Software Engineering Institute

This technical note provides a description of the methodology used and observations made while mapping the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the practice questions found in the CERT® Cyber Resilience Review (CRR). The mapping that emerged allows health care and public health organizations to use CRR results not only to gauge their cyber resilience, but to examine their current baseline with respect to the HIPAA Security Rule and the NIST Cybersecurity Framework (CSF). Both the CRR and HIPAA Security Rule have been mapped to the NIST CSF. The authors used these mappings and their extensive experience with CRRs to propose the mapping found in this technical note. The mappings between the CRR practices and the HIPAA Security Rule are intended to be informative and do not imply or guarantee compliance with any laws or regulations. The proposed mapping shows that the CRR provides complete coverage of the HIPAA Security Rule. As a result, organizations that must adhere to the HIPAA Security Rule can use the CRR to indicate their compliance with the Security Rule.