As part of your efforts to comply with rigorous HIPAA rules, your healthcare organization might benefit from implementing security and privacy controls outlined in National Institute of Standards and Technology (NIST) Special Publication 800-53. NIST is a non-regulatory agency that is part of the U.S. Department of Commerce. NIST 800-53 establishes a risk management framework for federal information systems and provides guidance for implementing security and privacy controls.
While HIPAA rules and HITRUST certification are familiar to most healthcare organizations, this NIST framework might be less so. But implementing NIST 800-53 controls can help your organization reduce risks, even if you are not required to comply with the framework.
This blog post answers some key questions about NIST and can help you determine its relevance to your healthcare organization. Specifically: Does your organization need to follow NIST 800-53? How can doing so be beneficial to your organization? What types of controls are offered? And what are the best ways to begin applying those controls?
What is NIST?
Founded in 1901, and originally named the National Bureau of Standards, NIST is one of the oldest physical science laboratories in the United States. It is a measurement standards lab that is now part of the U.S. Department of Commerce.
What is the purpose of NIST?
The organization was initially created by Congress to spur innovation and help make the country more competitive with European industrial rivals. Today it continues the mission of promoting innovation and industrial competitiveness by advancing measurement science, standards, and technologies. NIST strives to be the world’s leader in creating critical measurement solutions and promoting equitable standards.
What is NIST 800-53?
NIST 800-53 is a special publication first created by NIST in 2005. After several updates, the most recent version is Special Publication (SP) 800-53 Rev. 5, released in 2020. The publication’s purpose is to provide a catalog of security and privacy controls in an effort to protect organizations—and the country—from a variety of threats.
Who must comply with NIST 800-53?
Complying with NIST 800-53 is mandatory for all U.S. federal information systems, government agencies, departments, and contractors. But many other organizations also follow the guidance in the publication, including state and local governments, as well as private businesses in a range of industries. In fact, any organization with highly sensitive or regulated data can benefit from following the guidelines in NIST 800-53.
What are the benefits of NIST 800-53 for healthcare organizations?
Offering a comprehensive framework for security and privacy controls, NIST 800-53 can help you protect your healthcare business, your partners, and your customers from a wide array of threats. If NIST 800-53 compliance is not mandatory for your organization, you can select the controls that make the most sense for your business. Though NIST 800-53 is not specific to the healthcare industry, several of the controls outlined in the publication can help you achieve HIPAA compliance.
NIST 800-53 controls
The NIST 800-53 publication includes more than 1,000 security and privacy controls. Those controls are organized into 20 families.
Security and privacy control families
Each control family has guidance for implementing multiple processes, policies, and tools.
- Access Control: Managing access and enforcing policies.
- Awareness and Training: Educating employees about key threats and conducting role-based training.
- Audit and Accountability: Auditing records, conducting analyses, and retaining records.
- Assessment, Authorization, and Monitoring: Conducting assessments, assigning authorizations, implementing continuous monitoring, conducting penetration testing.
- Configuration Management: Establishing change control policies, setting configurations, inventorying system components.
- Contingency Planning: Preparing for adverse events by implementing business continuity policies and solutions.
- Identification and Authentication: Implementing multi-factor authentication, single sign-on, and other technologies.
- Incident Response: Training team members, conducting testing, and establishing processes.
- Maintenance: Defining maintenance tools and processes, and establishing maintenance personnel authorizations.
- Media Protection: Setting policies and procedures for using, accessing, sanitizing, and transporting media.
- Physical and Environmental Protection: Defining policies for physically accessing and protecting facilities.
- Planning: Creating security and privacy architectures and plans.
- Program Management: Establishing programs and teams for a variety of information security and privacy tasks.
- Personnel Security: Implementing policies for screening, providing access to, and terminating personnel.
- Personally Identifiable Information (PII) Processing and Transparency: Creating policies for accessing, processing, and sharing PII.
- Risk Assessment: Developing processes for evaluating current risks and monitoring vulnerabilities.
- System and Services Acquisition: Setting policies for purchasing an array of systems and services while controlling risks.
- System and Communications Protection: Isolating security functions, protecting against denial-of-service attacks, safeguarding boundaries, ensuring transmission confidentiality, and more.
- System and Information Integrity: Protecting against malicious code; monitoring systems; generating alerts; remediating flaws; and ensuring the integrity of software, firmware, and information.
- Supply Chain Risk Management: Applying supply chain controls and processes, maintaining provenance, and establishing acquisition strategies.
NIST compliance best practices
Given the comprehensive nature of the framework, NIST 800-53 can be overwhelming. Whether you must comply or are looking to implement a subset of controls that are relevant to your business, following a few best practices can streamline your efforts.
- Classify your data: Begin by assessing the data that you generate, process, share, and store. NIST recommends classifying data using formulas provided in Federal Information Processing Standards (FIPS) publication 199. According to FIPS 199, you should determine whether losing confidentiality, integrity, and availability of particular types of data will have a low, moderate, or high impact on your business.
Even if you don’t follow these FIPS guidelines precisely, you can still prioritize protection of particular data. For example, you might distinguish protected health information (PHI) from non-confidential enterprise data and then prioritize protection of PHI. - Conduct a risk assessment: Before you modify your security and compliance strategy, you need to understand your existing security and privacy posture. Are you currently complying with HIPAA rules for privacy and security? Are you doing everything you can to safeguard highly sensitive patient data? Identifying gaps and vulnerabilities is essential for moving forward. Working with an external partner can often help with this process.
- Develop your plan, select relevant controls: Once you have identified any security and privacy shortcomings, you can develop your plan for improving HIPAA compliance and—if necessary—achieving compliance with the NIST 800-53 framework. If NIST compliance is not necessary, you might decide to select controls from the areas where your organization needs improvement. Partnering with healthcare experts can help you map NIST 800-53 controls to HIPAA rules so you maximize the regulatory benefits of NIST guidelines.
- Ongoing monitoring and management: Remember that implementing new controls is not the end of the journey. Once you’ve improved security and privacy, and achieved compliance with applicable regulations, you need to continuously monitor your environment. In many cases, healthcare organizations benefit from working with healthcare-focused managed service providers that can automate continuous monitoring so they can stay focused on their core business goals.
Start benefiting from NIST 800-53
Though compliance with NIST 800-53 is required only for federal information systems, government agencies, and contractors, many healthcare organizations can benefit from this comprehensive framework. Implementing controls that enhance security and privacy can help healthcare businesses comply with industry-specific regulations and better protect highly sensitive data from a growing array of threats.
Ready to implement NIST 800-53? Contact the team at Cloudticity to learn how our managed cloud services can help you achieve NIST compliance.