October 3, 2020. On September 23, 2020, the National Institute of Standards and Technology (NIST) published the final version of the draft of the fifth revision of Security and Privacy Controls for Information Systems and Organizations, also known as NIST SP 800-53-5, where SP means: Special Publication and 800 denotes series. The initial draft of the fifth revision was published over 4-1/2 years ago on February 23, 2016, and went through several draft revisions before the final version was published. The abstract of the NIST SP 800-53-5 as published by NIST is:
“This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy.”
This 483 page document is an important and rich source of information for addressing HIPAA Administrative, Physical, and Technical Safeguards. CAIPHI has created a crosswalk that links NIST Cybersecurity Framework and NIST 800-53-5 guidance for security controls to each HIPAA Safeguard Standard and Implementation Specification in its mobile, cloud-based platform: CyPHIcomply®. CyPHIcomply® is a data and documentation management tool for demonstrating compliance with the HIPAA Privacy, Security, and Breach Notification Rules. CAIPHI is updating the CyPHIcomply® crosswalk to reflect the September 20, 2020, release of the final version of NIST SP 800-53-5. Attached to this post is an example of the update for the Technical Safeguard Access Control Standard Implementation Specification:
Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
Also, see a short 3-minute demonstration of the functionality of CyPHIcomply®at: WATCH.
1) This document is accessible online at: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final.
| HIPAA Technical Safeguards | NIST SP 800-53-Rev.5 | NIST Cybersecurity Framework |
|---|---|---|
| SR TS 1.2 45 CFR 164.312(a)(2)(ii) Emergency Access Procedure (R) | ||
| ID. BE-4 Dependencies and critical functions for delivery of critical services are established |
||
| CP-8 Telecommunication Services | ||
| PE-9 Power Equipment and Cabling | ||
| PE-11 Emergency Power | ||
| PM-8 Critical Infrastructure Plan | ||
| SA-14 Criticality Analysis | ||
| ID.BE-5 Resilience requirements to support delivery of critical services are established for all operating states (e.g., under duress/attack, during recovery, normal operations) |
||
| CP-2 Contingency Plan | ||
| CP-11 Alternate Communications Protocols | ||
| SA-13 Trustworthiness | ||
| SA-14 Criticality Analysis | ||
| PR.AC-1 Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users, and processes. |
||
| AC-1 Policies and Procedures | ||
| AC-2 Account Management | ||
| IA-1 Policy and Procedures | ||
| IA-2 Identification and Authentication (Organizational Users) | ||
| IA-3 Device Identification and Authentication | ||
| IA-4 Identifier Management | ||
| IA-5 Authenticator Management | ||
| IA-6 Authentication Feedback | ||
| IA-7 Cryptographic Module Authentication | ||
| IA-8 Identification and Authentication (Non-Organizational Users) | ||
| IA-9 Service Identification and Authentication | ||
| IA10 Adaptive Authentication | ||
| IA-11 Re-Authentication | ||
| PR.AC-4 Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties |
||
| AC-1 Policies and Procedures | ||
| AC-2 Account Management | ||
| AC-3 Access Enforcement | ||
| AC-5 Separation of Duties | ||
| AC-6 Least Privilege | ||
| AC-14 Permitted Actions without Identification or Authentication | ||
| AC-16 Security and Privacy Attributes | ||
| AC-24 Access Control Decisions | ||
| PR.DS-4 Adequate capacity to ensure availability is maintained |
||
| AU-4 Audit Log Storage Capacity | ||
| CP-2 Contingency Plan | ||
| SC-5 Denial-of-Service Protection | ||
| PR.DS-5 Protections against data leaks are implemented |
||
| AC-4 Information Flow Enforcement | ||
| AC-5 Separation of Duties | ||
| AC-6 Least Privilege | ||
| PE-19 Information Leakage | ||
| PS-3 Personnel Screening | ||
| PS-6 Access Agreements | ||
| SC-7 Boundary Protection | ||
| SC-8 Transmission Confidentiality and Integrity | ||
| SC-13 Cryptographic Protection | ||
| SC-31 Covert Channel Analysis | ||
| SI-4 System Monitoring | ||
| PR.IP-9 Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed |
||
| CP-2 Contingency Plan | ||
| CP-7 Alternate Processing Site | ||
| CP-12 Safe Mode | ||
| CP-13 Alternative Security Mechanisms | ||
| IR-7 Incident Response Assistance | ||
| IR-8 Incident Response Plan | ||
| IR-9 Information Spillage Response | ||
| PE-17 Alternate Work Site | ||
| PR.MA-2 Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access |
||
| MA-4 Nonlocal Maintenance | ||
| PR.PT-3 The principle of least functionality is incorporated by configuring systems to provide only essential capabilities |
||
| AC-3 Access Enforcement | ||
| CM-7 Least Functionality | ||
| DE.DP-1 Roles and responsibilities for detection are well-defined to ensure accountability |
||
| CA-2 Control Assessments | ||
| CA-7 Continuous Monitoring | ||
| PM-14 Testing, Training, and Monitoring | ||
| RS.RP-1 Response plan is executed during or after an incident |
||
| CP-2 Contingency Plan | ||
| CP-10 System Recovery and Reconstitution | ||
| IR-4 Incident Handling | ||
| IR-8 Incident Response Plan | ||
| RS.CO-1 Personnel know their roles and order of operations when a response is needed |
||
| CP-2 Contingency Plan | ||
| CP-3 Contingency Training | ||
| IR-3 Incident Response Testing | ||
| IR-8 Incident Response Plan | ||
| RS.CO-4 Coordination with stakeholders occurs consistent with response plans |
||
| CP-2 Contingency Plan | ||
| IR-4 Incident Handling | ||
| IR-8 Incident Response Plan |