search menu icon-carat-right cmu-wordmark

SEI CERT Division Maps HIPAA Security Rule to Cyber Resilience Review

SEI CERT Division Maps HIPAA Security Rule to Cyber Resilience Review

April 02, 2018—Since 2005, organizations that create, receive, transmit, and store electronic protected health information (ePHI) have been charged with safeguarding that information. This requirement was mandated by the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. But in an environment of new and evolving threats, is compliance with the HIPAA Security Rule alone still good enough?

“Compliance with any legislation is a problem when it comes to fast- moving areas such as cybersecurity,” said Matthew Trevors, a member of the Cybersecurity Assurance team in the SEI’s CERT Division. “How can a static piece of legislation, like HIPAA, prepare organizations for future threats?”

To help organizations not only meet HIPAA requirements but also assess larger issues of cybersecurity preparedness and resilience, Trevors, his SEI colleague Robert Vrtis (also a member of the CERT Cybersecurity Assurance team), and Greg Porter of the Carnegie Mellon University Heinz College, recently collaborated on a mapping of the HIPAA Security Rule to the SEI Cyber Resilience Review (CRR), a no-cost, non-technical, voluntary assessment tool created by the SEI for the Department of Homeland Security (DHS). The CRR is designed to evaluate an organization’s operational resilience and cybersecurity practices. The team’s mapping of the HIPAA Security Rule to the CRR has just been published as an SEI Technical Note.

“We wanted to provide small and mid-sized organizations the ability to use a one-day, lightweight assessment tool to help them develop a plan for HIPAA Security Rule compliance and also to improve their cyber resilience,” said Vrtis. “These organizations often lack the resources to initiate comprehensive assessment programs.”

According to Vrtis, the CRR can be a useful tool for organizations preparing for a regulatory evaluation, and it is particularly useful for identifying potential gaps in their programs. “We felt it was important to emphasize that regulatory compliance alone is not sufficient to implement a robust cybersecurity management program,” he said.

By understanding these gaps, organizations can begin creating processes to improve their security and resilience. “Just as good health emerges from healthy activities, exercise, good diet, rest, and avoiding risky behaviors, so too does cyber resilience and security result from good practices, such as asset management, incident management, training, and awareness,” said Vrtis.

Though the SEI designed the CRR as a facilitated assessment, the SEI has produced a self-assessment at the request of DHS. “We would recommend a facilitated assessment with DHS,” said Vrtis, “and then use the self-assessment to monitor progress toward identified goals.” Interested organizations should visit the website for the DHS Critical Infrastructure Cyber Community Voluntary Program for information on how to request a CRR as well as where to find the CRR self-assessment.

Vrtis stressed that the Security Rule-CRR mapping is not intended as an alternative interpretation of the HIPAA Security Rule. “Our intent,” he said, “was to simplify an organization’s efforts to not only assess their compliance with the security rule but to build a comprehensive cyber resilience program.”

To download a copy of the HIPAA Security Rule-CRR mapping, visit