Using NIST 800-66 to Achieve HIPAA Security Rule Third-Party Risk Management Compliance

Learn how NIST SP 800-66 can help you simplify business associate assessments against HIPAA Security Rule requirements.
Scott Lang
VP, Product Marketing
August 09, 2022

The U.S. National Institute of Standards and Technology (NIST) has again revised Special Publication (SP) 800-66, originally released in March 2005 and first revised in October 2008, to update its cybersecurity guidance for the healthcare industry.

SP 800-66 was developed to help healthcare delivery organizations (HDOs) understand the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and provide a framework to support its implementation. The HIPAA Security Rule applies to any organization managing electronic protected health information (ePHI), whether they are a covered entity or a business associate (e.g., third-party vendor, supplier or partner). The rule requires organizations to:

  • Ensure the confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information
  • Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated
  • Ensure compliance by their workforce

This post examines the scope of HIPAA Security Rule risk assessments for third-party business associates, aligns SP 800-66 guidance to the Security Rule, and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can address the requirements.

HIPAA Security Rule Business Associate Provisions

The HIPAA Security Rule includes provisions that require covered entities to conduct risk assessments, including:

  • Risk Analysis (R) – 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
  • Risk Management (R) – 164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with Section 164.306(a).

The Security Rule goes on to recommend seven steps to include in a comprehensive risk assessment process.

1. Prepare for the Assessment

Objectives: Understand where ePHI is created, received, maintained, processed or transmitted. Define the scope of the assessment.

How Prevalent Helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored for financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

Once third and fourth parties are identified, you can leverage the 750+ pre-defined assessment templates available in the Prevalent Platform to assess third-party business associates against NIST, HIPAA or other requirements.

2. Identify Realistic Threats

Objectives: Identify the potential threat events and threat sources that are applicable to the regulated entity and its operating environment.

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

3. Identify Potential Vulnerabilities and Predisposing Conditions

Objectives: Use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases.

How Prevalent Helps: Prevalent normalizes, correlates and analyzes information across inside-out risk assessments and outside-in monitoring. This unified model provides context, quantification, management and remediation support for risks. It also validates the presence and effectiveness of internal controls with external monitoring.

4.-6. Determine the Likelihood (and Impact) of a Threat Exploiting a Vulnerability; Determine the Level of Risk

Objectives: Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability; Determine the impact (operational, individual, asset, etc.) that could occur to ePHI if a threat event exploits a vulnerability; Assess the level of risk (Low, Medium, High) to ePHI, considering the information gathered and determinations made during the previous steps.

How Prevalent Helps: The Prevalent Platform enables you to define risk thresholds and categorize and score risks based on likelihood and impact. The resulting heat map enables teams to focus on the most important risks.

7. Document the Risk Assessment Results

Objectives: Document the results of the risk assessment.

How Prevalent Helps: With Prevalent, you can generate risk registers upon survey completion, integrating real-time cyber, business, reputational and financial monitoring insights to automate risk reviews, reporting and response. From the risk register, you can create tasks related to risks or other items; check task status via email rules linked to the platform; and leverage built-in remediation recommendations and guidance.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, and generating reports for dozens of government regulations and industry frameworks, including NIST, HIPAA and many more.
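As an added illustration of the seven steps above (this is example code written for this post, not code from Prevalent or from SP 800-66), the following script carries a small third-party risk assessment from threat identification through to a documented risk register. The five-point likelihood and impact scales, the likelihood-by-impact matrix that yields the Low/Medium/High risk level, and the three business associate entries are all constructed assumptions chosen to mirror the qualitative scales named in steps 4 through 6; an organization would substitute its own thresholds.

```python
"""Minimal HIPAA Security Rule style risk register (added example, not
Prevalent's code). Scales and matrix below are assumptions modelled on
the qualitative levels the seven-step process names."""
from dataclasses import dataclass, asdict
from enum import IntEnum
import json


class Level(IntEnum):
    """Assumed five-point scale used for both likelihood and impact."""
    VERY_LOW = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3
    VERY_HIGH = 4


# Assumed matrix for step 6: rows are likelihood, columns are impact,
# each cell is the resulting Low/Medium/High risk level.
RISK_MATRIX = [
    ["Low", "Low", "Low", "Low", "Medium"],         # likelihood VERY_LOW
    ["Low", "Low", "Low", "Medium", "Medium"],      # likelihood LOW
    ["Low", "Low", "Medium", "Medium", "High"],     # likelihood MODERATE
    ["Low", "Medium", "Medium", "High", "High"],    # likelihood HIGH
    ["Medium", "Medium", "High", "High", "High"],   # likelihood VERY_HIGH
]
RISK_RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Risk:
    business_associate: str  # step 1: third party that touches ePHI
    ephi_flow: str           # step 1: where ePHI is created/received/maintained/transmitted
    threat_source: str       # step 2
    threat_event: str        # step 2
    vulnerability: str       # step 3
    likelihood: Level        # step 4
    impact: Level            # step 5

    @property
    def risk_level(self) -> str:
        """Step 6: qualitative risk level from the likelihood/impact matrix."""
        return RISK_MATRIX[self.likelihood][self.impact]


class RiskRegister:
    def __init__(self) -> None:
        self._risks: list[Risk] = []

    def add(self, risk: Risk) -> None:
        self._risks.append(risk)

    def prioritized(self) -> list[Risk]:
        """Highest risk first; ties broken by likelihood, then impact."""
        return sorted(self._risks,
                      key=lambda r: (RISK_RANK[r.risk_level], r.likelihood, r.impact),
                      reverse=True)

    def needing_remediation(self, threshold: str = "Medium") -> list[Risk]:
        """Risks at or above the organization's chosen risk threshold."""
        return [r for r in self.prioritized()
                if RISK_RANK[r.risk_level] >= RISK_RANK[threshold]]

    def heat_map(self) -> dict:
        """Count of risks per (likelihood, impact) cell, the step-6 heat map view."""
        counts: dict = {}
        for r in self._risks:
            key = (r.likelihood.name, r.impact.name)
            counts[key] = counts.get(key, 0) + 1
        return counts

    def document(self) -> str:
        """Step 7: serialize the assessment results as a JSON record."""
        rows = []
        for r in self.prioritized():
            row = asdict(r)
            row["likelihood"] = r.likelihood.name
            row["impact"] = r.impact.name
            row["risk_level"] = r.risk_level
            rows.append(row)
        return json.dumps(rows, indent=2)


def build_sample_register() -> RiskRegister:
    """Constructed sample entries; the vendors and findings are fictitious."""
    reg = RiskRegister()
    reg.add(Risk("Example Billing Vendor (constructed)", "claims data transmitted via SFTP",
                 "external attacker", "credential theft against the SFTP account",
                 "no MFA on vendor SFTP accounts", Level.HIGH, Level.VERY_HIGH))
    reg.add(Risk("Example Backup Subcontractor (constructed)", "ePHI backups maintained at rest",
                 "insider", "unauthorized copy of backup volumes",
                 "backup encryption keys shared across tenants", Level.LOW, Level.HIGH))
    reg.add(Risk("Example Scheduling App (constructed)", "appointment records received via API",
                 "opportunistic scanner", "exploitation of an unpatched web component",
                 "public-facing component two major versions behind", Level.MODERATE, Level.LOW))
    return reg


if __name__ == "__main__":
    print(build_sample_register().document())
```

Running the script prints the register ordered High, Medium, Low; `needing_remediation("Medium")` returns the two entries that cross the assumed threshold and would become remediation tasks, and `heat_map()` gives the per-cell counts a dashboard would plot.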

Mapping Prevalent Capabilities to NIST SP 800-66r2 HIPAA Security Rule Requirements

NIST SP 800-66r2 presents security measures that are relevant to each standard of the HIPAA Security Rule. Here we identify specific business associate measures and map Prevalent capabilities that help to satisfy the requirements.

NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.

5.1.9 Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

1. Identify Entities that are Business Associates Under the HIPAA Security Rule

Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment. Note: This capability can also be used to address 5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) – 4. Other Arrangements; and 5. Business Associate Contracts with Subcontracts.

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties and business associates during onboarding. From this inherent risk assessment, your team can centrally manage all business associates; automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met

Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments.

When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

3. Written Contract or Other Arrangement

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With these capabilities, you can ensure that the right clauses – such as security protections over ePHI and training – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.

Note: This capability can also be used to address 5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) – 1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule; and 2. Contract Must Provide that the Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI.

5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a))

3. Contract Must Provide that Business Associates Will Report Security Incidents

In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.

Next Steps for HIPAA Security Rule Compliance Using NIST 800-66

Prevalent can help organizations apply the principles of NIST SP 800-66r2 to address HIPAA Security requirements for business associates. The Prevalent Third-Party Risk Management Platform:

  • Delivers comprehensive pre-contract due diligence assessments to calculate the inherent risk that business associates bring to a relationship
  • Simplifies contracting processes to ensure that all business associate key performance indicators (KPIs) and ePHI provisions are in place and tracked
  • Profiles and tiers all third parties, right-sizing ongoing due diligence according to criticality
  • Maps fourth parties to understand risk among subcontractors
  • Adds workflow to automate the assessment, risk scoring and remediation process
  • Continuously monitors business associates for cyber, business, reputational and financial risk, and correlates those risks against assessment results to validate findings
  • Automates incident response processes, speeding time to resolution
  • Includes compliance and risk reporting by framework or regulation

For specific guidance on how Prevalent can help address the requirements in NIST SP 800-66r2 and support implementing the HIPAA Security Rule, download the complete compliance checklist or request a demo today.


Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
