NIST and HIPAA Compliance


The National Institute of Standards and Technology (NIST) became involved in HIPAA after issuing the publication "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule". This publication provides guidelines for how organizations should implement and oversee a HIPAA security program, and it includes a crosswalk showing how NIST publications map to HIPAA safeguards. Organizations building solutions that handle protected health information (PHI) can use this document as a guide for aligning NIST guidance with healthcare regulatory requirements.


How is HIPAA Different Than NIST?

The NIST Cybersecurity Framework (NIST CSF) provides a standardized framework for securing infrastructure. The NIST CSF is a voluntary framework that security teams may adopt to set security standards across the organization. Unlike specific regulations, organizations face no penalties or fines for non-compliance with NIST. Nonetheless, the goal of the NIST CSF is to serve as a single source of guidance that CISOs can look to when dealing with fragmented cybersecurity regulations.

The Health Insurance Portability and Accountability Act (HIPAA) dictates how patient data and protected health information (PHI) must be protected. Business associates (BAs) and other organizations that handle PHI must comply with all HIPAA regulations. HIPAA requires organizations to address administrative safeguards through administrative policies and to implement technical safeguards including audit logging, backup and disaster recovery, and vulnerability scanning. HIPAA leaves a lot of room for interpretation in terms of how security is implemented. But with organizations facing fines of up to $250K per violation, creating a standardized security plan is a major priority for teams managing HIPAA. Organizations often adopt the NIST CSF and implement NIST security controls alongside HIPAA safeguards and controls.


NIST and HIPAA Management

The Dash Compliance Automation Platform provides organizations with the ability to configure and manage HIPAA compliance in the public cloud. HIPAA safeguards in Dash are mapped to NIST security controls, so organizations can build a HIPAA security plan that connects to the NIST CSF and their existing security standards. Dash provides custom HIPAA administrative policies built around the organization's structure and technologies. These policies and controls connect to Dash Continuous Compliance Monitoring, which scans your cloud environment for compliance issues and provides steps for remediation. With Dash your team can streamline your HIPAA security program and connect it to your existing NIST controls and security plan. Dash empowers security teams to:

  • Create custom administrative policies and controls
  • Create HIPAA security controls alongside NIST security controls
  • Monitor for cloud security concerns related to HIPAA and NIST
  • Remediate and resolve compliance concerns in AWS