NIST Security Controls Enable HIPAA Compliance

Written by Maria Ramos, Eric Chuang and George Hondros on August 29, 2018

The exponential growth of new technologies is significantly reshaping the healthcare industry.

New trends such as cloud, mobile and wearable devices, among others, have given rise to innovative ways to manage, offer and deliver healthcare services.

As healthcare organizations adopt new technologies, they must apply reasonable and appropriate security controls to remain compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Government contractors that handle protected health information in the healthcare space are subject to the same obligation.

The HIPAA Security Rule sets the standards for safeguarding electronic protected health information (ePHI) against reasonably anticipated threats, hazards and unauthorized uses or disclosures. It requires administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of ePHI. Covered entities and business associates (including government contractors that handle ePHI) must also conduct a risk analysis and reduce the identified risks and vulnerabilities to a reasonable and appropriate level.

NIST SP 800-66 r1 (An Introductory Resource Guide for Implementing the HIPAA Security Rule) and NIST SP 800-53 r4 (Security and Privacy Controls for Federal Information Systems and Organizations) together provide a comprehensive set of controls that healthcare organizations can apply when pursuing HIPAA compliance. SP 800-66 r1 supplies the crosswalk from each Security Rule standard to SP 800-53 control identifiers; SP 800-53 supplies the control text itself.

Below are the NIST SP 800-53 controls supporting the administrative, physical and technical safeguards of the HIPAA Security Rule. Note that the crosswalk in SP 800-66 r1 predates r4 of SP 800-53, so a few of the identifiers listed (AC-13, AC-15, CA-4, CP-5, PL-6 and SC-9) were withdrawn in later revisions and their requirements folded into other controls (AC-2/AU-6, MP-3, CA-2, CP-2, PL-2 and SC-8 respectively). Check each identifier against the revision of the catalog you are actually assessing against before citing it in a control implementation statement.

Administrative Safeguards

Security Management Process (§ 164.308(a)(1)): Implement policies and procedures to prevent, detect, contain and correct security violations.

Supporting NIST SP 800-53 r4 controls: Risk Assessment (RA-1, RA-2, RA-3, RA-4), Planning (PL-6), Personnel Security (PS-8), Audit and Accountability (AU-6, AU-7), Security Assessment and Authorization (CA-7), Incident Response (IR-5, IR-6), System and Information Integrity (SI-4)

Assigned Security Responsibility (§ 164.308(a)(2)): Identify the security official responsible for the development and implementation of the entity’s policies and procedures.

Supporting NIST SP 800-53 r4 controls: Security Assessment and Authorization (CA-4, CA-6)

Workforce Security (§ 164.308(a)(3)): Implement policies and procedures to ensure that all workforce members have appropriate access to electronic protected health information and to prevent those who are unauthorized from obtaining access to this information.

Supporting NIST SP 800-53 r4 controls: Access Control (AC-1, AC-2, AC-3, AC-4, AC-5, AC-6, AC-13), Maintenance (MA-5), Media Protection (MP-2), Personnel Security (PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7)

Information Access Management (§ 164.308(a)(4)): Implement policies and procedures for authorizing access to electronic protected health information.

Supporting NIST SP 800-53 r4 controls: Access Control (AC-1, AC-2, AC-3, AC-4, AC-5, AC-6, AC-13), Personnel Security (PS-6, PS-7)

Security Awareness and Training (§ 164.308(a)(5)): Implement a security awareness and training program for all workforce members, including management.

Supporting NIST SP 800-53 r4 controls: Awareness and Training (AT-1, AT-2, AT-3, AT-4, AT-5), System and Information Integrity (SI-3, SI-4, SI-5, SI-8), Access Control (AC-2, AC-13), Audit and Accountability (AU-2, AU-6), Identification and Authentication (IA-2, IA-4, IA-5, IA-6, IA-7)

Security Incident Procedures (§ 164.308(a)(6)): Implement policies and procedures to address security incidents.

Supporting NIST SP 800-53 r4 controls: Incident Response (IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7)

Contingency Plan (§ 164.308(a)(7)): Implement policies and procedures for responding to an emergency or other occurrence (e.g., fire, vandalism, system failure or natural disaster) that damages systems that contain electronic protected health information.

Supporting NIST SP 800-53 r4 controls: Contingency Planning (CP-1, CP-2, CP-3, CP-4, CP-5, CP-6, CP-7, CP-8, CP-9, CP-10), Risk Assessment (RA-2)

Evaluation (§ 164.308(a)(8)): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information.

Supporting NIST SP 800-53 r4 controls: Security Assessment and Authorization (CA-1, CA-2, CA-4, CA-6, CA-7)

Business Associate Contracts and Other Arrangements (§ 164.308(b)(1)): A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information.

Supporting NIST SP 800-53 r4 controls: Security Assessment and Authorization (CA-3), Personnel Security (PS-7), System and Service Acquisition (SA-9)

Physical Safeguards

Facility Access Controls (§ 164.310(a)(1)): Implement policies and procedures to limit physical access to its electronic information systems and the facility (or facilities) in which they are housed, while ensuring that properly authorized access is allowed.

Supporting NIST SP 800-53 r4 controls: Physical and Environmental Protection (PE-1, PE-2, PE-3, PE-4, PE-5)

Workstation Use (§ 164.310(b)): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation, or class of workstation, that can access electronic protected health information.

Supporting NIST SP 800-53 r4 controls: Access Control (AC-3, AC-4, AC-11, AC-12, AC-15, AC-16, AC-17, AC-19), Physical and Environmental Protection (PE-3, PE-5, PE-6)

Workstation Security (§ 164.310(c)): Implement physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users.

Supporting NIST SP 800-53 r4 controls: Media Protection (MP-2, MP-3, MP-4), Physical and Environmental Protection (PE-3, PE-4, PE-5, PE-18)

Device and Media Controls (§ 164.310(d)(1)): Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility.

Supporting NIST SP 800-53 r4 controls: Configuration Management (CM-8), Media Protection (MP-1, MP-2, MP-3, MP-4, MP-5, MP-6), Personnel Security (PS-6), Contingency Planning (CP-9)

Technical Safeguards

Access Control (§ 164.312(a)(1)): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights.

Supporting NIST SP 800-53 r4 controls: Access Control (AC-1, AC-3, AC-5, AC-6)

Audit Controls (§ 164.312(b)): Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Supporting NIST SP 800-53 r4 controls: Audit and Accountability (AU-1, AU-2, AU-3, AU-4, AU-6, AU-7)

Integrity (§ 164.312(c)(1)): Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Supporting NIST SP 800-53 r4 controls: Contingency Planning (CP-9), Media Protection (MP-2, MP-5), System and Information Integrity (SI-1, SI-7), System and Communications Protection (SC-8)

Person or Entity Authentication (§ 164.312(d)): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

Supporting NIST SP 800-53 r4 controls: Identification and Authentication (IA-2, IA-3, IA-4)

Transmission Security (§ 164.312(e)(1)): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

Supporting NIST SP 800-53 r4 controls: System and Communications Protection (SC-9)

Key Takeaways: Implementing appropriate security controls is a critical task; where controls are missing or weak, the security posture of a healthcare organization or government contractor suffers accordingly.

Selecting the proper controls is itself a significant effort. It requires adequate resources to identify, from the catalog above, the controls that will protect organizational assets and keep security risk at a reasonable and appropriate level.


Warren Averett is an independent member of the BDO Alliance USA. This article was borrowed with permission from BDO USA, LLP.
