Gerry Blass, President & CEO, ComplyAssistant
Ken J. Reiher, Vice President Operations, ComplyAssistant
With the exponential growth in vulnerabilities over the past decade, healthcare organizations look to supplement HIPAA regulations with other types of cybersecurity frameworks. The recent uptick in telehealth and telecommuting during the COVID-19 pandemic has added even more vulnerabilities to an already long list. Cybersecurity has become a core focus for healthcare leaders as more weaknesses are identified and exploited by bad actors.
A HIPAA compliance consultant, equipped with technical expertise and GRC software, can help providers expand what they are already doing in compliance with HIPAA, adding even deeper layers of security by assisting with the implementation of additional controls and procedures.
I already comply with HIPAA. Why do I need another framework?
The HIPAA Privacy and Security Rules were originally established to safeguard protected health information (PHI). The advent of HITECH and Meaningful Use prompted healthcare organizations, suppliers and other technology vendors to adopt electronic medical record (EMR) systems and interoperability standards to enable easier sharing of patient information across fragmented care providers. This digitization of patient information thus transformed PHI to ePHI.
Today, HIPAA, as a high-level policy with which healthcare providers are required to comply, is still an adequate starting point for healthcare providers when establishing standards and processes to protect organizational and patient data.
However, a knowledgeable HIPAA compliance consultant will tell you that while HIPAA is a good place to start, the Rules are not meant to offer defined, specific guidance on cybersecurity efforts, nor do they evolve over time. Rather, HIPAA is in place to ensure providers protect patient information. The means by which providers safeguard information is flexible. Cybersecurity frameworks – such as the NIST CSF – pick up where HIPAA leaves off.
How is the NIST Cybersecurity Framework different from HIPAA?
The NIST CSF was created to help providers understand, manage and reduce cybersecurity risks. HIPAA compliance consultants tend to recommend the NIST CSF because it employs an easy-to-understand structure and common-sense language to help healthcare organizations implement cybersecurity controls. And, unlike other cybersecurity frameworks, the NIST CSF is free to use.
While HIPAA offers high-level guidance on the protection of PHI, the NIST CSF is more granular, including five core functions:
- Identify—Find and inventory any risks to cybersecurity
- Protect—Create and implement safeguards for critical data (not just ePHI)
- Detect—Implement practices to discover cybersecurity threats
- Respond—Establish an appropriate action plan in the event of a breach
- Recover—Create and implement plans to restore capabilities or services impaired in the event of a cyber attack
For more on this topic, read our Guide to the NIST Cybersecurity Framework.
Providers and HIPAA compliance consultants alike tend to agree that HIPAA should be updated to reflect the vast evolution of healthcare technology since the Rule was signed into law in 1996. And although the Office for Civil Rights (OCR) has said that, temporarily, it “will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” sweeping permanent updates are not in the near future.
The NIST CSF, on the other hand, will continue to be revised to address new threats and vulnerabilities, and offer guidance for more granular change management.
Can a HIPAA compliance consultant help with the NIST CSF?
Do you need a NIST specialist to help you with implementing the cybersecurity framework? The answer is no! A HIPAA compliance consultant can help you there too.
HIPAA compliance consultants are typically trained to:
- Assess threats and vulnerabilities to information at rest, in transit and in use,
- Recognize and document increases in locations of ePHI (e.g., cloud hosting, Internet of Things, health information exchanges), and
- Understand the impact of technology advances, which requires change management.
Many of the same HIPAA safeguards are also necessary when reviewing the NIST CSF. Because of this inherent background and expertise, a HIPAA consultant will have the experience necessary to ensure healthcare organizations comply with the required HIPAA regulation while helping the organization expand its internal requirements to comply with the NIST CSF.
What other skills or tools should a HIPAA compliance consultant have to help with implementing the NIST CSF?
In order to help implement the NIST CSF, a HIPAA compliance consultant should have a combination of administrative, physical and technical knowledge.
Although a healthcare organization can complete a HIPAA audit without technical testing, we recommend always including technical components. Technical knowledge should include areas such as managed security operations centers (SOCs), technical testing for network and application vulnerabilities, and penetration testing. A NIST CSF audit will already include these types of technical requirements.
A knowledgeable consultant will understand overlapping controls from HIPAA to the NIST Cybersecurity Framework, and how to manage the two without duplicative work.
In addition, look for a consultant who comes equipped with GRC software to manage compliance with both HIPAA and the NIST CSF. You want GRC software that will deliver the results of an assessment, manage follow-up action items, store documentation, track internal audits and investigate incidents. Solid GRC software should also be able to provide the crosswalk between HIPAA and the NIST CSF.
ComplyAssistant’s team of HIPAA compliance consultants can help your organization implement the NIST CSF. Contact us for a free consultation and overview of our crosswalk from HIPAA to the NIST CSF.