A big update for organizations building HIPAA-compliant software: in February 2024, the National Institute of Standards and Technology (NIST) finalized its updated resource guide. This document helps you understand and follow the HIPAA Security Rule, building on NIST’s earlier work from 2008.
The Vitamin cybersecurity department examined these regulations and how they relate to creating compliant SaaS products. Let’s see what they’ve discovered.
NIST Updates Its HIPAA Guidebook
Although the HIPAA Security Rule was established in 1998, many healthcare entities remain vulnerable to cybersecurity threats and leaks. Among other reasons, that’s because covered entities may struggle to implement HIPAA-compliant software and procedures.
The HHS periodically releases updates and adjustments to the Act to accommodate these entities and their evolving needs. The latest update arrived this February when the National Institute of Standards and Technology (NIST) released updated HIPAA guidance. Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide is meant to help covered entities comply with the HIPAA Security Rule.
What Does the Guide Say?
The HIPAA Security Rule is flexible and adaptable, with scalable procedures for PHI protection. The Resource Guide provides a range of customizable recommendations, suiting various needs and levels of cybersecurity maturity.
This guide breaks down each Security Rule standard into key PHI protection activities. As such, it’s helpful for regulated entities who can’t adopt HIPAA successfully using the Act alone.
The NIST HIPAA Guide contains these helpful sections:
- Key activities. Everything an organization might do to achieve HIPAA compliance, like security management, assigning responsibilities, and having procedures for incidents.
- Descriptions. Expansions of each activity, complete with suggested implementation strategies. It’s a step-by-step guide to assessing risks and finding ways to mitigate them.
- Sample questions. Our favorite section because it encourages organizations to think critically about their cybersecurity practices. If the answer to any is ‘no,’ it’s grounds for further work.
Here’s how it looks in practice:
Then there’s risk assessment.
HIPAA-compliant software includes two types of controls: required and addressable. The former is necessary for all covered entities and third parties, while each organization may choose some of the latter. The new guide contains a section on risk assessments, detailing the seven steps to evaluate your organization and determine the necessary addressable controls.
Additional Resources
The Cybersecurity and Privacy Resource Tool (CPRT) has been updated. Companies can click through from basic to specific tools to help them understand and adopt cybersecurity measures.
Within this document, the latest NIST HIPAA guide is available in PDF form. Have your teams examine them to emphasize security.
Also, check out the revised NIST’s Cybersecurity Framework (CSF). It provides guidelines and best practices for organizations to improve their cybersecurity posture, regardless of sector or industry. While not specific to healthcare, many providers and third parties use the NIST CSF as a foundation for their security programs.
CSF 2.0 Informative References contain practical tips to apply this standard. The Quick Start Guides are great for organizations starting their security journey.
Other resources for good healthcare technology practies include ONC's strategy for health IT for 2030. Security is one of its core features, as are broader implementation and health equity.
What Does This Mean for Healthcare Software Development?
According to NIST, what is the key to HIPAA compliance? Here are our takeaways:
- Understand NIST guidelines. Familiarize yourself with NIST Special Publication 800-66 Rev 2. It outlines best practices and recommendations for securing ePHI.
- Conduct risk assessments. Follow NIST’s recommended risk assessment methods to identify potential risks to ePHI.
- Determine access controls. Control employee access to sensitive data by restricting it based on necessity and implementing strict access protocols.
- Install cybersecurity measures. Implement cybersecurity practices like network security and malware protection to safeguard data per NIST and HIPAA.
- Data encryption. Encrypt data during transmission and storage to mitigate security risks in case of breaches.
- Audit your HIPAA-compliant software. Conduct periodic audits, including policy reviews, access control assessments, and encryption checks.
- Train the end-users. Provide comprehensive training on HIPAA principles and data security policies to all staff who handle medical information. As a developer, you can organize demos to ensure everybody’s on the same page.
The risk assessment and mitigation have to be long-term, too. Assess and update procedures, policies, and security systems regularly to meet compliance requirements.
The Vitamin Approach to Healthcare Security
The Vitamin team considers security a top priority while developing HIPAA-compliant software for healthcare. The infographic below contains the basics of our approach. To learn more, visit our healthcare compliance and security page.
Final Thoughts & Next Steps
The updated NIST guide for HIPAA-compliant software is a milestone in boosting healthcare cybersecurity. It clarifies existing regulations and lets healthcare providers efficiently improve their security standing.
Healthcare providers and vendors, as well as software developers, should prioritize NIST guidelines. This guide made the task easier and brought us closer to a secure, digitized ecosystem of secure patient data and excellent healthcare outcomes.
Need help with creating and maintaining HIPAA-compliant software? The Vitamin team is several clicks away as your trusted strategic partner for building compliant healthcare SaaS. Talk with our leadership, cybersecurity, or engineering teams about the best implementation and adherence strategies.