Background: NIST Special Publication (SP) 800-66
Healthcare organizations face many challenges from cybersecurity threats. These threats can have serious impacts on the security of patient data, the quality of patient care, and even the organization’s financial status. Healthcare organizations also must comply with regulatory requirements, such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, which focuses on safeguarding the electronic protected health information (ePHI) held or maintained by HIPAA covered entities and business associates (collectively, ‘regulated entities’).
Draft NIST Special Publication (SP) 800-66 Revision 2 provides practical guidance and resources that can be used by regulated entities of all sizes to safeguard ePHI. To that end, Draft NIST SP 800-66 Revision 2 aims to help organizations improve their overall cybersecurity posture, while also complying with the Security Rule.
What changes can we expect to see?
A draft of NIST SP 800-66 Revision 2 was released for public comment in July of 2022 and we received 250+ unique comments from several dozen individuals and organizations. Our goal is to publish a final version later this year.
Based on an adjudication of the comments, the following changes are planned for the final version of NIST SP 800-66 Revision 2 (we have plans for additional small updates, but this list covers the most impactful ones):
- We will include more specific resources for small, regulated entities.
We plan to collaborate with other public and private sector entities to help create these resources, which may include tools, use cases, or more specific guidance. We view the development of these resources as a separate effort from the final publication of NIST SP 800-66—but please stay tuned for more information about this in the coming months.
- We will clarify some areas of the document.
Many respondents asked for clarification on the terms ‘risk analysis’ and ‘risk assessment.’ The term ‘risk analysis’ cannot be eliminated because it is the term used in the Security Rule, and we will consistently refer to risk analysis as that which is required by the Security Rule—namely, an accurate and thorough assessment of the threats and vulnerabilities to ePHI. Risk assessment will refer to the process by which a regulated entity can determine the level of risk to ePHI. Draft NIST SP 800-66 Revision 2 provides a risk assessment process that regulated entities may use (see Section 3) and small, regulated entities may find benefit in using the HHS Security Risk Assessment (SRA) Tool.
We also received feedback that Draft NIST SP 800-66 Revision 2 referenced multiple versions of the SRA Tool—which could confuse readers. The final version will consistently point to the SRA Tool’s landing page.
- We will adjust the appendices.
We will make Appendix E - Security Rule Standards and Implementation Specifications Crosswalk more useful. Appendix E maps the Security Rule’s standards and implementation specifications to applicable security controls detailed in NIST SP 800-53, to Cybersecurity Framework (CSF) Subcategories, and to other relevant NIST publications. Our plan is to remove the Appendix E mapping from Draft NIST SP 800-66 Revision 2 and place it online on NIST’s Cybersecurity and Privacy Reference Tool (CPRT) website (there will still be an Appendix E, but it will simply contain a pointer to the mapping stored in CPRT). This will allow the mapping to be updated separately from the SP 800-66 update cycle.
Additionally, we will merge the existing mapping from Appendix E with the tables of key activities, descriptions, and sample questions for regulated entities in Section 5. We’re not removing the Section 5 tables; they will remain a useful reference for readers. But the mapping hosted in CPRT will be merged with the tables in Section 5—with a few columns added to illustrate for readers the relevant CSF Subcategories, SP 800-53 controls, and other NIST resources that map to each of the Security Rule standards and implementation specifications (as well as to the key activities, descriptions, and sample questions).
We will adjust Appendix F - HIPAA Security Rule Resources. We received many suggestions to extract the Resources, so we thought the Resources could instead be hosted online. Like Appendix E, this change would allow the Resources to be kept up to date separately from the NIST SP 800-66 update cycle. We’ve also decided to reorganize the resources within each topic area to progress from more foundational resources to more complex resources. This will allow small, regulated entities to focus on the earlier resources within each topic area. We also plan to add a full list of topic areas to the beginning of the resource listing, with active links that will take the reader directly to each respective topic area.
We truly appreciate your support, encouragement, and feedback along this journey. Feel free to reach out with any questions or comments to sp800-66-comments [at] nist.gov (and follow us on @NISTcyber and subscribe to our Cybersecurity Insights blog to stay updated in the future).