
NIST SP 800-66r2 ipd INITIAL PUBLIC DRAFT

IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE

HIPAA Security Rule Resources (Informative)


This appendix lists resources (e.g., guidance, templates, tools) that regulated entities may find useful for complying with the Security Rule [Sec. Rule] and improving the security posture of their organizations. For ease of use, the resources are organized by topic. This listing is not meant to be exhaustive or prescriptive, and the order of resources within a topic does not indicate priority. Regulated entities may consult these resources when they need additional information or guidance about a particular topic.


Risk Assessment/Risk Management: The assessment, analysis, and management of risk to ePHI provide the foundation for a regulated entity’s Security Rule compliance efforts. While regulated entities are free to use any risk assessment/management methodology that effectively protects the confidentiality, integrity, and availability of ePHI, the resources listed below may be helpful.

• Security Risk Assessment Tool [SRA Tool] – Designed to help regulated entities conduct a security risk assessment as required by the HIPAA Security Rule. Regulated entities should be aware that use of the SRA Tool or any risk assessment/management tool does not necessarily equate to compliance with the HIPAA Security Rule’s risk analysis requirement.

• Security Risk Assessment Tool v3.2 User Guide – Assists regulated entities in completing the SRA Tool.

• Framework for Improving Critical Infrastructure Cybersecurity [NIST CSF] – Consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps the owners and operators of critical infrastructure manage cybersecurity-related risk.

• Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients – Sets forth a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to cost-effectively reduce cybersecurity risks for regulated entities.

• Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations – Contains technical details for implementing cybersecurity practices. It provides an overview of cybersecurity practices that have been identified by the industry as highly effective at mitigating risks to the healthcare industry.

• Protecting the Healthcare Digital Infrastructure: Cybersecurity Checklist – Outlines several hardware, software, and cybersecurity educational items that organizations should consider and implement to protect their digital infrastructure.

• Health Sector Cybersecurity Coordination Center (HC3) Threat Briefs – Highlight relevant cybersecurity topics and raise the Healthcare and Public Health (HPH) sector’s situational awareness of current cyber threats, threat actors, best practices, and mitigation tactics.

• Health Sector Cybersecurity Coordination Center (HC3) Sector Alerts – Provide high-level, situational background information and context for technical and executive audiences. Designed to assist the sector with the defense against large-scale and high-impact vulnerabilities.
