What is NIST 800-66, and How Does it Apply to HIPAA?


Cybersecurity is a community practice. Different innovations and discussions about new vulnerabilities, threats and controls inevitably influence security implementations in multiple markets and industries, depending on their applicability. This is just as true for healthcare, an industry generally governed by HIPAA. HIPAA, however, is complex, and organizations working in healthcare often look outside their own industry to help them better understand cybersecurity outside just hitting compliance checklists. That’s where NIST 800-66 comes in. 

In this article, we’ll discuss HIPAA security and how it relates to NIST 800-66. This NIST document helps healthcare providers under HIPAA understand more advanced security controls that can support their compliance, privacy and cybersecurity efforts.


What is the HIPAA Security Rule?

HIPAA is an encompassing compliance framework for the healthcare industry that carries jurisdiction over two types of organizations:

  1. Hospitals, doctors’ offices or insurance agencies, or any business that provides some sort of primary service for patients (coverage, treatment, etc.). These entities are known as Covered Entities (CEs).
  2. Vendors that provide services to Covered Entities, including payment processing, data storage or cloud applications. These entities are known as Business Associates (BAs).

The shared feature of both of these entities is that they will handle Personal Health Information (PHI) in some form. In the case of CEs, they’ll store, process and share PHI as part of their care work or insurance claim management. In the case of BAs, they’ll perform some tasks with that information as part of their relationship with a CE. 

While HIPAA law is quite extensive, there are three primary rules in place that define the overall requirements of these organizations:

  1. The Privacy Rule defines what constitutes PHI, what privacy and disclosure rules organizations must meet when handling PHI and what, if any, exceptions there are to privacy and HIPAA rules. 
  2. The Security Rule defines the reasonable and expected steps CEs and BAs must take to secure PHI. This includes specifying how information must remain protected at rest and in transit and how those security and privacy requirements extend across technical, physical and administrative contexts. 
  3. The Breach Notification Rule specifies the steps organizations must take when PHI is subject to unauthorized disclosure during a breach. This rule includes how organizations notify patients, the public and authorities, as well as the media they should use to do so.

The Security Rule is where we find the directives for handling PHI securely. Specifically, this rule states that organizations must ensure the confidentiality, integrity and availability of PHI. This means that organizations must protect against unauthorized disclosure, prevent the alteration or destruction of PHI through unauthorized means and maintain the availability of that data for authorized people. 

Furthermore, the Security Rule calls for these entities to analyze their systems and implement appropriate and effective security measures. What it doesn’t do, however, is define what those specific measures should be. Instead, HIPAA leaves the CE or BA to determine, based on their work, their infrastructure and their needs, the appropriate controls that should be implemented.

All things considered, that kind of leeway in determining security can be intimidating. Rather than specify, say, AES-256 encryption for data, HIPAA leaves it to each organization to decide (through analysis and review) what it must implement, based on its specific context, to adhere to HIPAA rules.

That footing doesn’t leave organizations hanging out to dry, however. There are several resources to help businesses align their systems with HIPAA compliance. One of these is NIST SP 800-66.


What is NIST Special Publication 800-66?

NIST SP 800-66, according to the Department of Health and Human Services, is a document intended to help entities attempting to meet requirements under the HIPAA Security Rule leverage the NIST Cybersecurity Framework (CSF) to better prepare their systems to do so.

The NIST CSF is a comprehensive cybersecurity compliance framework that brings together best practices and evolving standards to help federal and state government agencies and contractors better approach information security with a centralized lexicon. 

How does NIST accomplish this? The CSF draws from several NIST publications to promote best practices across several security-focused areas of interest. Some of these documents include:

  1. NIST 800-53: This document defines an extensive list of security controls and control families that can be used to define compliance requirements across several applications. For example, NIST 800-53 controls are used to inform federal agency security requirements for cloud service providers working with federal agencies and contractors in the Defense Industrial Base (DIB). 
  2. NIST 800-39: This document provides guidelines on how to approach information security risk (more generally speaking, how to assess and mitigate risk in large, content-based infrastructures). 
  3. NIST 800-160: This publication describes, from an engineering perspective, how to engineer secure and resilient information systems that conform, in part, to standards released by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

CSF is strong, robust and evolving under the direct management of NIST and the government. It stands to reason that it would benefit organizations in several industries (civil service, defense, healthcare, retail, manufacturing, etc.). There isn’t a one-to-one relationship between NIST regulations and industry-specific frameworks, however, which makes it challenging for compliance experts and officers to utilize them in their own security strategies. Likewise, these same professionals may struggle to understand the difference between meeting compliance under certain regulations and implementing controls that are truly secure.

NIST 800-66 attempts to create, according to the HHS, a “crosswalk” between HIPAA compliance and the CSF. This pathway is intended to help healthcare providers and other entities under HIPAA jurisdiction implement truly secure systems, rather than simply check compliance items off a list. NIST 800-66 maps HIPAA requirements to NIST controls under CSF and, where possible, provides guidance on how to implement these controls in ways that may contribute to HIPAA compliance. 


Understanding HIPAA and Compliance with Lazarus Alliance

Covered Entities and Business Associates bear a significant burden in terms of ensuring the privacy and integrity of the PHI that they manage. Fortunately, with a partner like Lazarus Alliance, they can streamline compliance and build up their HIPAA security posture without sacrificing their attention to patient care. We provide compliance and auditing support for our partners from a perspective of holistic security… that is, we work in a variety of industries, including healthcare, federal and defense compliance, to best understand which practices deliver comprehensive cybersecurity.


Interested in Learning More About Lazarus Alliance HIPAA and NIST Compliance Audit Services?

Call us at 1-888-896-7580 or fill out this form to learn more about our compliance and risk consulting and auditing services.

Download our company brochure.
