
HHS asks health data handlers to study NIST security standards

The U.S. Department of Health and Human Services (HHS) wants entities that handle health data to look outside the health sector when they’re thinking about how to protect the data.

The HHS Office for Civil Rights (HHS OCR) is pushing the organizations to read the National Institute of Standards and Technology (NIST) security guidelines.

See also: Data security gurus to corporate lawyers: Get to know the FBI

HHS has developed its own Health Insurance Portability and Accountability Act (HIPAA) Security Rule. That rule, which is meant to be flexible and general enough to fit with any technology, applies to hospitals, doctors, health insurers, insurance brokers, and other people and organizations that handle personal health data.

NIST released a more technical, more detailed Cybersecurity Framework in February 2014.

Entities that handle protected health information still need to meet the HIPAA security requirements, but they ought to look hard at the NIST framework to see whether there are any gaps between what their organizations are doing and what NIST recommends, HHS OCR officials say in an announcement of a new HIPAA-NIST standards comparison chart.

The HIPAA Security Rule does not require the affected organizations to use the NIST framework, and using the NIST framework does not necessarily mean that an organization is complying with every part of the HIPAA requirements, HHS OCR officials say.

But studying the comparison chart may be a good way for organizations that handle protected health information to find security gaps, officials say.

“Addressing these gaps can bolster their compliance with the Security Rule,” officials say.

In one column, for example, HHS OCR shows that a HIPAA subcategory rule for “asset management” requires an organization to inventory its physical devices and systems. In a “relevant control mappings” column, officials give a long list of the HIPAA Security Rule regulation sections, NIST framework sections, and other relevant standards sections that apply to device inventories.

The chart provides similar types of information for matters such as making systems as resilient as possible and identifying internal and external threats.

See also:

American Airlines, Sabre said to be hit in hacks backed by China

China’s hack of U.S. data tied to health care record thefts

© 2024 ALM Global, LLC, All Rights Reserved.