HHS OCR and NIST Revamp Cybersecurity Guidance for the Health Care Industry

Introduction

The health care sector continues to experience a significant rise in cyberattacks, endangering care delivery and patient safety.¹ Consequently, the federal government—including the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) and the National Institute of Standards and Technology (“NIST”)— has issued a string of new guidance and efforts, consistent with the Biden administration’s March 2023 National Cybersecurity Strategy, to bolster cybersecurity practices.² The latest of these efforts include (1) HHS OCR and NIST jointly issuing the final version of the Special Publication 800-66 Revision 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (the “Cybersecurity Resource Guide”)³ on February 16, 2024, and (2) NIST releasing Version 2.0 of its Cybersecurity Framework (the “Cybersecurity Framework”)⁴ on February 26, 2024. As discussed in this alert, both the Cybersecurity Resource Guide and the Cybersecurity Framework offer actionable steps that health care entities can take to build or improve upon their cybersecurity risk mitigation strategies and compliance efforts.

Overview of Updates to the Cybersecurity Resource Guide

The HIPAA Security Rule is “flexible, scalable, and technology-neutral”⁵ and thus does not provide a standard compliance approach. As such, the Cybersecurity Resource Guide provides extensive, adaptable guidelines relevant to each standard of the HIPAA Security Rule, taking into consideration various entity sizes, risk thresholds and cybersecurity maturity levels. While the Cybersecurity Resource Guide largely reiterates the guidance set forth in the draft version published in July 2022,⁶ the Cybersecurity Resource Guide presents some substantive updates, including:

• Clarifying the difference between a HIPAA security “risk analysis” as “an accurate and thorough assessment of the threats and vulnerabilities to [electronic protected health information (ePHI)]” and a security “risk assessment” as a “process by which a regulated entity can determine the level of risk to ePHI”;⁷
• Replacing an appendix that mapped HIPAA Security Rule standards and implementations specifications to relevant NIST publications with the online NIST Cybersecurity and Privacy Reference Tool (“CPRT”), where users can interactively map the HIPAA Security Rule to a broader set of NIST cybersecurity and privacy standards, guidelines and frameworks in customizable formats; and
• Moving a list of cybersecurity resources for HIPAA regulated entities from an appendix to an online reference on specific topics (e.g., telehealth/telemedicine, mobile device security, ransomware and phishing, medical device security, cloud services, internet of things used in health care, application security and supply chain) organized based on an entity’s complexity.

The Cybersecurity Resource Guide provides detailed approaches that HIPAA covered entities and business associates may use in assessing and managing risk to ePHI. For example, the Cybersecurity Resource Guide provides detailed guidance for conducting a security risk assessment, as required by the HIPAA Security Rule, which largely mirrors previous guidance issued by HHS.⁸ Furthermore, the Cybersecurity Resource Guide provides “structured, flexible, extensible, and repeatable” risk management guidance that HIPAA covered entities and business associates can use to manage identified risks and implement risk-based protection of ePHI. These guidelines may be tailored based on the types, amount, and level of security risks that an organization’s senior leaders are willing to accept.

Overview of Updates to the Cybersecurity Framework

The updated Cybersecurity Framework seeks to assist all organizations to manage and reduce cybersecurity risks. Importantly, the Cybersecurity Framework expands the core functions (i.e., identify, protect, detect, respond, recover) of a successful cybersecurity program by adding a sixth function, “govern,” which focuses on corporate governance’s role in making informed cybersecurity decisions and especially managing supply chain risks. Governance specifically entails:

• Understanding and assessing your organization’s specific cybersecurity needs.
• Developing a tailored cybersecurity risk strategy.
• Establishing defined risk management policies.
• Developing and regularly communicating organizational cybersecurity practices.
• Establishing and monitoring cybersecurity supply chain risk management by incorporating requirements into contracts and involving partners and suppliers in planning, response, and recovery.
• Analyzing risks at regular intervals and monitoring them continuously.

Implications and Next Steps

HIPAA covered entities and business associates should consider carefully reviewing the Cybersecurity Resource Guide, in conjunction with the Cybersecurity Framework and supplementary, topic-specific guidance, to implement or enhance their HIPAA Security Rule compliance infrastructure in accordance with the benchmarks set forth therein.

For instance, when conducting security risk assessments, HIPAA covered entities and business associates should consider aligning their policies, procedures and practices to those benchmarks set forth in the Cybersecurity Resource Guide, as follows:

1. Prepare for a risk security assessment. Prior to conducting the security risk assessment, HIPAA covered entities and business associates should understand and note where ePHI is created, received, maintained, processed, transmitted and stored. This inventory must include all parties, systems and devices to which ePHI is transmitted, maintained, processed or stored, including, but not limited to, remote workers, third-party service providers, computing devices and applications.
2. Identify reasonably anticipated threats. Identify all potential natural, human and environmental threat events and sources that impact the entity’s ability to protect ePHI (e.g., ransomware, insider threats, phishing, environmental threats and natural threats).
3. Identify potential vulnerabilities and predisposing conditions. Identify vulnerabilities⁹ or predisposing conditions that can be exploited by threat events and sources.¹⁰
4. Determine the likelihood that a threat will exploit a vulnerability. For each threat event or source identified in #2, the HIPAA covered entity and business associate should consider the likelihood that the threat will occur and the likelihood that an occurred threat would exploit a vulnerability identified in #3 (e.g., very low, low, moderate, high, very high).
5. Determine the impact of a threat exploiting a vulnerability. Determine the impact to ePHI if a threat were to exploit a vulnerability, taking into consideration how the threat may affect the loss or degradation of the confidentiality, integrity and/or availability of ePHI.
6. Determine the level of risk. Assess the level of risk, taking into consideration the overall likelihood of threat occurrence in #4 and resulting impact in #5. The Cybersecurity Resource Guide provides a detailed risk-level matrix, which aligns the rating scales used for the likelihood and impact in #4 and #5.
7. Document the security risk assessment results. Document the security risk assessment results in a risk register. Notably, the results will allow HIPAA regulated entities and business associates to identify appropriate security controls to best reduce risk to ePHI.

When conducting risk management activities, covered entities and business associates should consider determining what constitutes an acceptable level of risk to ePHI and addressing any vulnerabilities as necessary. Thereafter, and consistent with the Cybersecurity Resource Guide, covered entities and business associates should assess whether the risks were reduced to acceptable levels. For example, an organization may determine that ransomware attacks pose a high level of risk to ePHI. After implementing required HIPAA Security Rule implementation specification standards, the organization may determine that the level of risk to ePHI due to ransomware attacks has been reduced to “low” even though the likelihood of a ransomware attack is still rated “high.” On the other hand, if it is determined that the risks cannot be reduced to acceptable levels, covered entities and business associates should consider implementing additional security safeguards. 

The Cybersecurity Resource Guide helpfully provides a catalog of HIPAA Security Rule implementation specification standards mapped to relevant NIST standards (e.g., data-at-rest is protected)¹¹ and NIST security controls (e.g., data encryption)¹² set forth in prior NIST guidance and suggests that covered entities and business associates may benefit from consulting the catalog to identify certain cybersecurity outcomes and related controls (e.g., technical and non-technical security controls) to reduce risk to ePHI. Importantly, the updated Cybersecurity Framework may provide additional cybersecurity risk mitigation best practices and implementation tools for a wide range of organizations with varied degrees of cybersecurity sophistication.

While neither the Cybersecurity Resource Guide nor the Cybersecurity Framework is binding on HIPAA covered entities and business associates, it is prudent for such entities to consult with these resources to ensure compliance with the HIPAA Security Rule and to demonstrate diligent efforts in the event they are ever investigated by HHS OCR. If you have any questions about interpreting or implementing the guidance set forth in the Cybersecurity Resource Guide or the Cybersecurity Framework, please do not hesitate to contact one of the authors or your Ropes & Gray advisor.