Recommendations on NIST Resource Guide

Fortified recently responded to an opportunity from NIST to comment on the utility of NIST Special Publication (SP) 800-66, Revision 1, commonly referred to as the Resource Guide.

The Resource Guide and other industry standards are critical to the success of our clients to safeguard electronic protected health information (ePHI) and personally identifiable information (PII).

Although we do not store, process, transmit, or interact with client PHI in our environment, we hold ourselves to the same standards—if not higher—to demonstrate compliance to both the HIPAA Security rule and to NIST Cybersecurity Framework (CSF).

We strongly support the intentions of the Resource Guide, and believe a revision can make the guidance even more useful for healthcare organizations in the current threat landscape, which continues to pose significant risks to all industries—especially healthcare.

Four opportunities to improve NIST Resource Guide 

Overall, we feel the Resource Guide is well-suited for assessing compliance with the HIPAA Security Rule and addresses requirements within the rule. The sample questions contained within the Guide are a beneficial resource for determining how best to assess implementation of HIPAA Security Rule requirements.

The ability to leverage mapping to the NIST CSF is a great benefit to set a minimum level of compliance that is accepted by the industry and by health organization management. The coupling of NIST CSF and the HIPAA Security Rule creates the opportunity to bring best practices to compliance assessment and remediation, that ultimately increases confidence in the process.

We offered the following recommendations:

Tiered security approach

Assessing a healthcare organization with a less mature security program presents challenges in following some content within the Guide. A tiered security approach that differentiates maturity of an organization would be useful, as would assessment guidelines for various types of organizations, based on probability and impact.

Need for ePHI inventory

A requirement for organizations to maintain an inventory of authorized IT assets and applications that store, process, transmit or interact with ePHI data would be beneficial to address a common challenge that assessors have when defining scope of compliance for the assessment.

Many healthcare organizations do not have a comprehensive inventory of systems or IT assets that store, process, transmit, or interact with healthcare confidential information such as ePHI. This guidance would form the scope for any security assessment, that allows organizations to properly define compliance scope within their IT environments.

Organizational security program prioritization

Lack of organizational support and/or funding of security initiatives is often the root cause for security program immaturity and related security risks. We suggest additional guidance on the minimum size of an organization’s security apparatus based on the number of supported users in the organization.

A self-assessment tool or similar resources can help more immature organizations recognize and quantify the type of security structure they need to maintain security and compliance.

Common security protocols

A list of the top security protocols that present the greatest risk relevant to every organization, regardless of maturity, would help compliance with the most mission-critical systems, followed by an assessment of the security program maturity level of the organization.

More guidance related to security based on organization type (single hospital, small health system, larger health system) would also be useful.