The Future of HIPAA and Changes to NIST 800-66: Access Control and Information Access Management
We can peer somewhat into the future of the Health Insurance Portability and Accountability Act (HIPAA) and overall healthcare data security policy by following the trend in heightened attacks against healthcare providers and proposals for new Federal policy, but there are also key signs for healthcare providers and Electronic Health Records (EHR) system vendors when reviewing the possible changes to National Institute of Standards and Technology (NIST) Special Publication 800-66 (NIST 800-66). NIST 800-66r2 Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide, is “designed to help the industry maintain the confidentiality, integrity and availability of electronic protected health information, or ePHI.” 1 There are two subjects emphasized and woven throughout the newly published NIST 800-66r2 Draft. The first is risk analysis and management, and the second is access management. Interestingly, an entire risk management section is injected into the document, and both topics have more net new content than others throughout the draft. It is for this reason I’d like to highlight some of the new guidance, implications for these additions, and potential capabilities within Microsoft 365 and Azure that can address it.
