HIPAA tries to force healthcare organizations to protect patient data – but does it work? Any health IT professional will tell you, HIPAA compliance alone does not guarantee security. HIPAA is not a complete security framework and it’s not enough to protect ePHI. Many hospitals, doctor’s offices, and others – while striving for HIPAA compliance – also follow one or more security frameworks that have earned widespread respect and adoption in the infosec industry.
What is a cyber security framework?

A cyber security framework is a proven approach to developing the policies and procedures necessary to secure the confidentiality, integrity, and availability of information systems and data. In short: they are roadmaps for securing IT systems. Healthcare organizations can select from a number of frameworks that are widely respected and regularly maintained. This table shows the most popular cyber security frameworks in healthcare, according to the 2018 HIMSS Cybersecurity Survey. HIMSS surveyed 239 healthcare information security professionals from Dec. 2017 through Jan. 2018 for the report. When asked to list the network security frameworks used at their organizations, respondents could select multiple answers. Below, we highlight the most popular frameworks listed and note a few that didn’t make the cut.
Framework #1. NIST

The most popular security framework in healthcare is listed as “NIST”, with 57.9% of respondents reporting its use at their organizations. NIST is the National Institute of Standards and Technology, the U.S. agency that develops many technical standards and guidelines, including for information security. It’s one of the many agencies under the U.S. Department of Commerce. NIST maintains several documents that are widely considered gold standards for network and data security. While they are typically intended for U.S. federal agencies, they are also widely used in the private sector. Here are three of the most popular:
- NIST Framework for Improving Critical Infrastructure Cybersecurity – Version 1.1, published April 2018.
- NIST SP 800-53: Security and Privacy Controls for Federal Information Systems and Organizations – Revision 4, published Jan. 2015. (A draft of Revision 5 is also available.)
- NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – Revision 1, published Feb. 2018.