Cybersecurity Gap Management for Healthcare: OCR Crosswalk between HIPAA Security Rule and NIST Cybersecurity Framework

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has released its HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework (Crosswalk), a tool to help covered entities and business associates strengthen their HIPAA Security Rule posture.  The Crosswalk maps each Security Rule standard and implementation specification to the corresponding portion of the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework).  Using the Crosswalk and aligning to the NIST Framework are voluntary and do not by themselves establish Security Rule compliance, but the mapping gives regulated entities a structured way to identify gaps in their safeguards.

Crosswalk Background

The numbers are alarming: OCR reports that 91% of healthcare organizations (covered entities and business associates) have reported a data breach over the past two years, and the healthcare industry has accounted for more than 40% of data breaches over the past three years.  Electronic healthcare data, including electronic protected health information ("ePHI"), are more available, and more valuable, than ever.  Not only does a health record contain traditional data elements that thieves can easily monetize (such as Social Security numbers, financial information, and demographic data), but it also includes information that allows third parties to obtain and bill for healthcare in someone else's name.  The potential for financial and reputational damage alone is troubling.  Add the risk of medical identity theft, and the attendant danger to a patient's health and life when treatment decisions are based on a record mixed with an impostor's data, and it is more important than ever for healthcare organizations to implement reasonable and appropriate administrative, physical, and technical safeguards for ePHI.

While many healthcare organizations are working hard on Security Rule compliance, there is not always a straight path forward.  For example, the Security Rule mandates a risk analysis as an administrative safeguard for ePHI:  it is a required implementation specification for a regulated entity's security management process.  (45 CFR 164.308(a)(1)(ii)(A)).  While the Security Rule tells us what a risk analysis is – an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of ePHI – it does not tell us how to perform the task, and in fact is utterly silent on the specifics beyond stating that a healthcare organization may use "any security measures" that allow it to "reasonably and appropriately" implement Security Rule requirements. (45 CFR 164.306(b)). 
Therefore, while a regulated entity knows it must perform a risk analysis, and understands the approach can be flexible according to the entity's size, complexity, and capabilities and the nature and extent of the ePHI at issue, it is otherwise left to its own devices to discern how to put the rule into practice.  This is the case for other Security Rule implementation specifications, as well.

While the Security Rule itself does not provide detailed implementation guidance, healthcare organizations are not without critical resources.  One important source of compliance help is the National Institute of Standards and Technology (NIST).  NIST is a non-regulatory federal agency within the U.S. Department of Commerce that works, among other things, to advance state-of-the-art IT in areas such as cybersecurity.  In February 2013, President Obama charged NIST to collaborate with the private sector and develop a framework for reducing cyber-risks to critical infrastructure across industries.[1]   After a year-long, open process involving public and private organizations, NIST released the NIST Framework in February 2014.

The NIST Framework is a set of voluntary, risk-based standards and best practices to help organizations across industries, of all sizes, risk and vulnerability profiles, and degrees of technical sophistication, address cybersecurity within their overall risk management process.  Business drivers guide cybersecurity activities.  The NIST Framework consists of three parts: the Framework Core, Framework Profiles, and Framework Implementation Tiers.  Most important for purposes of the Crosswalk is the Framework Core, a set of cybersecurity activities, outcomes, and informative references common across industries.[2]  The Core consists of, among other things:

  • Five concurrent and continuous “Functions”: Identify, Protect, Detect, Respond, and Recover.  Functions organize basic cybersecurity activities from the top down.[3]  Considered together, the Functions provide a “high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.”[4]
  • “Categories,” which subdivide Functions into “groups of cybersecurity outcomes closely tied to programmatic needs and particular activities.”[5]
  • “Subcategories,” which divide Categories into “specific outcomes of technical or management activities.”[6]
While the NIST Framework organizes and structures multiple approaches to cybersecurity, NIST cautions:
The Framework is not a one-size-fits-all approach to managing cybersecurity risk for critical infrastructure. Organizations will continue to have unique risks – different threats, different vulnerabilities, different risk tolerances – and how they implement the practices in the Framework will vary. Organizations can determine activities that are important to critical service delivery and can prioritize investments to maximize the impact of each dollar spent. Ultimately, the Framework is aimed at reducing and better managing cybersecurity risks.

Another important source of support for Security Rule compliance is the Office of the National Coordinator for Health Information Technology (ONC).  ONC collaborates with the public and private sectors to develop and implement strategies to advance health IT and information use.  Through its portal, ONC works to enhance the nation’s health IT infrastructure.

The Crosswalk

OCR worked with NIST and ONC to create the Crosswalk, which maps each Security Rule administrative, physical, and technical safeguard standard and implementation specification to a relevant NIST Framework Subcategory, as well as to other commonly used security frameworks.[8]  For example, the Crosswalk maps the NIST Framework “Risk Assessment” Category to the Security Rule “risk analysis” requirement[7] as follows:


Risk Assessment (ID.RA): The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.

ID.RA-1: Asset vulnerabilities are identified and documented
  • CCS CSC 4
  • COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
  • ISA 62443-2-1:2009 4.2.3, …
  • ISO/IEC 27001:2013 A.12.6.1, A.18.2.3
  • NIST SP 800-53 Rev. 4 CA-2, CA-7, CA-8, RA-3, RA-5, SA-5, SA-11, SI-2, SI-4, SI-5
  • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(A), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.310(a)(1), 164.312(a)(1), 164.316(b)(2)(iii)

ID.RA-2: Threat and vulnerability information is received from information sharing forums and sources
  • ISA 62443-2-1:2009 4.2.3, …
  • ISO/IEC 27001:2013 A.6.1.4
  • NIST SP 800-53 Rev. 4 PM-15, PM-16, SI-5
  • HIPAA Security Rule: No direct analog[9]

ID.RA-3: Threats, both internal and external, are identified and documented
  • COBIT 5 APO12.01, APO12.02, APO12.03, APO12.04
  • ISA 62443-2-1:2009 4.2.3, …
  • NIST SP 800-53 Rev. 4 RA-3, SI-5, PM-12, PM-16
  • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(D), 164.308(a)(3), 164.308(a)(4), 164.308(a)(5)(ii)(A), 164.310(a)(1), 164.310(a)(2)(iii), 164.312(a)(1), 164.312(c), 164.312(e), 164.314, 164.316

ID.RA-4: Potential business impacts and likelihoods are identified
  • COBIT 5 DSS04.02
  • ISA 62443-2-1:2009 4.2.3, …
  • NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-9, PM-11, SA-14
  • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(i), 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(6), 164.308(a)(7)(ii)(E), 164.308(a)(8), 164.316(a)

ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
  • COBIT 5 APO12.02
  • ISO/IEC 27001:2013 A.12.6.1
  • NIST SP 800-53 Rev. 4 RA-2, RA-3, PM-16
  • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(A), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(7)(ii)(D), 164.308(a)(7)(ii)(E), 164.316(a)

ID.RA-6: Risk responses are identified and prioritized
  • COBIT 5 APO12.05, APO13.02
  • NIST SP 800-53 Rev. 4 PM-4, PM-9
  • HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(1)(ii)(B), 164.314(a)(2)(i)(C), 164.314(b)(2)(iv)

(Source: Crosswalk, pp. 7-9.  The ISA 62443-2-1:2009 entries cite further subsections of 4.2.3 that did not survive extraction and are not reproduced here.)

The Crosswalk is a useful tool to help covered entities and business associates understand the overlap between the Security Rule and the NIST Framework, identify gaps in their Security Rule compliance, and manage risk more comprehensively.  While OCR intends the Crosswalk to serve as an “informative reference,” it cautions covered entities and business associates that neither the mappings in the Crosswalk nor the NIST Framework guarantees Security Rule compliance.  A Subcategory with a mapped citation still has to be assessed against the entity's own environment, and a Subcategory with no Security Rule analog (such as ID.RA-2) may still be a reasonable and appropriate safeguard.  Healthcare organizations must therefore perform their own risk analysis to identify and mitigate threats to ePHI.

Ice Miller’s Data Security and Privacy Practice helps clients evaluate the threat environment and assess risk. We work with clients to help them implement a strong data security and privacy program. Kim Metzger is a partner in Ice Miller's Litigation and Intellectual Property Group. She focuses her practice on Data Security & Privacy, and Drug & Device Litigation. She is a Certified Information Privacy Professional (CIPP/US) and Certified Information Privacy Manager (CIPM) through the IAPP.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances. 

[1] Executive Order 13636, Improving Critical Infrastructure Cybersecurity, DCPD-201300091, February 12, 2013.
[2] The Core provides detailed guidance for developing individual organizational Profiles, which help organizations align cybersecurity activities to business requirements, resources, and risk tolerance.  Finally, Tiers allow organizations to view and understand their approach to managing cybersecurity risk.
[3] NIST Framework, p. 7. 
[4] Id., p. 4.
[5] Id., p. 7. 
[6] Id., p. 8.
[7] Risk Assessment is part of the NIST Framework’s “Identify” (ID) Function.  “ID.RA” stands for the “Identify [Function].Risk Assessment [Category].”
[8] Mappings to other standards come from the NIST Framework, Appendix A, and are provided for reference.
[9] Even though there is no direct analog, while performing their HIPAA Security Rule required risk analysis, organizations should consider whether participating in cyber-threat sharing programs is reasonable and appropriate to reduce their security risk.  
