Risk and Maturity Assessments In Health Care And The NIST CSF
Conducting a cybersecurity risk or control-maturity assessment in the healthcare industry is a complicated undertaking with unique industry-specific challenges. This article provides a brief synopsis of a few of the risk assessment frameworks currently used in the healthcare industry and discusses how the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF)[1] has influenced healthcare-based assessments.
Overview: Cybersecurity Risk Assessments in Health Care
The Health Insurance Portability and Accountability Act (HIPAA) of 1996[2], together with subsequent modifications and proposed changes to the HIPAA rules, directly influences cybersecurity compliance and protections in the healthcare industry.
For example, as of January 2021, the Office for Civil Rights (OCR) has proposed modifications to the HIPAA rules[3] to strengthen privacy and online access rights for individuals reviewing their private electronic health records (EHRs).[4] EHRs are protected by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.[5]
Covered Entities and Business Associates (referred to as CEs and BAs in this article) are any individual, organization, or agency that conducts activities involving information about an individual's medical treatment.[6] Any organization meeting the HIPAA definition of a CE or BA is required to conduct an annual cybersecurity risk assessment.
Health-industry risk assessments are big business, as there is no single prescribed framework, model, or method for conducting a HIPAA-based cybersecurity assessment. Currently, healthcare-related risk assessments are based on the HIPAA Security Risk Assessment (SRA) Tool, the HITRUST CSF, the NIST CSF, or other in-house security frameworks.
Integration of the NIST CSF and Health Care Risk Assessments
The network attack surface of most CEs and BAs continues to grow through the widespread use of EHRs, online patient portals, legacy medical software and hardware, and the interconnected procedures of healthcare organizations.[7] Additional challenges include healthcare executives' unwillingness, or lack of funds, to augment cyber protections, misconfigured cloud security, unsecured mobile devices, ransomware, and IoT exploits through wearable or implanted devices.[8]
The NIST CSF addresses general cybersecurity protections for critical infrastructure's electronic data at rest or in transit. By itself, it is not an effective tool for evaluating cyber safeguards for personally identifiable health information.[9] HIPAA-specific requirements for protecting Electronic Protected Health Information (ePHI) are mandatory for compliance with the HIPAA Security Rule.[10] Building on the integration of the NIST CSF and the HIPAA Security Rule, various tools have been developed and made available to health-industry businesses, such as the frameworks listed below:
- Crosswalk/NIST CSF Matrix[11]
- HIPAA Security Risk Assessment Tool (SRA) version 3.2[12]
- HITRUST CSF ver. 9.2 to NIST CSF ver. 1.1[13]
NIST CSF/HIPAA-Based Risk Assessment Tools
Crosswalk/NIST CSF Matrix: The "Crosswalk" matrix assessment tool integrates the HIPAA Security Rule and the NIST CSF. The Crosswalk was developed by NIST and the Office of the National Coordinator for Health IT (ONC),[14] in response to the HITECH Act of 2009 and the Cybersecurity Information Sharing Act of 2015 (CISA).[15] The Crosswalk correlates the protections of the Security Rule with those of the NIST CSF. The tool is available as a downloadable PDF from the Department of Health and Human Services website.[16]
HIPAA Security Risk Assessment Tool (SRA) version 3.2: The SRA Tool is available for download from HealthIT.gov. A complete review of the tool is beyond the scope of this article. It covers the administrative, physical, and technical controls that should be in place to safeguard ePHI.
HITRUST CSF: This method is a compliance and certification path developed by the Health Information Trust Alliance (HITRUST). It integrates the NIST CSF's functional domains, NIST SP 800-53, the HIPAA Security Rule, and ISO 27001, and it can be tailored to an organization's HIPAA cybersecurity compliance targets. The HITRUST framework defines three implementation levels, correlated to the organization's size and its capability to protect ePHI and related health data. Depending on the implementation level, the tool is free or requires a substantial certification cost.[17]
Conducting a HIPAA-Based Risk Assessment
A healthcare cybersecurity risk assessment should always begin with activities addressing due care and due diligence and ensuring that best practices are implemented. Next, determine whether the organization meets the HIPAA Covered Entity or Business Associate definitions in 45 CFR § 160.103.[18]
This can be done easily by completing the online Q&A decision tool.[19] The second step is to research the available healthcare risk assessment tools and determine which framework best meets the business's compliance and security needs. Financial, staffing, and other available resources should be known before a HIPAA-based cybersecurity assessment tool is selected.
Last, if the organization already has a cybersecurity framework, evaluate how it can be incorporated to support integration with HIPAA-specific risk assessments. Overall, the healthcare risk assessment framework selected should be appropriate to the size and capabilities of the organization and to its goal of identifying and reducing risks and vulnerabilities.
Risk assessments in the healthcare industry are complex and require a combination of research and planning. They also require a unique combination of cybersecurity skills related to healthcare IT, auditing, security governance, and knowledge of regulatory and legal compliance requirements. "HIPAA Training," "Implementing a HIPAA Compliance Program," and the "HCISPP Certification Path" are courses offered by Cybrary to augment this unique skill set.
1. NIST. (2021). The NIST Cybersecurity Framework. National Institute of Standards and Technology (NIST). Retrieved on January 28, 2021, from: https://www.nist.gov/cyberframework
2. U.S. Congress. (1996, Aug. 21). Public Law 104-191, Aug. 21, 1996, Health Insurance Portability and Accountability Act of 1996. 104th Congress, H.R. 3103. Retrieved on February 25, 2021, from: https://www.congress.gov/104/plaws/publ191/PLAW-104publ191.pdf
3. HHS. (2021, Jan. 21). Proposed modifications to the HIPAA Privacy Rule to support, and remove barriers to, coordinated care and individual engagement. Department of Health and Human Services, 45 CFR Parts 160 and 164 [Docket No.: HHS-OCR-0945-AA00] RIN 0945-1100. Federal Register, Vol. 86, No. 12, Thursday, January 21, 2021. Retrieved on February 25, 2021, from: https://www.govinfo.gov/content/pkg/FR-2021-01-21/pdf/2020-27157.pdf
4. National Archives. (2021, Feb. 23). 45 CFR § 164.524 (Title 45, Subtitle A, Subchapter C, Part 164, Subpart E, 164.524), Access of individuals to protected health information. Code of Federal Regulations. Retrieved on February 25, 2021, from: https://ecfr.federalregister.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.524
5. OCR. (2017, Jun. 16). HITECH Act Enforcement Interim Final Rule. Office for Civil Rights (OCR). Retrieved on February 25, 2021, from: https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
6. HHS. (2017, Jun. 16). Covered entities and business associates. Department of Health and Human Services. Retrieved on February 25, 2021, from: https://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
7. Calyptix Security. (2017, Jun. 13). Ten biggest problems in healthcare cybersecurity. Retrieved on February 25, 2021, from: https://www.calyptix.com/hipaa/10-biggest-problems-in-healthcare-cybersecurity/
8. Eddy, N. (2019, Feb. 8). Five cybersecurity threats healthcare faces in 2019 and beyond. Healthcare IT News. Retrieved on February 25, 2021, from: https://www.healthcareitnews.com/news/5-cybersecurity-threats-healthcare-faces-2019-and-beyond
9. Hales, M. (2020, Feb. 25). NIST and HIPAA Risk Analysis. The HIPAA E-Tool. ET&C Group, LLC. Retrieved on February 25, 2021, from: https://thehipaaetool.com/nist-and-hipaa-risk-analysis/
10. OCR. (2020, Sept. 30). The Security Rule. Office for Civil Rights (OCR), Department of Health and Human Services. Retrieved on February 25, 2021, from: https://www.hhs.gov/hipaa/for-professionals/security/index.html
11. HHS. (2021). Crosswalk Assessment tool. Department of Health and Human Services. Retrieved on February 26, 2021, from: https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
12. HealthIT.gov. (2010). Security Risk Assessment Tool. Retrieved on February 26, 2021, from: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
13. NIST. (2021). HITRUST CSF. National Institute of Standards and Technology. Retrieved on February 26, 2021, from: https://www.nist.gov/cyberframework/informative-references/informative-reference-catalog/hitrust-csf-v92-nist-csf-v11
14. OCR. (2016, Feb. 23). Addressing gaps in cybersecurity: OCR releases Crosswalk between HIPAA Security Rule and NIST Cybersecurity Framework. Office for Civil Rights, Department of Health and Human Services. Retrieved on February 25, 2021, from: https://www.hhs.gov/hipaa/for-professionals/security/nist-security-hipaa-crosswalk/index.html
15. U.S. Congress. (2015, Mar. 17). S.754 - 114th Congress (2015-2016) - To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes. Retrieved on February 25, 2021, from: https://www.congress.gov/bill/114th-congress/senate-bill/754
16. HHS. (n.d.). HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework. Department of Health and Human Services. Retrieved on February 25, 2021, from: https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
17. Pierce, R. (2018, Sept. 26). What is HITRUST? A practical guide to certification. Linford & Co, LLP. Retrieved on February 26, 2021, from: https://linfordco.com/blog/what-is-hitrust/
18. National Archives. (2021, Feb. 23). 45 CFR § 160.103 Definitions (Title 45, Subtitle A, Subchapter C, Part 160, Subpart A, § 160.103). Code of Federal Regulations. Retrieved on February 25, 2021, from: https://ecfr.federalregister.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-A/section-160.103
19. CMS. (n.d.). Are you a covered entity? Centers for Medicare and Medicaid Services (CMS). Retrieved on February 25, 2021, from: https://www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/AreYouaCoveredEntity