Submit Your Comments to NIST Regarding HIPAA Security

Aug 09, 2022

On July 21, the National Institute of Standards and Technology (NIST) published revised Special Publication 800-66, “Implementing the [HIPAA] Security Rule: A Cybersecurity Resource Guide,” and is accepting comments on the revised draft guidance until September 21.

(ISC)² is encouraging members with expertise in this area to submit their comments on the proposed changes to NIST prior to the deadline.

This updated guidance is aimed at helping healthcare organizations that fall under the regulatory umbrella of the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule.

According to NIST, the updated NIST SP 800-53’s latest draft has mapped all the elements of the HIPAA Security Rule to the Cybersecurity Framework subcategories.

NIST describes these changes as a refresh rather than an overhaul, with an emphasis on risk assessments and risk management. The guidance describes how to prepare for a risk assessment; how to identify potential threats and their likelihood of exploiting a vulnerability; how to determine the impact of a threat and risk levels; and how to document the results.

“One of our main goals is to help make the updated publication more of a resource guide,” Jeff Marron, a NIST information technology specialist, said in a press release. “The revision is more actionable so that healthcare organizations can improve their cybersecurity posture and comply with the Security Rule.”

HIPAA prohibits sensitive patient health information from being disclosed without patients’ consent or knowledge, while HIPAA’s Security Rule specifically focuses on protecting ePHI created, received, maintained, or transmitted by a healthcare organization. “NIST does not create regulations to enforce HIPAA, but the revised draft is in keeping with NIST’s mission to provide cybersecurity guidance,” the agency stated.

NIST is accepting comments on the revised draft guidance until Sept. 21.

For additional resources on this topic, check out these sources: “NIST Releases Draft Cybersecurity Resource Guide on Implementing the HIPAA Security Rule” and “NIST Updates Guidance on HIPAA Security Rule Compliance.”