Healthcare, financial services, and manufacturing organizations handle sensitive data, so many of them are subject to regulatory or contractual IT security requirements. Some industries are more strictly regulated than others.

NIST, CIS, and HHS each publish IT security standards; the ones most often cited are NIST SP 800-171, the CIS Benchmarks, and HIPAA. They are different kinds of bodies: NIST is a non-regulatory federal agency that publishes standards and guidelines across science and technology, CIS is a nonprofit that publishes consensus-based security controls and configuration benchmarks, and HHS is the regulator that administers and enforces HIPAA. The NIST controls overlap many of those found in CIS and HIPAA, easing the path to compliance with multiple standards. Here is a look at each.

NIST — National Institute of Standards and Technology

NIST develops cybersecurity standards and guidelines that are mandatory for federal agencies and, by contract, for organizations that handle federal data.

NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, specifies the security requirements for non-federal organizations that process, store, or transmit controlled unclassified information (CUI) in their own systems. Its requirement families cover areas such as access control, audit and accountability, and incident response, so it also defines what a contractor must do to handle, track, and report security incidents. Compliance is enforced through contracts rather than by NIST itself: for example, the DFARS clause 252.204-7012 requires defense contractors that handle CUI to implement NIST SP 800-171, to report cyber incidents to DoD within 72 hours, and to flow the requirement down to their subcontractors, which is how it reaches subcontractors and sub-subcontractors. Companies outside the federal supply chain also adopt it voluntarily because its requirements are a sound baseline for protecting business data.

CIS — Center for Internet Security

The Center for Internet Security publishes two main products: the CIS Critical Security Controls and the CIS Benchmarks.

In version 7 of the Critical Security Controls, the 20 controls are split into three groups (version 8 reorganized them into 18 controls with three Implementation Groups, IG1 to IG3, in place of this grouping). Examples from each group:

1. Basic CIS Controls (1 to 6) include:
● Inventory and Control of Software Assets
● Controlled Use of Administrative Privileges
● Maintenance, Monitoring and Analysis of Audit Logs

2. Foundational CIS Controls (7 to 16) include:
● Email and Web Browser Protections
● Malware Defenses
● Limitation and Control of Network Ports, Protocols, and Services

3. Organizational CIS Controls (17 to 20) include:
● Application Software Security
● Incident Response and Management
● Penetration Tests and Red Team Exercises

CIS Benchmarks are consensus-developed configuration standards for specific operating systems, applications, cloud platforms, and network devices. Default, out-of-the-box configurations are tuned for ease of setup rather than security, and commonly leave unnecessary services, permissive defaults, and weak settings in place. Applying the benchmark recommendations to each system significantly reduces that exposure.

CIS has two levels of benchmarks.

Level 1 benchmarks are the baseline: settings intended to reduce the attack surface quickly without hindering business functionality or usability.

Level 2 benchmarks build on Level 1 with stricter, defense-in-depth settings for environments where security is paramount. Some Level 2 settings can reduce functionality, so they should be tested before being rolled out.
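As an added example (not code from the original page, CIS, or BKS), the POSIX shell script below audits an sshd_config file against a few CIS-style SSH settings and labels each check with a benchmark level. The two sample configurations are constructed for the example, and the Level 1 / Level 2 labels follow common CIS Linux benchmark profiles but are illustrative assumptions; the exact recommendations and levels depend on your platform and benchmark version.

```shell
#!/bin/sh
# Added example, not CIS or BKS code: a minimal CIS-style audit of sshd_config.
# Sample configs are constructed; level labels are illustrative assumptions.

# write_sample_config FILE weak|hardened : write a constructed sshd_config.
write_sample_config() {
    if [ "$2" = "hardened" ]; then
        cat > "$1" <<'EOF'
# constructed hardened sshd_config (example data, not from a real host)
Port 22
PermitRootLogin no
MaxAuthTries 4
PermitEmptyPasswords no
X11Forwarding no
EOF
    else
        cat > "$1" <<'EOF'
# constructed out-of-the-box style sshd_config (example data, not from a real host)
Port 22
PermitRootLogin yes
MaxAuthTries 6
PermitEmptyPasswords yes
X11Forwarding yes
EOF
    fi
}

# ssh_value FILE KEY : print the effective value of KEY, or nothing if unset.
# Keywords are case-insensitive and sshd uses the FIRST occurrence of a keyword,
# so later duplicates are ignored (Match blocks are not handled in this example).
ssh_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == tolower(key) && !found { print $2; found = 1 }
    ' "$1"
}

# check LEVEL KEY ACTUAL EXPECTED : print one PASS/FAIL line, return 1 on FAIL.
# EXPECTED of the form "<=N" is a numeric ceiling; anything else is an exact match.
check() {
    ok=no
    case $4 in
        "<="*) if [ "$3" -le "${4#<=}" ]; then ok=yes; fi ;;
        *)     if [ "$3" = "$4" ]; then ok=yes; fi ;;
    esac
    if [ "$ok" = yes ]; then
        echo "PASS L$1 $2=$3"
        return 0
    fi
    echo "FAIL L$1 $2=$3 (want $4)"
    return 1
}

# audit_sshd FILE : run the checks, print a report, return the number of failures.
# When a keyword is absent the OpenSSH default is used as the effective value.
audit_sshd() {
    fails=0
    v=$(ssh_value "$1" PermitRootLogin)
    check 1 PermitRootLogin "${v:-prohibit-password}" no || fails=$((fails + 1))
    v=$(ssh_value "$1" MaxAuthTries)
    check 1 MaxAuthTries "${v:-6}" "<=4" || fails=$((fails + 1))
    v=$(ssh_value "$1" PermitEmptyPasswords)
    check 1 PermitEmptyPasswords "${v:-no}" no || fails=$((fails + 1))
    v=$(ssh_value "$1" X11Forwarding)
    check 2 X11Forwarding "${v:-no}" no || fails=$((fails + 1))
    echo "SUMMARY failures=$fails"
    return "$fails"
}

# Stand-alone demo: audit a constructed weak config, then its hardened version.
main() {
    tmp=${TMPDIR:-/tmp}/cis-ssh-demo.$$
    write_sample_config "$tmp.weak" weak
    write_sample_config "$tmp.hardened" hardened
    echo "== weak (out-of-the-box style) =="
    audit_sshd "$tmp.weak" || echo "(weak config needs remediation)"
    echo "== hardened =="
    audit_sshd "$tmp.hardened" || echo "(hardened config still has gaps)"
    rm -f "$tmp.weak" "$tmp.hardened"
}

main "$@"
```

Run it as `sh audit.sh`: the weak configuration fails all four checks and the hardened one passes. Against a real host you would point `audit_sshd` at `/etc/ssh/sshd_config` (and extend the checks from the benchmark for that platform); the non-zero return code makes the audit easy to gate in a build pipeline or a configuration-management run.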

CIS develops its controls and benchmarks by consensus among practitioners from government, business, industry, and academia, and they are widely used in heavily regulated industries such as healthcare, government, and financial services.

HIPAA — Health Insurance Portability and Accountability Act

HIPAA regulates two types of organizations.
● Covered Entities: health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. These organizations create, receive, maintain, or transmit Protected Health Information (PHI), including its electronic form (ePHI).
● Business Associates: any organization that creates, receives, maintains, or transmits PHI while performing services on behalf of a covered entity, including billing agencies, practice management firms, EHR platforms, and email hosting services.

The HIPAA Privacy Rule applies primarily to covered entities. It sets the standards for patients' rights to access their PHI, the limited grounds on which a provider may deny access, the permitted uses and disclosures of PHI, and the content of authorization forms and Notices of Privacy Practices. Business associates are bound to its use-and-disclosure limits through their business associate agreements and, since the Omnibus Rule, are directly liable for violating them.

Both covered entities and business associates must comply with the HIPAA Security Rule, the Breach Notification Rule, and the Omnibus Rule.

● The Security Rule sets the administrative, physical, and technical safeguards required to protect the confidentiality, integrity, and availability of ePHI.
● The Breach Notification Rule requires notification of affected individuals and the HHS Office for Civil Rights (OCR) for every breach of unsecured PHI, large or small. Breaches affecting 500 or more individuals must be reported to OCR without unreasonable delay and no later than 60 days after discovery (and to prominent media outlets when more than 500 residents of one state or jurisdiction are affected); smaller breaches may be logged and reported to OCR annually. A business associate reports the breach to the covered entity, which notifies the individuals.
● The Omnibus Rule (2013) implemented the HITECH Act changes, extending direct liability under HIPAA to business associates and setting out the required content of Business Associate Agreements.

HIPAA compliance requires periodic self-audits, including a risk analysis, to identify gaps against the privacy and security standards; a documented remediation plan for each gap; written policies and procedures; and documented workforce training on those policies (annual training is the common practice). Covered entities and business associates must keep a record of every vendor with whom they share PHI and have a Business Associate Agreement in place with each one. If a breach occurs, they must have a process to document it and to notify the individuals whose unsecured PHI was compromised.


BKS Cyber Security and Compliance Services

Regulatory compliance in sensitive industry sectors is ongoing and labor-intensive. You can save money and time by using a security and compliance service such as BKS.

BKS Managed IT Consultant combines a team of IT security veterans with purpose-built threat-monitoring platforms that identify malicious and suspicious activity. Regulations require healthcare, financial, and manufacturing organizations to develop IT protocols for everything from email to disaster recovery, and BKS draws on over 20 years of compliance experience to help clients keep those protocols up to date. Trust your compliance needs to BKS.