NIST[1] and OCR[2] have published the final version of their guidance for improving cybersecurity and compliance with the HIPAA Security Rule.
The new guidance gives tailored direction to covered entities to improve cybersecurity risk assessment and management. It replaces the July 2022 cybersecurity HIPAA guidance draft.
The Security Rule:
For example, plan sponsors are given individual guidance, specified in tables "designated to initiate the thought process for regulated entities to implement the requirements of the Security Rule."
This guidance is meant to be used as a resource to assist regulated entities in complying with the HIPAA Security Rule and in improving their cybersecurity.
The guidance also emphasizes the importance of general cybersecurity training for the entire organization. It also emphasizes the importance of ensuring that HIPAA security standards work within the existing IT architecture. As far as workforce security, the guidance recognizes that training should coincide with each position's job description and responsibilities. For example, if the organization is a manufacturer with a self-insured health plan, should the entire organization receive HIPAA training, or should only the identified positions receive HIPAA training based on the roles and responsibilities that correlate with access to ePHI?
The guidance extends past the HIPAA Security Rule to highlight an organization's business need to safeguard data as "mission-critical." It cites ransomware attacks and large data breaches that cost millions of dollars, which make the safeguarding of data a business necessity. While the guidance cites patient protection, it may be applied across various industries that have federal mandates to protect data.