Using NIST Special Publications (SP) 800-171r2 and 800-172/800-172A to assess and evaluate the Cybersecurity posture of Information Systems in the Healthcare sector

Abstract

This paper describes how NIST Special Publications (SP) 800-171r2 (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations), SP.800-172 (Enhanced Security Requirements for Protecting Controlled Unclassified Information) and SP.800-172A (Assessing Enhanced Security Requirements for Controlled Unclassified Information) can be used to evaluate the cybersecurity posture of information systems and supporting frameworks relative to HIPAA and HITECH . It will demonstrate that provisions and baseline security requirements outlined in SP.800-171r2 and SP.800-172/172A for the protection of Controlled Unclassified Information (CUI) can be applied to Electronic Protected Health Information (ePHI). An explanation of how these publications align with HIPAA and how this alignment suffices for evaluating IT environment security will be given along with the process and procedure for performing such evaluation. Finally, the benefits of using this approach to support formal risk assessment will be presented.