[ Wednesday, September 28, 2016 ]
HHS' HIPAA guidance doesn't reach NIST standards
That's the GAO's conclusion, and they're right. However, while NIST's Cybersecurity Framework (CSF) is a good place to get guidance and a worthy goal for any entity looking to secure its data, it isn't actually required. HIPAA applies to every covered entity, and the vast majority of covered entities (think one-doctor practices) won't have the infrastructure, much less the potential for loss or breach, that would warrant a full-blown CSF-aligned security program.
Expectations and requirements must both be reasonable, and the Security Rule itself says as much: it lets a covered entity take into account its size, complexity, technical capabilities and the cost of security measures when deciding how to meet the standards. HIPAA-covered entities should look at the CSF, especially
the crosswalk between the Security Rule and the CSF that OCR has published. But don't feel inadequate if you can't hit every target; instead, aim for the reasonable measures that fit your organization. Besides, your Privacy Rule compliance is going to give you a lot more comfort in meeting Security Rule requirements than fretting over technical controls that are beyond your organization's ability.
Jeff [1:09 PM]