Using NIST Guidance for HIPAA ComplianceLeveraging Guides to Build an Effective Security Program
"Right now, we have very few healthcare organizations that have security programs based on the NIST framework. ... It's a level of discipline in developing an information security environment that's not mainstream in healthcare," says McMillan, CEO of CynergisTek Inc.
With the HIPAA Omnibus Rule enforcement deadline looming on Sept. 23, and random HIPAA security audits expected to resume in the months to come, HIPAA compliance is now top-of-mind for many healthcare organizations.
One of the most important reasons for healthcare entities to consider using the NIST guidelines "is because those are the ones the Department of Health and Human Services Office for Civil Rights references in all of their documentation and rules they publish for HIPAA privacy and security," he says in an interview with Information Security Media Group.
For instance, to avoid having to report a breach under the HIPAA breach notification rule, including the updated version under HIPAA Omnibus, organizations must encrypt data in conformance with NIST guidance, he points out. And the HIPAA Security Rule's risk assessment requirement is "patterned after NIST guidelines for risk analysis," he says.
"The government has always opted to reference guidance that is developed by a credible government source," he says. "In this case, NIST actually produces guidelines for the industry to follow with respect to security and IT systems."
One of the biggest mistakes that healthcare organizations make when considering applying the NIST guidance to their data security efforts is incorrectly concluding that they all represent strict requirements with little flexibility, McMillan says. "They basically present an approach and methodologies that are considered best practices ... but they leave latitude to the user or system owner to determine what makes sense in their environment."
In the interview, McMillan also discusses:
- Other guidelines besides those from NIST that healthcare organizations can consider for their information security programs;
- How the NIST guidelines can help healthcare entities in conducting a risk analysis;
- Suggestions for navigating and implementing NIST guidelines.
McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based consulting firm specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of the Healthcare Information and Management Systems Society's privacy and security task force.
McMillan is the featured speaker in an webinar on HIPAA audit preparation.