An updated version of the NIST CsF, v1.1, was released on April 16, 2018. We know that compliance with HIPAA requires addressing several regulations, including the HIPAA Privacy Rule, HIPAA Security Rule, HITECH Breach Notification, and the HIPAA Final Rule. Further, HIPAA regulations point to NIST as a reference in several areas. A key update in the latest version of NIST CsF is that it includes a requirement for managing cybersecurity within the supply chain – from a HIPAA perspective, think business associates.
Aligning HIPAA Compliance with the NIST CsF
Senior executives, as well as compliance and cybersecurity professionals, must align an organization’s compliance challenges with its cybersecurity program. This is where NIST CsF provides a credible framework for HIPAA compliance.
NIST CsF Facts
The NIST CsF is designed to be a relevant cybersecurity framework for organizations of every size, across different industries, including healthcare and information technology. NIST CsF provides an approach to prioritize cybersecurity resources, make risk decisions, and take action to reduce risk. It enhances cybersecurity communication within an organization and with other organizations, such as business associates, suppliers, regulators, and auditors.
NIST CsF Organization
NIST CsF helps organizations identify, manage, and assess cybersecurity risks. The NIST CsF standard consists of three components:
1. Core: provides an easy-to-understand set of desired cybersecurity outcomes.
2. Profile: portrays organizations’ unique requirements, objectives, risk appetite, and resources.
3. Implementation Tiers: indicates how an organization manages cybersecurity risks.
Compliance with the several layers of HIPAA regulation requires that covered entities and business associates identify a credible framework that addresses the mandates comprehensively. An organization ensures a credible HIPAA compliance program by basing it on the NIST CsF.
The NIST CsF can be used by healthcare organizations large and small, including business associates, physician practices, hospitals, IT firms, government agencies, and other entities.
Ensure that the HIPAA compliance program is aligned with the NIST CsF.
Two key words that senior executives are looking for in an enterprise compliance and cybersecurity program are “credible” and “evidence”. Organizations have to ensure that their HIPAA compliance program is evidence-based – NIST CsF provides the foundation for a credible, evidence-based program.
Hope you can join me on October 18, 2018 in Schaumburg, Illinois as I deliver the ecfirst Certified Cyber Security Architect Program – and we examine the application of the NIST CsF as the standard for enterprise cybersecurity. Email Pabrai@ecfirst.com for a complimentary NIST CsF infographic.
Date: October 2, 2018