Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, was issued by President Obama in 2013 and called for the development of a voluntary, risk-based cybersecurity framework (CSF) that is “prioritized, flexible, repeatable, performance-based, and cost-effective.” In response, the National Institute of Standards and Technology developed the NIST Cybersecurity Framework. The Framework was designed to help organizations manage and reduce cybersecurity risk, and to foster communication about risk and cybersecurity management.

Healthcare and health technology companies must comply with numerous state and federal requirements, including HIPAA. In an effort to help companies improve their cybersecurity strategy, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a crosswalk to map the physical, technical and administrative safeguards in the HIPAA Security Rule to a CSF subcategory or subcategories.

“We hear frequently from covered entities and business associates who say they are working hard in an increasingly challenging atmosphere to assure their PHI is adequately protected. We also know from our HIPAA enforcement work that far too frequently entities are leaving PHI vulnerable to breach and access by unauthorized persons,” the OCR stated.

“Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs. Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity’s ability to secure ePHI from a broad range of threats,” OCR stated.

While use of the Framework does not guarantee HIPAA compliance, and the HIPAA Security Rule does not require use of the NIST Cybersecurity Framework, the crosswalk was developed as a tool to help health tech and healthcare organizations manage risk in a comprehensive manner.

Health tech business associates (and covered entities) can use the crosswalk to evaluate their HIPAA obligations and take steps toward compliance.