In February 2016, DHHS/OCR released a “crosswalk” that maps the HIPAA Security Rule to the NIST CSF. This is a first for OCR, in that more prescriptive security controls are identified through alignment with the NIST CSF. According to OCR:

“Congress, in both the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) as well as the Cybersecurity Information Sharing Act of 2015 (CISA), called for guidance on implementation of NIST frameworks. In response, this crosswalk provides a helpful roadmap for HIPAA covered entities and their business associates to understand the overlap between the NIST Cybersecurity Framework, the HIPAA Security Rule, and other security frameworks that can help entities safeguard health data in a time of increasing risks. The crosswalk also supports the President’s Cybersecurity National Action Plan (CNAP) by encouraging HIPAA covered entities and their business associates to enhance their security programs, increase cybersecurity awareness, and implement appropriate security measures to protect ePHI.”

The Federal Government is moving quickly to ensure that the appropriate agencies (e.g. the Department of Health and Human Services, the Department of Energy) are adopting or aligning with the NIST CSF for internal use and recommending it to their regulatory constituents. To that end, covered entities and business associates now have a DHHS/OCR-sanctioned approach for evaluating the appropriateness and reasonableness of security controls, using the NIST CSF together with other risk management frameworks (e.g. NIST SP 800-37). This gives a better understanding of potential security gaps and helps in identifying the appropriate risk response to close them.

A short primer on the framework implementation:

  1. The NIST CSF uses a seven-step implementation process for capturing information about cybersecurity program adoption and information risk management. It borrows techniques from Enterprise Architecture to describe the as-is or “current” state of the program.
  2. Once the “Current Profile” is established, the organization must determine how much cybersecurity is enough, based on organization size, complexity and budget. The CSF has a category called Implementation Tiers that defines several levels of cybersecurity capability. One of these tiers will be selected to establish a to-be or “Target Profile.”
  3. This, in turn, requires a gap analysis to establish the policies, procedures and controls needed to reach the target. Ideally, the result is captured in an action plan, strategic plan or roadmap.

Unlike many proprietary cybersecurity frameworks or, indeed, “controls checklist” approaches, the NIST CSF has been developed for application across all vertical industries and provides a means of establishing a new cybersecurity program or improving an existing one. It is relatively simple in construct, it is cost-effective, and it is gaining momentum. This is just the beginning.

At Clearwater Compliance, our NIST-based IRM|Pro™ software suite is the most powerful, proven methodology on the market today for helping organizations successfully respond to HIPAA-HITECH requirements. Come see why IRM|Pro™ has been trusted by hundreds of organizations to help them meet their HIPAA compliance requirements and beyond.

Rich Curtiss

Principal Consultant at Clearwater Compliance
Mr. Curtiss has over 35 years of diverse, executive IT experience across several verticals including Healthcare, Finance, Department of Defense, Intelligence Community and Consulting Services. Rich has served in executive information technology and cybersecurity positions as a CIO, CISO, Director and Program Manager. He's a member of the Clearwater consulting team.