Supply chain, Compliance Management, Asset Management, Cloud Security

New guidance by cloud group, federal agency target HIPAA compliance and vendor risk

New CSA guidance and an update from NIST aim to support healthcare entities with addressing HIPAA Security Rule requirements and prevalent third-party vendor risks. (Photo credit: "College of DuPage Hosts Multi-Discipline Health Simulation 126" by COD Newsroom is licensed under CC BY 2.0.)

The Cloud Security Alliance released new guidance aiming to support healthcare delivery organizations with managing third-party vendor risk, while NIST has updated its healthcare cybersecurity insights to support compliance with the Health Insurance Portability and Accountability Act Security Rule.

Issued July 21, the NIST update targets HIPAA Security Rule implementations to ensure the confidentiality and integrity of electronic protected health information, including lab results, prescriptions, vaccinations, and hospital records.

NIST cybersecurity specialist Jeff Marron said the updates are meant to make the previously released publication “more of a resource guide” and “more of a refresh than an overhaul.” It includes actionable steps organizations can take to improve their overall cybersecurity posture and HIPAA Security Rule compliance.

To be clear, NIST is not authorized to create HIPAA regulations. Rather, the guide aligns with the agency’s mission to provide entities with cybersecurity guidance. The update accounts for the more than 400 industry responses it received to its pre-draft call for feedback last year.

The guidance structure has only shifted slightly and now has an increased emphasis on risk assessments and management. According to Marron, NIST mapped all of the HIPAA Security Rule elements to the NIST Cybersecurity Framework subcategories and controls.

In the end, NIST intends to integrate the finalized healthcare cybersecurity guidance with the NIST CSF.

NIST is seeking comment on the proposed changes, including the format, possible improvements, and potential additions to the techniques and threats, among other elements noted in the document’s note to reviewers. The comment period is open until Sept. 21.

CSA guidance on third-party risks for healthcare sector

The latest Cloud Security Alliance insights were drafted by the Health Information Management Working Group and provide an overview of healthcare's greatest third-party vendor security risks, as well as program tools, examples, and use cases. The report tackles why third-party risks hit healthcare the hardest and outlines best-practice methods for identifying, assessing, and mitigating vendor risks.

Given that vendors were behind the largest healthcare data breaches reported so far this year, the guidance should help healthcare entities understand and address ongoing vendor risks to the enterprise.

Vendor “risks are even more prevalent in the healthcare industry due to the lack of automation and the proliferation of digital applications and medical devices used, time-consuming and costly vendor risk assessment procedures, and the lack of fully deployed critical vendor management controls,” said James Angle, Ph.D., the paper’s lead author and co-chair of the Health Information Management Working Group, in the release.

Healthcare entities should leverage the CSA paper to better understand those risks, as well as suggestions for creating a plan to detect, respond to, and mitigate those threats to meet regulatory and compliance requirements. The guidance also includes additional vendor considerations, such as cloud, automation, and tracking program effectiveness.

“Failing to assess risks and implement effective monitoring controls appropriately can be costly in terms of both potential penalties and reputation,” said Michael Roza, a CSA contributor, in a statement.

As healthcare entities continue to “focus limited resources on core organizational objectives and contract out support services, making an effective third-party risk management program [is] essential,” he added.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
