Healthcare security and privacy breaches are occurring in the United States (US), and they increased substantially during the pandemic. This paper reviews the National Institute of Standards and Technology (NIST) publication base as an effective solution. NIST Special Publication 800-66 Revision 1 was an essential standard in US healthcare; it was withdrawn in February 2024 and superseded by SP 800-66 Revision 2. This review investigates the academic papers concerning the application of the NIST SP 800-66 Revision 1 standard in the US healthcare literature. A systematic review method was used in this study to determine current knowledge gaps regarding SP 800-66 Revision 1. Search limitations were applied to enforce validity. A total of eleven articles were found eligible for the study. Consequently, this study suggests the necessity for additional academic papers pertaining to SP 800-66 Revision 2 in the US healthcare literature. In turn, this will enhance awareness of safeguarding electronic protected health information (ePHI), help to mitigate potential future risks, and eventually reduce breaches.