Aiming to help HIPAA covered entities strengthen their cybersecurity preparedness, HHS Office for Civil Rights has published a crosswalk identifying mappings between NIST's Framework for Improving Critical Infrastructure Cybersecurity and the HIPAA Security Rule.
Developed in partnership with NIST and ONC, the crosswalk also includes mappings to other commonly used security frameworks, officials said.
In February 2014, NIST released the framework to help organizations better understand and manage cybersecurity risks. Many organizations in healthcare and other industries voluntarily rely on detailed security guidance and specific standards issued by NIST.
Entities bound by HIPAA, meanwhile, are required to implement strong data security safeguards to comply with the HIPAA Security Rule and protect the health data they create, receive, maintain or transmit.
"We hear frequently from covered entities and business associates who said they are working hard in an increasingly challenging atmosphere to assure their PHI is adequately protected," OCR officials said. "We also know from our HIPAA enforcement work that far too frequently entities are leaving PHI vulnerable to breach and access by unauthorized persons."
The goal with this new crosswalk is to help health organizations that have aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule to identify potential gaps in their programs, they said.
By addressing those gaps, covered entities can improve their compliance with the Security Rule and better protect patient data.
OCR noted that HIPAA is meant to be flexible, scalable and technology-neutral, which allows it to integrate more readily with frameworks such as NIST's.
The Security Rule doesn't mandate use of the NIST Cybersecurity Framework, officials said – and at the same time, use of the framework doesn't guarantee HIPAA compliance. But the crosswalk is meant as a tool to help health organizations manage security risks in a more comprehensive way.
Noting that both the HITECH Act of 2009 and the Cybersecurity Information Sharing Act passed this past October called for guidance on implementation of NIST frameworks, OCR officials said the crosswalk "provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risks."
Twitter: @MikeMiliardHITN