The U.S. National Institute of Standards and Technology (NIST) has again revised Special Publication (SP) 800-66, originally released in March 2005 and first revised in October 2008, to update its cybersecurity guidance for the healthcare industry.
SP 800-66 was developed to help healthcare delivery organizations (HDOs) understand the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and provide a framework to support its implementation. The HIPAA Security Rule applies to any organization managing electronic protected health information (ePHI), whether they are a covered entity or a business associate (e.g., third-party vendor, supplier or partner). The rule requires organizations to:
This post examines the scope of HIPAA Security Rule risk assessments for third-party business associates, aligns SP 800-66 guidance to the Security Rule, and identifies capabilities in the Prevalent Third-Party Risk Management Platform that can address the requirements.
The HIPAA Security Rule includes provisions that require covered entities to conduct risk assessments, including:
SP 800-66r2 then recommends seven steps to include in a comprehensive risk assessment process.
Objectives: Understand where ePHI is created, received, maintained, processed or transmitted. Define the scope of the assessment.
How Prevalent Helps: Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.
Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored for financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.
Once third and fourth parties are identified, you can leverage the 200+ pre-defined assessment templates available in the Prevalent Platform to assess third-party business associates against NIST, HIPAA or other requirements.
Objectives: Identify the potential threat events and threat sources that are applicable to the regulated entity and its operating environment.
How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.
Objectives: Use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases.
How Prevalent Helps: Prevalent normalizes, correlates and analyzes information across inside-out risk assessments and outside-in monitoring. This unified model provides context, quantification, management and remediation support for risks. It also validates the presence and effectiveness of internal controls with external monitoring.
Objectives: Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability; Determine the impact (operational, individual, asset, etc.) that could occur to ePHI if a threat event exploits a vulnerability; Assess the level of risk (Low, Medium, High) to ePHI, considering the information gathered and determinations made during the previous steps.
How Prevalent Helps: The Prevalent Platform enables you to define risk thresholds and categorize and score risks based on likelihood and impact. The resulting heat map enables teams to focus on the most important risks.
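The likelihood, impact and risk-level determinations above are easier to reason about with a concrete scoring routine. The following is an added example, not code from the original post or from any vendor product: it rates a small, constructed third-party risk register on the Very Low to Very High scales named above, bins each finding into Low/Medium/High, builds the heat-map cells, and applies a risk threshold. The cell-to-level mapping (a binned product of the two ordinal ranks), the sample findings, and the vendor names are assumptions made for illustration.

```python
"""Qualitative likelihood x impact risk rating for a third-party risk register.

Added illustration. The five-point scales follow the Very Low .. Very High
wording used in the risk assessment steps; the mapping of each cell to
Low/Medium/High is an assumed, illustrative binning (not taken from SP 800-66r2
or from any product), and the findings below are constructed sample data.
"""
from collections import defaultdict

LIKELIHOOD = ["Very Low", "Low", "Moderate", "High", "Very High"]
IMPACT = ["Very Low", "Low", "Moderate", "High", "Very High"]
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood and an impact rating into Low/Medium/High.

    Assumed mapping: each rating is an ordinal rank 1..5 and the ranks are
    multiplied. A product of 12 or more (e.g. High x Moderate, Very High x High)
    is High; 4..11 (e.g. Low x Low, Moderate x Moderate, Very Low x Very High)
    is Medium; 1..3 (a Very Low factor against at most Moderate) is Low.
    Unknown rating strings raise ValueError rather than silently scoring Low.
    """
    score = (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)
    if score >= 12:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rate_register(findings):
    """Attach a risk level to every finding and sort highest risk first.

    Ties are broken by vendor and finding text so the output is deterministic,
    which matters when the register is diffed between assessment cycles.
    """
    rated = [{**f, "risk": risk_level(f["likelihood"], f["impact"])} for f in findings]
    return sorted(rated, key=lambda f: (-LEVEL_ORDER[f["risk"]], f["vendor"], f["finding"]))


def heat_map(rated):
    """Count findings per (likelihood, impact) cell for a 5x5 heat map."""
    cells = defaultdict(int)
    for f in rated:
        cells[(f["likelihood"], f["impact"])] += 1
    return dict(cells)


def above_threshold(rated, threshold="Medium"):
    """Return findings at or above the chosen risk threshold."""
    return [f for f in rated if LEVEL_ORDER[f["risk"]] >= LEVEL_ORDER[threshold]]


# Constructed sample findings for hypothetical business associates (not real data).
SAMPLE_FINDINGS = [
    {"vendor": "Billing vendor A", "finding": "ePHI exports stored on unencrypted laptops",
     "likelihood": "High", "impact": "Very High"},
    {"vendor": "Billing vendor A", "finding": "No MFA on remote access to claims portal",
     "likelihood": "Very High", "impact": "High"},
    {"vendor": "Transcription vendor B", "finding": "Penetration test older than 24 months",
     "likelihood": "Moderate", "impact": "Moderate"},
    {"vendor": "Cloud host C", "finding": "Unpatched public web server (no ePHI)",
     "likelihood": "Low", "impact": "Low"},
    {"vendor": "Cloud host C", "finding": "Stale subcontractor list",
     "likelihood": "Very Low", "impact": "Moderate"},
]

if __name__ == "__main__":
    register = rate_register(SAMPLE_FINDINGS)
    for f in register:
        print(f"{f['risk']:<6} {f['vendor']:<24} {f['finding']}")
    print("Heat map cells:", heat_map(register))
    print("At/above Medium:", len(above_threshold(register)))
```

Because the mapping is explicit and the sort is deterministic, two assessors given the same likelihood and impact ratings get the same register; disagreement is pushed back to the ratings themselves, where it belongs. Swap in your own binning if your program weights impact to ePHI more heavily than likelihood.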
Objectives: Document the results of the risk assessment.
How Prevalent Helps: With Prevalent, you can generate risk registers upon survey completion, integrating real-time cyber, business, reputational and financial monitoring insights to automate risk reviews, reporting and response. From the risk register, you can create tasks related to risks or other items; check task status via email rules linked to the platform; and leverage built-in remediation recommendations and guidance.
The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, and generating reports mapped to dozens of government regulations and industry frameworks, including NIST and HIPAA.
NIST SP 800-66r2 presents security measures that are relevant to each standard of the HIPAA Security Rule. Here we identify specific business associate measures and map Prevalent capabilities that help to satisfy the requirements.
NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.
1. Identify Entities that are Business Associates Under the HIPAA Security Rule
Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment. Note: This capability can also be used to address 5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) – 4. Other Arrangements; and 5. Business Associate Contracts with Subcontracts.
Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties and business associates during onboarding. From this inherent risk assessment, your team can centrally manage all business associates; automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.
2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met
Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments.
When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.
3. Written Contract or Other Arrangement
Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.
With these capabilities, you can ensure that the right clauses – such as security protections over ePHI and training – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.
Note: This capability can also be used to address 5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) – 1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule; and 2. Contract Must Provide that the Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI.
3. Contract Must Provide that Business Associates Will Report Security Incidents (5.4.1, § 164.314(a))
In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.
Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.
Prevalent can help organizations apply the principles of NIST SP 800-66r2 to address HIPAA Security Rule requirements for business associates. The Prevalent Third-Party Risk Management Platform:
For specific guidance on how Prevalent can help address the requirements in NIST SP 800-66r2 and support implementing the HIPAA Security Rule, download the complete compliance checklist or request a demo today.