<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

How Healthcare IT Teams Can Unify HIPAA Security and Privacy Regulations Using NIST


The Health Insurance Portability and Accountability Act (HIPAA) seeks to ensure that patients’ data, protected health information (PHI), is reasonably protected from both a privacy and security perspective. As we have shifted into the digital age, healthcare providers have had to account for the rise of electronic protected health information (EPHI) and the wealth of new technologies available to both enhance the patient experience and improve patient outcomes. While these technologies have made great strides to their respective ends, they have also opened up a wealth of new opportunities for bad actors to attack organizations that store some of the most intimate information people can imagine.

The HIPAA Privacy Rule

According to the Department of Health and Human Services: The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

In short, the Privacy Rule seeks to protect the confidentiality of PHI that a covered entity handles.

The HIPAA Security Rule

The DHHS states: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

The Security Rule seeks to ensure that electronic PHI has the necessary security measures protecting it to ensure that patient information is protected from outside actors.

How Do HIPAA Security and Privacy Rules Differ

The difference between the HIPAA Security and Privacy Rules comes down to the empiric difference between privacy and security. Thinking of EPHI like a house, security may be able to put bars on the windows, but that does not mean that people cannot see in. That’s where privacy (the curtains in this analogy) come into play. When effectively harmonized, security and privacy work together to enable the safety of patient information while also granting patients the ability to control who within and outside the organization has access.

Where the security rule mandates covered organizations to put administrative safeguards in place, as well as physical security and technical controls, the privacy rule applies more guidelines to protect patient anonymity both within the organization (i.e. health care professionals not working on a given case) as well as outside the organization (i.e.a specialist at a different hospital or worse, a bad actor who gained access to the system).

Using the NIST CSF and Privacy Frameworks to Align HIPAA Security and Privacy Teams and More

In January of 2020, the National Institute of Standards and Technology (NIST) introduced its much-anticipated Privacy Framework. The Privacy Framework built on the success of their wildly popular Cybersecurity Framework and enables organizations roll privacy program management alongside security and risk management using the CSF and Risk Management Framework. As we have discussed in this post, privacy and security are two sides of the same coin. If we think of security as a rectangle and privacy as a square - in the same way that all squares are rectangles but not all rectangles are squares, privacy programs inherently call upon security but not all security programs are inherently secure. Especially as it relates to HIPAA compliance, ensuring harmonization across security and privacy efforts is critical. However, catering to regulations (in this case HIPAA) and not preparing for the future and addressing risks and threats that have emerged since the Security and Privacy Rules were updated is equally as critical. As a result, leveraging outcomes, risk-based frameworks like the CSF and Privacy Framework enables organizations to meet compliance while also ensuring that their information systems are truly secure and prepared for the future.

The CyberStrong integrated risk management platform benchmarks all assessments against the NIST CSF as well as supports both HIPAA and the NIST Privacy Framework. To learn more about the CyberStrong platform, give us a call at 1 800 NIST CSF, or click, here, to schedule a conversation.

You may also like

Why You Need CIS Controls for ...
on June 17, 2022

The Center for Internet Security (CIS) is a non-profit organization that helps public sectors and private sectors improve their cybersecurity. The organization aims to help small, ...

Small Business Cybersecurity ...
on June 15, 2022

To achieve peace of mind in the modern threat landscape, small business owners must have a solid security strategy and budget in place. VIPRE’s SMB Security Trends report state ...

Do Small Businesses and Startups ...
on June 10, 2022

Did you know that about 60% of small businesses shut down within 6 months by falling victim to a data breach or cyber-attack, where the average global breach cost hovers at $3.62 ...

A Pocket Guide to ISO 27001
on June 9, 2022

Let’s begin with the complete title of what’s referred to as ISO 27001. It is officially known as “ISO/IEC 27001." If you're looking to have your company certified, you'll need to ...

Benefits Of An Automated Security ...
on June 6, 2022

Proactive recognition, remediation, and mitigation of security threats are rising challenges for global businesses today. Security risk assessment is an integral part of this ...

Kyndall Elliott
The Top 5 Automated Risk ...
on June 1, 2022

Automated risk assessment tools help you assess information security risks and related metrics in real-time based on the available data internally and externally. Connecting the ...