What is NIST 800-66, and How Does it Apply to HIPAA?


Cybersecurity is a community practice. Different innovations and discussions about new vulnerabilities, threats and controls inevitably influence security implementations in multiple markets and industries, depending on their applicability. This is just as true for healthcare, an industry generally governed by HIPAA. HIPAA, however, is complex, and organizations working in healthcare often look outside their own industry to help them better understand cybersecurity outside just hitting compliance checklists. That’s where NIST 800-66 comes in. 

In this article, we’ll discuss HIPAA security and how it relates to NIST 800-66. This NIST document helps healthcare providers under HIPAA understand more advanced security controls that could support their compliance, privacy and cybersecurity controls. 


What is the HIPAA Security Rule?

HIPAA is an encompassing compliance framework for the healthcare industry that carries jurisdiction over two types of organizations:

  1. Hospitals, doctors’ offices, insurance agencies or any other business that provides a primary service to patients (coverage, treatment, etc.). These entities are known as Covered Entities (CEs).
  2. Vendors that provide services to Covered Entities, including payment processing, data storage or cloud applications. These entities are known as Business Associates (BAs).

The shared feature of both of these entities is that they will handle Personal Health Information (PHI) in some form. In the case of CEs, they’ll store, process and share PHI as part of their care work or insurance claim management. In the case of BAs, they’ll perform some tasks with that information as part of their relationship with a CE. 

While HIPAA law is quite extensive, there are three primary rules in place that define the overall requirements of these organizations:

  1. The Privacy Rule defines what constitutes PHI, what privacy and disclosure rules organizations must meet when handling PHI and what, if any, exceptions there are to privacy and HIPAA rules. 
  2. The Security Rule defines the reasonable and expected steps CEs and BAs must take to secure PHI. This includes specifying how information must remain protected at rest and in transit and how those security and privacy requirements extend across technical, physical and administrative contexts. 
  3. The Breach Notification Rule specifies the steps organizations must take when PHI is subject to unauthorized disclosure during a breach. This rule includes how organizations must notify patients, the public and authorities, as well as the media they should use to do so. 

The Security Rule is where we find the directives for handling PHI securely. Specifically, this rule states that organizations must ensure the confidentiality, integrity and availability of PHI. This means that organizations must protect against unauthorized disclosure, prevent the alteration or destruction of PHI through unauthorized means and maintain the availability of that data for authorized people. 

Furthermore, the Security Rule calls for these entities to analyze their systems and implement appropriate and effective security measures. What it doesn’t do, however, is define what those specific measures should be. Instead, HIPAA leaves the CE or BA to determine, based on their work, their infrastructure and their needs, which controls should be implemented. 

All things considered, that kind of leeway in determining security can be intimidating. Rather than specify, say, AES-256 encryption for data, HIPAA leaves the door open for organizations to decide (through analysis and review) what they must implement in their specific context to adhere to HIPAA rules. 

That footing doesn’t leave organizations hanging out to dry, however. There are several resources to help businesses align their systems with HIPAA compliance. One of these is NIST SP 800-66.


What is NIST Special Publication 800-66?

NIST SP 800-66, according to the Department of Health and Human Services, is a document intended to help entities attempting to meet requirements under the HIPAA Security Rule leverage the NIST Cybersecurity Framework (CSF) to better prepare their systems to do so. 

The NIST CSF is a comprehensive cybersecurity compliance framework that brings together best practices and evolving standards to help federal and state government agencies and contractors better approach information security with a centralized lexicon. 

How does NIST accomplish this? The CSF draws from several NIST publications to promote best practices across several security-focused areas of interest. Some of these documents include:

  1. NIST 800-53: This document defines an extensive list of security controls and control families that can be used to define compliance requirements across several applications. For example, NIST 800-53 controls are used to inform federal agency security requirements for cloud service providers working with federal agencies and contractors in the Defense Industrial Base (DIB). 
  2. NIST 800-39: This document provides guidelines on how to approach information security risk (more generally speaking, how to assess and mitigate risk in large, content-based infrastructures). 
  3. NIST 800-160: This publication describes, from an engineering perspective, how to build secure and resilient information systems that conform, in part, to standards released by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). 

CSF is strong, robust and evolving under the direct management of the NIST and the government. It stands to reason that it would benefit organizations in several industries (civil service, defense, healthcare, retail, manufacturing, etc.). There isn’t a one-to-one relationship between NIST regulations and industry-specific frameworks, however, which makes it challenging for compliance experts and officers to utilize them to help their own security strategies. Likewise, these same professionals may struggle with understanding what it means to meet compliance under certain regulations as opposed to implementing controls that are truly secure. 

NIST 800-66 attempts to create, according to the HHS, a “crosswalk” between HIPAA compliance and the CSF. This pathway is intended to help healthcare providers and other entities under HIPAA jurisdiction implement truly secure systems, rather than simply check compliance items off a list. NIST 800-66 maps HIPAA requirements to NIST controls under CSF and, where possible, provides guidance on how to implement these controls in ways that may contribute to HIPAA compliance. 


Understanding HIPAA and Compliance with Lazarus Alliance

Covered Entities and Business Associates bear a significant burden in ensuring the privacy and integrity of the PHI that they manage. Fortunately, with a partner like Lazarus Alliance, they can streamline compliance and build up their HIPAA security posture without sacrificing their attention to patient care. We provide compliance and auditing support for our partners from a perspective of holistic security; that is, we work in a variety of industries, including healthcare, federal and defense compliance, to best understand which best practices emphasize comprehensive cybersecurity.


Interested in Learning More About Lazarus Alliance HIPAA and NIST Compliance Audit Services?

Call us at 1-888-896-7580 or fill out this form to learn more about our compliance and risk consulting and auditing services. 

Lazarus Alliance