:

  • The growth of the Internet of Things. Connected medical devices and real-time location systems are coming together to form smart hospitals, but these networks are potentially vulnerable to attack. This is only going to get worse as smart devices move into patients' homes and even their bodies.
  • Healthcare providers are increasingly a target for cyberattacks, particularly ransomware attacks. Thieves have learned that healthcare providers may be likely to pay up due to the need to access records as quickly as possible.
  • The majority of health records are now stored electronically. Digital records are no longer an "add on," but rather the standard way in which patient information is stored and propagated. This has led to a reduction in certain issues, especially medication errors, but makes patient information vulnerable in a new way. It also requires long-term preservation of digital records through a person's life.

The very technologies which are improving patient outcomes and safety are also making providers more vulnerable to cyberattacks than ever before, and in some cases, convenience is racing ahead of privacy and security.

Personal information is now being stored on patients' phones, on implanted or wearable devices, on hospital beds, etc., rather than in one centralized location. This provides far more points of entry to an attacker and requires a new approach to network security.

Finally, HIPAA, by its nature, moves slowly. Updating regulations takes time and technology moves faster than the law can be adjusted. NIST, on the other hand, can be changed frequently to allow for new developments, especially in fast-growing areas. Information security teams are able to stay flexible and keep updating, and thus stay not just in compliance, but ahead of the regulators.

HIPAA compliance is no longer enough for healthcare providers. If you are concerned about cybersecurity risk (and you should be), then you need to do both HIPAA and NIST risk assessments to help you know how to move forward to protect the vital information your institution works with. The framework protects both patients and employees and can help you avoid costly (and reputation-destroying) data breaches, ransomware, issues with malicious insiders, and more.

GreyCastle Security offers both HIPAA and NIST risk assessments for healthcare providers. Contact us to find out how we can help you assess your risk and put together your own framework for protecting critical infrastructure and future-proofing your cybersecurity plans.

Next Generation Patient Safety from an Executive Perspective

Healthcare has experienced many cyberattacks in the last few years. Making this a top safety issue in a healthcare organization is difficult, but it is a challenge that executives must make a top priority.

Unlike leaders in any other business, healthcare leaders go to work every day knowing that they have the ability to protect and enhance lives, and to unintentionally hurt them as well.

This white paper is directed at the fundamentals that must be undertaken in the healthcare environment to protect the organization and its patients from cybercrime.