In today’s connected world, cyber-attacks are increasing in impact, frequency, and complexity. Healthcare providers have become an attractive target for cyber-attacks because of the sensitive health information available on their digital networks. It is therefore critical for healthcare organizations to raise their game in maintaining data security. For the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) is the backbone of all CyberSecurity and Privacy initiatives. The objective of HIPAA is to protect the electronic protected health information (ePHI) an organization creates or maintains, through the implementation of appropriate technical capabilities: conducting or reviewing a security Risk Analysis, implementing necessary security updates, and correcting identified security deficiencies as part of its Risk Management process.

As the CyberSecurity landscape evolves, HIPAA can be used as the starting point for putting a comprehensive CyberSecurity program in place. For example, mapping the HIPAA security and privacy rules to the NIST CyberSecurity Framework (CSF) and then implementing the gaps identified can be a robust step towards achieving mature CyberSecurity.

Integrate HIPAA into a Standard CyberSecurity Framework:

In the healthcare space, entities regulated by HIPAA must comply with the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of the electronic protected health information (ePHI) that they create, receive, maintain, or transmit. Because CyberSecurity has broad coverage and is not limited to one system, any connected network, system, or server can become an attack vector, even the printer. Organizations therefore need to ensure that policies and procedures are in place for all interconnected systems, not just the EHR.

If a covered entity has an existing security program aligned to the HIPAA Security Rule, the entity can map sections of that program to the corresponding parts of the NIST CyberSecurity Framework, assess which requirements it is already meeting, and identify which represent new practices to incorporate into its risk management program.


Association between HIPAA, NIST CSF and other CyberSecurity Frameworks

There is a lot of commonality in the security controls suggested by HIPAA and the NIST CSF.

Organizations need to map controls between CyberSecurity frameworks and the HIPAA Security Rule so that they can efficiently identify potential gaps in their programs. Addressing these gaps can bolster their compliance with the Security Rule and improve their ability to secure ePHI and other critical information and business processes, without wasting effort and time implementing duplicate controls.

Organizations need to put in place processes to assess the business impact and likelihood of different risks, using a risk matrix and scoring algorithms.

Hospitals can integrate their information into one central library and achieve a single source of truth. Risk assessments can then be performed on a regular basis using automation, reducing human effort and error.

The following table shows some of the HIPAA controls that map to NIST CSF controls and CyberSecurity requirements.




The HIPAA crosswalk document identifies many such “mappings” between the CyberSecurity Framework and the HIPAA Security Rule. This mapping document also allows organizations to communicate activities and outcomes regarding their CyberSecurity program, internally and externally, by using the CyberSecurity Framework as a common language. Although these requirements can be fulfilled manually, in today’s organizations there are too many departments sending too many communications in different formats. As a result, the risk management process ends up buried in documents, spreadsheets and emails, with challenges that include:



An IT GRC solution enables you to operationalize the mappings provided by HHS and NIST. It can also give you mappings to the NIST SP 800-53 security and privacy controls. The result is a complete controls catalog and a unified testing framework that allows you to test against HIPAA requirements and the NIST CyberSecurity Framework (CSF) simultaneously, without wasting effort on duplicate work. With all controls and control mappings available, you can focus on improving the Cyber Risk posture of your organization instead of spending time tracking emails and spreadsheets.

With the solution’s risk scoring algorithms, organizations can easily determine the business impact and likelihood of different risks, feeding the single source of truth and the automated, regular risk assessments described above.

With role-based access, organizations can achieve enterprise-wide visibility into the Self-Assessments program, get alerts from various channels, obtain real-time intelligence on compliance issues, and gain support in identifying and prioritizing potential opportunities for improvement. With Advanced Reporting, organizations can bring together information that was previously in silos to create insightful reports, achieve a holistic near-real-time view of the organization, and proactively plan their CyberSecurity efforts.

Cyberattacks come quietly, cause immense damage, and are gone by the time you become aware of them. Organizations can stay prepared by adopting automation tools that anticipate where a cyber-attack is likely to succeed by identifying gaps in the system. In today’s competitive environment, manual processes are time- and resource-consuming and inefficient. In terms of compliance fulfillment, organizations that lack enterprise-wide visibility also waste a lot of time and effort implementing duplicate controls, because of the overlap between the NIST CyberSecurity Framework, the HIPAA Security Rule, and the other security frameworks that help them safeguard health data in uncertain times.

MetricStream has developed a pre-packaged IT GRC solution focused on the needs and challenges of small and mid-sized enterprises, which helps in:

• Establishing a consistent CyberSecurity Framework that supports “Test once, comply with many”

• Getting buy-in from senior executives by giving them a common view of the Cyber Risk posture

• Operating on a future-proof platform that will address ever-increasing Cyber Risk

GRC tools can help with a common taxonomy and control harmonization, saving a lot of time and removing human error. Organizations can gain the ability to implement control mapping in a single day. In short, GRC technology makes compliance easier and helps protect you from regulatory penalties and future breaches.
