NIST 800-66r2 is evolving HIPAA incident response guidelines – here’s what you need to know

By Shawn Hays, Senior Product Manager – Security, Compliance, and Identity, at Microsoft

When the Biden administration released its National Cybersecurity Strategy, it was the latest signal that the federal government plans to increase its focus on data protection. NIST 800-66r2 is another prominent signal for healthcare organizations in particular.

NIST 800-66r2 provides updated implementation guidance for HIPAA-regulated entities to use as they assess and manage electronic protected health information (ePHI) risks. When combined with the changing tides of consumer privacy, emerging regulations like the National Cybersecurity Strategy and NIST 800-66r2 underscore how crucial it is for healthcare organizations to protect sensitive patient data proactively.

Microsoft has broken down the proposed revisions to NIST 800-66r2 into a three-part series to help healthcare organizations understand what is needed to achieve compliance. This article covers part two of the series, which is focused on incident response. For even more insight into the implementation guidance, read the first article in the series that addresses identity and access management.

Incident response is becoming more comprehensive

Regarding implementation guidance around incident response, NIST 800-66r2 makes it a point to state twice that HIPAA-regulated entities must “ensure that the incident response program covers all parts of the organization in which ePHI is created, stored, processed, or transmitted.”

This has been – and continues to be – a big ask for healthcare organizations, as the growing adoption of telehealth and related virtual-care technologies has greatly increased the number of locations where ePHI is created, stored, processed and transmitted. No longer can healthcare organizations limit their efforts to on-premises repositories and physical files. Instead, they must broaden their scope to include OT and IoT devices, hybrid cloud and multicloud networks, third-party applications and more. In addition, the threat vectors created by virtual healthcare broaden the scope of “all parts,” and telehealth evokes additional HIPAA compliance implications.

This concern isn’t unique to the healthcare sector, either. The rising adoption of hybrid-cloud and multicloud solutions has created a complex security landscape for numerous industries. According to Gartner, 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio, while 12% have 46 or more. This creates an expanded attack surface that can be difficult for security teams to monitor accurately, with critical security alerts often getting lost in the shuffle. The Orca Security 2022 Cloud Security Alert Fatigue Report found that as many as 55% of IT professionals say that their team missed critical alerts in the past due to ineffective recommendation prioritization – often on a weekly, or even daily, basis.

This creates an opportunity for cybercriminals. Cybercrime now costs more than USD 6.9 billion, according to IC3, and Microsoft alone tracks a growing list of 35 ransomware families and more than 250 unique nation-states, cybercriminals and other threat actors. Looking at ransomware specifically, the healthcare sector accounted for 20% of all of Microsoft’s ransomware incident and recovery engagements in 2022. These figures point to an urgent need for healthcare organizations to develop comprehensive incident response plans.

NIST 800-66r2 breaks incident response down into four key parts. According to the guidance, organizations should:

So, what tools should healthcare organizations be looking at in order to align with NIST 800-66r2?

AI can lighten the security load

Cybersecurity solution providers have made enormous advances in recent years. A significant factor in this progress is the growing use of artificial intelligence (AI). With many organizations facing a shortage of resources and a critical cybersecurity skills gap, AI can help alleviate the burden on security teams while improving cyber protections overall. The key is to look for security solutions that can work holistically across the organization’s entire technology stack.

Because NIST 800-66r2 necessitates that organizations create an incident response plan for all areas in which ePHI is created, stored, processed or transmitted, the first step is to identify all of those places. After all, healthcare organizations can’t protect something if they don’t know that it exists. Unified cloud-native application protection platforms (CNAPPs) can help.

CNAPPs secure and protect cloud-native applications in development and production by integrating previously siloed security and compliance capabilities into a single, easy-to-reference platform. This can help reduce the risk of missed security alerts or gaps in protection by bringing unifying all security intelligence under a single umbrella. Another option is to look for a cloud infrastructure entitlement management (CIEM) solution that can manage permissions risks for any identity or resource within the infrastructure. CIEM solutions are especially useful in understanding what resources are being accessed and ensuring that the right identities have the right permissions to meet their security levels and needs.

Cyber threats are more prevalent than ever, particularly in the healthcare sector. However, with cybersecurity having made enormous advances in recent years, AI can go a long way towards alleviating the burden placed on security teams while also improving protections for patient data. Regulations like NIST 800-66r2 serve as a great starting point that healthcare organizations can reference to ensure they’re in compliance.

Source: Read Full Article