Leviathan Security Group - Penetration Testing, Security Assessment, Risk Advisory

Leviathan Security Group Offers Pre-Draft Comments on NIST SP 800-66, Implementing the HIPAA Security Rule

Leviathan Security Group recently submitted comments to the National Institute of Standards and Technology (“NIST”) on proposed updates to NIST SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST requested pre-Draft comments on revision 2 of SP 800-66 to be submitted by July 9, 2021.

Leviathan submitted general comments on what Revision 2 should cover, as well as specific feedback on updates needed to the standard, which was first published in 2008. As readers will be aware, a lot has changed in that time, including the explosive growth in cloud computing and Software as a Service (“SaaS”) tools. In our experience evaluating clients’ implementation of the HIPAA Security Rule and performing risk assessments, the common problem areas are:

Risk Assessment and Risk Management
Smaller clients often have limited skills in this area and do not understand their obligations, nor do they have subject matter experts in risk who can readily implement recommendations in this space, such as those in SP 800-30 and SP 800-39.

Incident Handling
Incident Handling is a wider industry problem, but given HIPAA breach determination and reporting requirements, robust incident handling is very important to this audience. Common pitfalls are incomplete plans, failure to follow plans, failure to maintain audit trails and other evidence, and failure to act with urgency to meet reporting obligations, often due to internal communication problems or unclear escalation paths.

Audit controls, logging, and monitoring
The lack of detailed logging and of retained log records often makes it difficult to fully determine the root cause and impact of incidents; the same records are also needed to conduct thorough access reviews. The lack of monitoring and alerting, particularly through automated means, leads to missed early warnings of incidents, or to unproductive staff time spent manually reviewing logs looking for, and often missing, anomalous events.

Workstation Use and Security
The guidance and controls on workstations were written for a time when ePHI was primarily processed on workstations located in physically secured office areas. Even before the pandemic, a significant number of workers were working in remote settings, on a wider range of devices than the rule anticipated, some of which may even be owned by the user. These all require different strategies to protect access to the data and processing tools, wherever the data now resides and on whatever device is capable of accessing it.

Reflecting an increased use of software tools by Covered Entities (“CEs”), Leviathan also commented that 800-66 r1 only refers to Business Associates (“BAs”) in those sections of the security rule which explicitly reference them. In our work, BAs are responsible for many parts, if not all, of the Security Rule as delegated from CEs; some BAs we work with process and hold far more ePHI volume than do many CEs.

As organizations continue to outsource computing services of all types and sizes to external providers, it is imperative that companies map data flows within the organization and to its external service providers and partners. Leviathan suggested the addition of a section on data flow mapping and analysis to the guidance. Understanding data flows between systems, into and out of the organization, and to users is essential to correctly implementing the protections mandated by the HIPAA Security Rule.

Leviathan further commented that the new draft should include examples that reflect the considerations for using a wide range of services. Leviathan raised the need to follow applicable guidance from the SP 800 series on topics such as cloud provider-based services. Existing examples primarily describe traditional healthcare delivery models of hospitals and clinics and do not cover the range of supporting services provided primarily by BAs. Many of these smaller service providers have limited security and privacy resources and are in particular need of practical guidance from NIST and others. Often, the most effective guidance for these smaller organizations is to procure services from established providers who can provide the needed controls and expertise to manage them.

Leviathan’s full comments are available to read online here.