NIST's Revised Guidelines: Enhancing Healthcare Cybersecurity Compliance

As guardians of employees' well-being, employers know the critical importance of safeguarding healthcare data. In today's digital landscape, healthcare cybersecurity has become an increasing concern. Cyber threats can jeopardize patient data, impact the quality of care, and even put an organization's financial health at risk. To combat these challenges, it's imperative to stay compliant with regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

That's where NIST comes in. The National Institute of Standards and Technology (NIST) is on a mission to help employers navigate the complex world of healthcare cybersecurity with its draft Special Publication (SP) 800-66 Revision 2. This practical guidance document is designed to provide resources for organizations of all sizes, enabling them to safeguard electronic protected health information (ePHI) effectively. 

What's Changing?

A draft of NIST SP 800-66 Revision 2 was open for public comment in July 2022. NIST received over 250 unique comments, paving the way for a final version expected later this year. Here's what is expected:

• Tailored Support for Smaller Entities: Recognizing the diverse landscape of regulated healthcare organizations, NIST plans to include more specific resources for smaller entities. This extra support may involve tools, use cases, or guidance, fostering a more inclusive approach to cybersecurity compliance.
• Clarifications for Peace of Mind: NIST acknowledges that terms like 'risk analysis' and 'risk assessment' can be a bit puzzling. The final version of NIST SP 800-66 Revision 2 aims to provide clear distinctions. While 'risk analysis' stays consistent with the Security Rule's requirements, 'risk assessment' will refer to the process of determining the level of risk to ePHI. This distinction helps smaller entities, who may find the HHS Security Risk Assessment (SRA) Tool particularly valuable.
• More User-Friendly Appendices: Appendices E and F are getting a facelift. In Appendix E, the Security Rule Standards and Implementation Specifications Crosswalk will be moved online to NIST's Cybersecurity and Privacy Reference Tool (CPRT) website. This adjustment ensures that mapping can be updated independently, removing the confusion of multiple versions.
• HIPAA Security Rule Resources Upgrade: Appendix F, housing HIPAA Security Rule Resources, is also set for a transformation. NIST is reorganizing the resources within each topic area. It's designed to guide smaller entities, allowing them to navigate the wealth of information more effectively. Moreover, the resources will be hosted online, ensuring their up-to-date relevance.

These changes are a testament to NIST's commitment to enhancing healthcare cybersecurity. By streamlining resources, offering clarity, and expanding support for smaller entities, NIST aims to help employers achieve better compliance with HIPAA's Security Rule.

Benefit Allocation Systems (BAS) provides best-in-class, online solutions for: Employee Benefits Enrollment; COBRA; Flexible Spending Accounts (FSAs); Health Reimbursement Accounts (HRAs); Leave of Absence Premium Billing (LOA); Affordable Care Act Record Keeping, Compliance & IRS Reporting (ACA); Group Insurance Premium Billing; Property & Casualty Premium Billing; and Payroll Integration.

MyEnroll³⁶⁰ can Integrate with any insurance carrier for enrollment eligibility management (e.g., Blue Cross, Blue Shield, Aetna, United Health Care, Kaiser, CIGNA and many others), and integrate with any payroll system for enrollment deduction management (e.g., Workday, ADP, Paylocity, PayCor, UKG, and many others).