HIPAA Security Rule Guidance Sought
Tiger Team Wants HHS to Offer Updated, Detailed Guidance

At a Nov. 15 meeting, members of the team, which advises HHS on a variety of issues, lamented that federal authorities have not provided enough updated guidance on how to maintain healthcare information security. As an example of valuable guidance, team leaders pointed to the National Institute of Standards and Technology's guidance for compliance with the Federal Information Security Management Act, Special Publication 800-53, which is updated every two years. Although FISMA applies only to federal agencies, many private sector firms use the updated 800-53 guidance as well.
"Healthcare lacks the equivalent of 800-53," said team member Dixie Baker, a senior vice president at Science Applications International Corp.
Both 800-53 and the International Organization for Standardization's ISO 27001 standard are much more detailed than the Health Insurance Portability and Accountability Act's security rule, according to the team. For example, while 800-53 and ISO 27001 both describe external network boundary protections, the HIPAA security rule does not specifically require boundary controls.
The tiger team will continue work on a recommendation calling for HHS to "adopt a consistent, more dynamic process" for regularly updating security guidance, hoping for detailed updates along the lines of 800-53. "Let's start with an educational effort and documents that really give guidance," said team member Neil Calman, M.D., of the Institute for Family Health.
Gap Analysis
At the Nov. 15 meeting, Kevin Stine, an information security specialist at NIST, offered a preliminary "gap analysis" comparing HIPAA security rule requirements to the details included in 800-53 and ISO 27001. The tiger team plans to ask HHS to evaluate this gap analysis in more detail as a way to help develop HIPAA compliance guidance.
The team's final, refined recommendations will be presented to the Health IT Policy Committee, which will then vote on whether to endorse them for HHS consideration.
Meanwhile, as reported earlier, NIST soon will offer a HIPAA Security Toolkit to help with compliance.