By Jack Anderson
April 27, 2015
NIST guidelines are the Industry Standard for HIPAA Risk Assessment
Here is what HHS has to say:
“Although only federal agencies are required to follow guidelines set by NIST, the guidelines represent the industry standard for good business practices with respect to standards for securing e-PHI.” (Guidance on Risk Analysis Requirements under the HIPAA Security Rule, http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf)
There is a lot of confusion and misinformation about HIPAA risk assessment (also called risk analysis), starting with those who think a short HIPAA checklist will suffice. If you are a sole proprietor with a single computer and very limited access to PHI, that might work; if you have staff or access to even modest quantities of PHI, it will not.
As the HHS statement above says, the National Institute of Standards and Technology (NIST) guidelines are the industry standard. There are 102 questions that must be answered to meet the NIST guidelines. Like the Ten Commandments, you don’t get to choose which ones you want to obey; it is a package deal. Some consultants and vendors give lip service to the NIST standards but don’t follow all of them.
The key to making the NIST standards work is automation. For example, the federal government developed the Security Content Automation Protocol (SCAP) so that it could quickly and efficiently measure the compliance of computers across government organizations; the task would have been impossible using manual methods. A SCAP scanner, when run against a workstation, reports back on the security status of that workstation in seconds. This answers a number of the critical questions contained in the NIST guidelines.
Another set of questions is centered on policies and procedures. They need to be up to date, tailored to the organization, and followed by staff. And of course you need documented training of staff.
Once the NIST HIPAA Risk Assessment has been completed, the Gap Analysis delivers a prioritized list of risks that must be remediated. This begins the cycle of compliance: Risk Assessment, Remediation, Training, and then a new Risk Assessment demonstrating progress. That is what HHS is looking for: a plan, implementation of the plan, and documentation of compliance.
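To show how a SCAP scanner's output feeds the gap analysis described above, here is an added example (not from the original post or any vendor's product) that reads an XCCDF 1.2 result document, tallies the rule outcomes, and turns the failed rules into a severity-ordered remediation list. The result fragment, its rule identifiers and their severities are constructed for illustration, not taken from a real scan.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by SCAP-conformant scanners for their result documents.
XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}
# Remediation order: highest severity first; anything unrecognised sorts last.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed XCCDF TestResult fragment standing in for one workstation's scan output.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_ws01">
  <rule-result idref="xccdf_example_rule_disk_encryption" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_screen_lock" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_av_installed" severity="high"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_login_banner" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_host_firewall" severity="medium"><result>notapplicable</result></rule-result>
</TestResult>"""


def _rule_results(xccdf_xml):
    """Yield (rule id, severity, result) for every rule-result in the document."""
    root = ET.fromstring(xccdf_xml)
    for rr in root.iterfind(".//xccdf:rule-result", XCCDF_NS):
        result_el = rr.find("xccdf:result", XCCDF_NS)
        result = (result_el.text or "").strip() if result_el is not None else "unknown"
        severity = (rr.get("severity") or "unknown").lower()
        yield rr.get("idref"), severity, result or "unknown"


def summarize(xccdf_xml):
    """Count outcomes (pass, fail, notapplicable, ...) so progress can be tracked scan over scan."""
    counts = {}
    for _, _, result in _rule_results(xccdf_xml):
        counts[result] = counts.get(result, 0) + 1
    return counts


def gap_list(xccdf_xml):
    """Failed rules ordered by severity, then rule id: the prioritized remediation list."""
    failed = [
        {"rule": rule_id, "severity": severity}
        for rule_id, severity, result in _rule_results(xccdf_xml)
        if result == "fail"
    ]
    failed.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], 4), r["rule"]))
    return failed


if __name__ == "__main__":
    print(summarize(SAMPLE_RESULT))
    for item in gap_list(SAMPLE_RESULT):
        print(f"{item['severity']:<7} {item['rule']}")
```

Re-running the same tally after remediation, and keeping both reports, gives the documented progress between assessments that the post says HHS looks for.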