NIST and HIPAA Compliance


The National Institute of Standards and Technology (NIST) became involved in HIPAA when it issued NIST Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”. The publication explains how organizations can implement and oversee a HIPAA security program, and it includes a crosswalk showing how NIST publications map to the HIPAA Security Rule safeguards. Organizations building solutions that handle protected health information (PHI) can use this document to align NIST guidance with healthcare regulatory requirements.


How Is HIPAA Different From NIST?

The NIST Cybersecurity Framework (NIST CSF) is a standardized, voluntary framework for managing cybersecurity risk that security teams can adopt to set security standards across an organization. Unlike a regulation, it carries no penalties or fines for non-compliance. Its goal is to give CISOs a single point of reference when dealing with fragmented cybersecurity regulations.

The Health Insurance Portability and Accountability Act (HIPAA) dictates how patient data and protected health information (PHI) must be protected. Covered entities and the business associates (BAs) that handle PHI on their behalf must comply with the HIPAA rules. The Security Rule requires organizations to address administrative safeguards (risk analysis, written policies, and contingency planning including backup and disaster recovery), physical safeguards, and technical safeguards such as access control, audit logging, and transmission security. Vulnerability scanning is not named in the rule, but it is a common way of meeting the risk analysis requirement. HIPAA leaves a lot of room for interpretation in how these safeguards are implemented, but with civil penalties that can reach $1.5 million per year for violations of a single provision and criminal fines of up to $250,000, creating a standardized security plan is a major priority for teams responsible for HIPAA. Organizations therefore often adopt the NIST CSF and implement NIST security controls alongside the HIPAA safeguards.


Why Are Healthcare Companies Utilizing NIST?

Healthcare organizations and their vendors are required by law to comply with HIPAA when handling protected health information (PHI), but the regulation's language is often vague. The addressable specification “Implement a mechanism to encrypt and decrypt electronic protected health information,” for example, says nothing about which algorithms, key lengths, or key management practices are acceptable. Security teams prefer objective, testable requirements, so they turn to NIST for that detail; HHS's own guidance on rendering PHI unusable points to NIST SP 800-111 for data at rest and SP 800-52 for data in transit.

The NIST CSF gives organizations a framework with a defined structure (functions, categories, and subcategories) and references to specific standards for implementing security controls. It is used by many Fortune 500 companies, and an organization's adoption of it can be objectively assessed. Because of this, hospitals and enterprise healthcare organizations are often more comfortable working with vendors that have adopted an industry-leading framework such as the NIST CSF or ISO/IEC 27001. A robust security program built around NIST signals that the organization has an established security team.


Using NIST and HIPAA Hand-in-hand

NIST SP 800-66 includes a crosswalk of the HIPAA Security Rule standards to NIST SP 800-53 controls, and HHS publishes a companion crosswalk from the Security Rule to the NIST CSF subcategories. This means an organization can satisfy HIPAA's safeguards while following the NIST framework as its one common control set, rather than maintaining two separate programs.

NIST's guide to implementing HIPAA gives organizations an outline for using its framework and control catalog to meet the Security Rule requirements. Organizations can use it as a starting reference when implementing NIST controls for HIPAA:

NIST SP 800-66 – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule


NIST and HIPAA Management

Dash ComplyOps provides organizations with the ability to configure and manage HIPAA compliance in the public cloud. HIPAA safeguards in Dash are mapped to NIST security controls, so organizations can build a HIPAA security plan that connects to the NIST CSF and their existing security standards. Dash provides custom HIPAA administrative policies built around the organization's structure and technologies. These policies and controls connect to Dash Continuous Compliance Monitoring, which scans your cloud environment for compliance issues and provides remediation steps. With Dash, your team can streamline its HIPAA security program and connect it to existing NIST controls and security plans. Dash empowers security teams to:

  • Create custom administrative policies and controls
  • Create HIPAA security controls alongside NIST security controls
  • Monitor for cloud security concerns related to HIPAA and NIST
  • Remediate and resolve compliance concerns in AWS