CynergisTek Q&A Podcast with Information Security Media Group
In a recent interview, CEO Mac McMillan explains how important and helpful the National Institute of Standards and Technology (NIST) guidelines are for healthcare security programs. First, McMillan points out that NIST standards are relevant because the Office for Civil Rights (OCR) references NIST in its guidance for complying with HIPAA. He adds, “The government has always opted to reference guidance that is developed by a credible government source. In this case, NIST actually produces guidelines for the industry to follow with respect to security and IT systems.” McMillan reiterates that NIST is a very up-to-date and credible approach, which is why healthcare organizations should consider using it for their IT security programs. He says that there are several other credible frameworks for the industry, such as the ISO standards, but that many of them are based on and developed from NIST guidance.
McMillan also explains how NIST guidelines can be useful when conducting risk analysis, as required by the HIPAA Security Rule. McMillan says, “It lays out a logical process for an organization to follow.” He adds that healthcare organizations can use it as a step-by-step approach when conducting and documenting their risk assessment.
Later in the interview, McMillan provides tips for applying the NIST framework to a healthcare security program. He says that NIST “provides everything that a security practitioner would need in terms of what’s the requirement, how should I go about it and what should I consider.” He also provides insight on how to avoid mistakes when incorporating the NIST guidelines. McMillan says that NIST should not be treated as the set of requirements, because it is only meant to provide guidance when building it into a security program. He uses password standards as an example of how it should be used: NIST provides guidance on password management rather than dictating how often a password should be changed or how complex it should be, leaving it to the organization to decide how to apply that guidance in its own security program.