Using NIST Special Publications (SP) 800-171r2 and 800-172/800-172A to assess and evaluate the cybersecurity posture of information systems in the healthcare sector
Thomas P. Dover

TL;DR
This paper demonstrates how NIST SP 800-171r2, 800-172, and 800-172A can be used to evaluate and improve the cybersecurity posture of healthcare information systems, aligning security standards with HIPAA and HITECH requirements.
Contribution
It provides a methodology for applying NIST security publications to assess healthcare IT security and supports formal risk assessment processes.
Findings
The security requirements in the NIST publications align with HIPAA Security Rule requirements.
The approach gives a structured, repeatable way to evaluate the cybersecurity posture of healthcare information systems.
The approach supports formal risk assessment procedures.
Abstract
This paper describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations), SP 800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP 800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of information systems and supporting frameworks relative to HIPAA and HITECH. It demonstrates that the provisions and baseline security requirements outlined in SP 800-171r2 and SP 800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to Electronic Protected Health Information (ePHI). An explanation of how these publications align with HIPAA, and of why this alignment suffices for evaluating the security of an IT environment, is given along with the process and…
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Information and Cyber Security
