Skip to main content

NIST guidance on managing IoT(Internet of Things) cybersecurity and privacy

Compliance Key -  HIPAA Webinar in United States
Overview
To date the only specific requirement relating to the National Institute of Standards and Technology ("NIST") Standards in the Security Rule does not require compliance with any NIST Standard but rather exempts covered entities from having to report breaches if they meet either of two NIST standards-the encryption standard or the disposal standard. The Security Breach Notification Rule only requires reporting of breaches of "unsecured" PHI. 45 C.F.R.  164.400-414. If data is encrypted or disposed of consistent with those two standards, it is secured, and, hence, unreportable

With the increasing number of cybersecurity breaches since HIPAA became law, DHHS recognized that more attention needed to be paid to improving cybersecurity and focused on the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and developed a crosswalk between it and the HIPAA Security Rule. It provides a policy framework of computer security guidance for how private sector organizations in the U.S. can improve their ability to prevent, detect, and respond to cyber attacks.

NIST publications, many of which are required for federal agencies, can serve as voluntary guidelines and best practices for state, local, and tribal governments and the private sector, and may provide enough depth and breadth to help organizations of many sizes select the type of implementation that best fits their unique circumstances. NIST security standards and guidelines (Federal Information Processing Standards [FIPS], Special Publications in the 800 series), which can be used to support the requirements of HIPAA and may be used by organizations to help provide a structured, yet flexible framework for selecting, specifying, employing, and evaluating the security controls in information systems.

Although not a specific reference like the one above re reporting, HHS has referenced the NIST standards in several places as a valuable resource and has provided a crosswalk between the HIPAA
Why should you attend this webinar?
With the increasing number of cybersecurity breaches since HIPAA became law, DHHS has become more aggressive in penalizing covered entities and business associates for breaches of Protected Health Information ("PHI") Privacy and Security with civil money penalties (fines) as high as high as $5.5 million and with the majority in the seven-figure range. Many of these fines could have been avoided if the entity had encrypted or destroyed the PHI consistent with the NIST standards. While HIPAA does not require encryption or that level of destruction, in terms, if encryption or destruction consistent with the NIST standards is employed, the possible compromise is not considered a breach and need not be reported to the Department of Health and Human Services ("DHHS") for possible enforcement action.
Additionally, the Security Rule is very vague and only requires "reasonable and appropriate security measures. But what are such measures? In recent guidance, DHHS has released a crosswalk developed with NIST and the Office of the National Coordinator for Health IT ("ONC"), that identifies "mappings" between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule. Use of this crosswalk will help covered entities and business asssociates ensure that their security measures are reasonable and appropriate. If one follows the NIST guidance, it would be extremely difficult for HHS or any court to find that a healthcare information security system was anything but reasonable and appropriate.
Areas Covered in the Session:
  • What is IoT
  • What is NIST?
  • What are the NIST Standards?
  • What does NIST have to do with HIPAA?
    • The HIPAA Security Rule's reporting requirement.
    • What is Secured PHI that need not be reported?
    • How does the NIST Encryption Standard secure data so it is not reportable?
    • How does the NIST Disposal Standard secure data?
  • What is the NIST Framework for Improving Critical Infrastructure Cybersecurity?
  • What is the Purpose of the Framework?
  • NIST Cybersecurity Risk and Privacy Risk Considerations.
  • Relationship Between Cybersecurity Risks and Privacy Risks.
  • Organizational Level Cybersecurity Risk and Privacy Risk Considerations.
  • Device-level Security Risk Mitigation.
  • Device-level Privacy Risk Mitigation.
  • Control Sets, Baselines, and Overlays.
  • Possible Pre-Market Controls for IoT Device Acquisitions.
  • NIST Key Steps in Risk Assessment.
  • Conclusion and Question and Answer
Who can Benefit:
HIPAA compliance officers, HIPAA Security Officers, HIPAA Privacy Officers, Healthcare IT Officers, CFOs, CEOs, COOs, CIOs, human resources directors, business office managers, administrators, medical records personnel, health information management professionals, health care attorneys, patient accounts managers, billing services, physicians, dentists, pharmacists, physical and occupational therapists, mental and behavioral health professionals, speech and language pathologists and audiologists, nurses, chiropractors, and business associates.


Labels:
Location: United States

Comments

Post a Comment

Popular posts from this blog

New 2019 HIPAA Guidance on De-Identifying Protected Health Information

Compliance Key  -   HIPAA Compliance Training Overview This seminar will be addressing how practice/business managers or compliance officers need to get their HIPAA house in order, as HIPAA is now fully enforced and the government is not using kid gloves anymore. It will also address major 2019 changes taking place with the Health and Human Services regarding the enforcement of the HIPAA law as well as detailed discussions on the Phase 2 audit process and current events regarding HIPAA cases (both in courtrooms and from real-life Audits). Our instructor - Mr. Brian Tuttle  has over 20 years of experience in working as Compliance auditor and has been an expert witness on multiple HIPAA cases. He`ll thoroughly explain on HOW and in WHAT scenarios patients can claim for cash remedies. More importantly, Brian will show you how to limit those risks by simply taking proactive steps and utilizing best practices. Why should you attend this seminar? This Seminar will go over s
Post a Comment
Read more

SOX Compliance: Accounts Receivable Risks and Controls

Overview The accounts receivable process includes the sub-cycles of acquiring and accepting customer orders; writing sales contracts; granting customer credit; shipping or otherwise delivering products or services; billing and recording sales and lease transactions; maintaining and monitoring accounts receivable; instituting effective collection procedures; recording and controlling cash receipts; establishing pricing and promotional activities; and properly valuing receivable balances. In management's selection of procedures and techniques of control, the degree of control implemented is a matter of reasonable business judgment. The common guideline used in determining the degree of internal controls implementation is that the cost of a control should not exceed the benefit derived. The Order to Cash Process (O2C) Process is comprised of several sub-processes that must have a foundation of internal controls for SOX 404 certification process. This webinar wil
Post a Comment
Read more

How to Return Manufacturing to America Using Total Cost of Ownership Analysis?

How to Return Manufacturing to America Using Total Cost of Ownership Analysis? Michele Nash-Hoff Michele is founder and president of ElectroFab Sales, a sales agency specializing in helping manufacturers select the right processes for their products since 1985. She is currently a director on the board of the and the San Diego Inventors Forum and is also Chair of the California chapter of the Coalition for a Prosperous America. Michele is the author of Rebuild Manufacturing - the key to American Prosperity and Can American Manufacturing Be Saved? Why We Should and How We Can available at www.amazon.com. She has written regular articles for IndustryWeek?s e newsline, as well as many other e........ Read More Overview Moving manufacturing offshore led to the loss of 5.8 million manufacturing jobs and the loss of 60,000 companies and since the year 2000. What was the impact on the American economy? Is manufacturing returning to America? In this webinar, expert
Post a Comment
Read more