[ Wednesday, September 28, 2016 ]
HHS' HIPAA guidance doesn't reach NIST standards:
Jeff [1:09 PM]
That's the GAO's conclusion, and they're right. However, while NIST's Cybersecurity Framework (CSF) is a good place to get guidance and a worthy goal for any entity looking for data security, it's not really required. HIPAA applies to every covered entity, and the vast majority of HIPAA covered entities (think one-doctor practices) won't have the infrastructure, much less the potential risk of loss or breach, that would warrant a full-blown CSF-compliant security plan.
Expectations and requirements must both be reasonable. HIPAA-covered entities should look at CSF, especially the crosswalk provided by OCR. But don't feel inadequate if you can't hit every target; instead, aim for the reasonable items. Besides, your Privacy Rule compliance is going to give you a lot more comfort in meeting Security Rule requirements than fretting about technical compliance requirements that are beyond your organization's ability.