Toolkit Helps With Risk AssessmentsNIST HIPAA Security Rule Toolkit Offers Guidance
"My hope is that organizations will use this tool to gain a better understanding of the security controls that they have put in place to protect their health information and to support a more comprehensive risk assessment process," Stine says in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below).
Stine explains that use of the toolkit does not guarantee compliance with the HIPAA security rule. Rather, it helps organizations "identify areas where they may need either additional security safeguards to protect their information, or to improve upon existing ones."
The toolkit, which is based on content from a variety of resources, was reviewed by a variety of healthcare organizations before it was completed.
In the interview, Stine:
- Describes the goals of the kit as helping organizations gain a better understanding of the rule, implement the rule's requirements and assess their implementation.
- Points out that the kit is designed for use by HIPAA covered entities of all sizes, as well as their business associates. The kit offers a series of questions addressing each security rule standard and implementation specification. It offers 1,000 questions for larger organizations to address, plus a subset of about 600 questions for smaller organizations.
- Describes how the tool was developed in collaboration with a NIST contractor, Exeter Government Services (see: NIST Unveils Free HIPAA Toolkit).
- Notes that the tool likely will be updated once the final version of a rule modifying HIPAA, as mandated under the HITECH Act, is released.
The kit is available for download at the NIST website.
Stine is the acting manager of the security outreach and integration group within the National Institute of Standards and Technology's computer security division. His work at NIST focuses on applying information security standards, practices and technologies to the health information technology sector; publishing information security standards and guidelines; conducting outreach and awareness; and advancing security performance measurement.
NIST ProjectHOWARD ANDERSON: For starters, why don't you describe NIST briefly for those who may not be really familiar with it, and explain why NIST launched this particular project?
KEVIN STINE: NIST is the National Institute of Standards and Technology. We're a non-regulatory federal agency within the U.S. Department of Commerce. Generally speaking, our mission is to promote U.S. innovation and industrial competitiveness through the advancement of measurement science standards and technology.
As an agency, we carry that mission out through various research laboratories, programs and partnerships. I work in the computer security division, which is part of the information technology lab here at NIST. Our mission within the computer security division is to conduct research and development and perform outreach in support of standards, guidelines, tools and practices that organizations can use to protect information and information systems.
Much of our work within the computer security division revolves around these principles of risk management if you will - the idea of this process of identifying risks, implementing security controls to reduce those risks to more acceptable levels to the organization, and then monitoring those controls for continued effectiveness. This is really fundamental information security that's critical to protecting any type of information, whether it's federal information that's from a particular sector, such as the energy sector, or healthcare information.
In the past, NIST has issued resource guidelines on implementing the HIPAA security rule, and we view this project as another opportunity to present our security resources to the HIPAA security community in a form that's different than our traditional PDFs and special publications. It's more in the form of a software application.
Briefly, we have three overarching goals when we started this project. The first was to provide organizations with a better understanding of the requirements of the HIPAA security rule. The second goal was to help organizations implement those requirements. Then third would be to assess those implementations within their operating environment.
ANDERSON: Who are the intended users for the free toolkit, and how can it be accessed?
STINE: When we started the project, we envisioned a very broad user base that included certainly HIPAA-covered entities and business associates. As you know, these organizations can range in size from a large nationwide health plan with vast information technology resources to small healthcare providers with limited access to IT and security expertise. ... Because these organizations can vary greatly in terms of their size, their technology expertise and any resources they may have, we tried to create a toolkit - the questionnaires, the surveys, and things like that included in it - in a way that provides as much value to as many of these types of organizations as possible.
A secondary category of user we tried to focus on was those organizations that may provide HIPAA security rule implementation and assessment services to the covered entities or to the business associates. ...
The toolkit is freely available and downloadable from a NIST website.
ANDERSON: Why don't you describe the format of the toolkit a little bit? I understand it guides users through more than 1,000 questions to help identify compliance issues that need to be resolved and point to best practices. Have I got that right?
STINE: That's absolutely right. The toolkit application itself provides this software interface that guides the user through a series of questions for each security rule standard and implementation specification. The intent of these questions is to help organizations identify areas where they may need either additional security safeguards to protect their information or may need to improve upon existing ones.
Each question within the toolkit includes references to NIST standards and guidelines that provide relevant supporting information. Through our testing of the application, our original scope had about 1,000 questions in it. Then, through our testing and our understanding that there are organizations of varying sizes, we ended up coming up with two sets of questions, one being a smaller subset of the other. The larger set, which we call the enterprise set of questions, is about 1,000 questions, and the smaller subset, which we're referring to as the standard set of questions ,runs in the 500 to 600 range. We think that's probably a good subset for a smaller organization to start with.
Developing the Content
ANDERSON: Tell us briefly how the content was developed and then how you validated it.
STINE: The toolkit content was derived from a variety of resources, including the HIPAA security rule, existing NIST information security and NIST HIPAA security-specific publications, and then other publicly available resources from HHS (The Department of Health and Human Services). A key part of the process was once we developed this first round of content and then an early functional version of the application, we shared that with several organizations to get their feedback. We reached out to a very diverse set of potential users for this feedback on the application and the content as well.
As an example, we reached out to a state Medicaid office, a specialty clearing house, a community hospital, a non-profit regional hospital, as well as some industry and non-profit associations to get a diverse set of organizations that could provide feedback from a variety of different perspectives. The feedback was exceptional. We received a lot of great feedback on the functionality and the questions. We received a lot of constructive feedback on how to phrase the questions differently, how to maybe add some questions or remove some questions that may not be as pertinent to different types of organizations. It was a very worthwhile part of the project.
ANDERSON: Now you worked on this project with a partner that helped develop it, right?
STINE: We did. NIST contracted with a company called Exeter Government Services, and they put together a team of not only HIPAA subject matter experts but also information security experts and software development folks as well. Through this team, working very closely with our NIST team here, I think we came up with a great solution.
ANDERSON: What do you hope organizations will achieve by using the kit? I know it's not designed to ensure compliance - because nothing can do that - but rather, it's designed to help self-assessments, right?
STINE: You're absolutely correct. NIST is not a regulatory or an enforcement authority over the HIPAA security rule, so the toolkit doesn't provide any statement of compliance. Statements of compliance are the responsibility of the using organization as well as the regulator - in this case OCR, the HHS Office for Civil Rights. My hope is that organizations will use this tool to gain a better understanding of the security controls that they have put in place to protect their health information and to support a more comprehensive risk-assessment process of their environment as well. Having this improved understanding of their security posture is very powerful and certainly could, as a by-product, be supportive of their organization's compliance efforts as well.
Updates Pending Final Rule
ANDERSON: Will the toolkit be substantially updated once federal authorities issue the final, long-overdue rule outlining all the HIPAA modifications that were required under the HITECH Act? And given that changes are pending, how should the kit be used in the meantime?
STINE: I think future updates to the toolkit contents are really going to be dependent upon what types of modifications are made to the rule itself. I certainly don't have any insider information on what that's going to look like, so that's kind of a "we'll wait and see". In the meantime, organizations should consider using this toolkit as we intended to gain a better understanding of their security posture with respect to ePHI (electronic protected health information).
ANDERSON: Any final thoughts regarding how organizations can make the most of the kit once they access it?
STINE: This could potentially be one of many useful tools that organizations can have in their collection of tools to help them gain a better understanding of their security processes in support of the HIPAA security rule implementation. The more you put into it, the more you can get out of it. We tried to provide a lot of basic functionality in the application as well as a very comprehensive set of questions and links to resources, and hopefully organizations take full advantage of that. We're always open to feedback as well, as organizations begin to use the toolkit. We're certainly open to receiving any feedback from using organizations along the way.