Using NIST Special Publications (SP) 800-171r2 and 800-172/800-172A to assess and evaluate the Cybersecurity posture of Information Systems in the Healthcare sector
This work addresses cybersecurity evaluation for healthcare systems, but it is incremental as it adapts existing NIST frameworks to a specific domain without introducing new methods.
This paper tackles the problem of assessing cybersecurity in healthcare information systems by applying NIST Special Publications 800-171r2 and 800-172/172A to evaluate and align with HIPAA and HITECH requirements for protecting Electronic Protected Health Information (ePHI). It demonstrates that these NIST provisions can be used to assess IT environment security and support formal risk assessment in the healthcare sector.
This paper describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations), SP.800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of information systems and supporting frameworks relative to HIPAA and HITECH . It will demonstrate that provisions and baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to Electronic Protected Health Information (ePHI). An explanation of how these publications align with HIPAA and how this alignment suffices for evaluating IT environment security will be given along with the process and procedure for performing such evaluation. Finally, the benefits of using this approach to support formal risk assessment will be presented.