Unveiling the Updates: Navigating NIST SP 800-66 Rev 2 

 By Angela Fitzpatrick 

With the release of NIST SP 800-66 Rev 2, titled "Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide," the guide has been substantially updated to keep pace with an ever-evolving threat landscape and advances in technology. Revision 2 dives deeper into risk management frameworks, advocating a robust, nuanced approach to securing electronic protected health information (ePHI).

In this blog, we will provide a comprehensive comparison between Revision 1 and Revision 2, highlighting the key differences, improvements, and impacts on organizations. 

Key Differences 

NIST 800-66 Revision 1 provided a foundational resource guide for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, focusing on security safeguards. Version 1 was commonly used by organizations seeking clarity on the Rule and its implementation. 

In contrast, Revision 2 broadens the scope, offers practical advice, and provides resources that organizations can use to better understand the HIPAA Security Rule and make it easier to implement. Version 2 emphasizes safeguarding ePHI held or maintained by regulated entities. 

Overall, these changes enhance the document's clarity, utility, and convenience for organizations implementing the HIPAA Security Rule. 

Three key changes stand out:
  • Electronic protected health information (ePHI) has been explicitly identified as data that must be protected.
  • Risk tolerance and risk appetite should be clearly defined and weighted. Risk mitigation and management efforts must be tailored appropriately.
  • A regulated entity does not remove risk to ePHI by outsourcing to, or partnering with, a business associate or contracted workforce. The regulated entity remains responsible for the protection of ePHI, and it is the entity's responsibility to ensure that workforce members, business associates, and other stakeholders adhere to and support compliance efforts.

Here are some of the notable changes between the revisions:
  • The Executive Summary and Introduction sections have been substantively revised to highlight specific details, including an increased emphasis on protecting ePHI. 
  • The table of Security Rule standards and implementation specifications is introduced in the second revision, enhancing Section 2 of the document. Additionally, Section 2 highlights the importance of Business Associate Agreements including clearly defined, robust cybersecurity requirements that are acknowledged by both the covered entity and the business associate. 
  • Risk Assessment, initially part of Appendix E in rev 1, is now distinctly outlined as Section 3 in rev 2. The content aligns with SP 800-30 and the NIST IR 8286 series of documents. 
  • The Risk Management section has transitioned to Section 4 in rev 2, and stresses the importance of managing risk to ePHI based on an organization’s risk appetite and risk tolerance statements. 
  • Section 5, "Considerations When Applying the HIPAA Security Rule," has been updated with additional descriptions and sample questions. This section contains the most relevant changes and clarifications for healthcare organizations to consider.
  • Revision 2 introduces a new Appendix C for risk assessment tables, and an Appendix E to explain the NIST Online Informative Reference (OLIR) Program. 
  • Appendix F has been added to list HIPAA Security Rule resources by topic. This information has also been made available online for easy reference. 
  • The Contingency Planning Guidelines, the resources for secure remote use and access, and the telework security considerations, previously in Appendices G, H, and I respectively, have been removed in Revision 2, reflecting the evolving security landscape and the need for more robust cybersecurity measures.

Several improvements were made in Revision 2, including updates to control requirements, system categorization, and security assessment methodology. These changes are designed to strengthen the security posture of organizations and address current security concerns. The updates in Revision 2 require organizations to reassess their security measures and make the necessary adjustments to ensure compliance with the updated guidelines.  

In conclusion, the transition to NIST 800-66 Revision 2 signifies a step forward in advancing cybersecurity measures within organizations. The updated guidelines offer practical solutions to address current security challenges and serve as a valuable resource for securing critical systems and infrastructure. 

How Meditology Can Help  

As an organization operating within the healthcare sector—be it a provider, payer, or business associate—you are obligated to adhere to the Security Rule requirement under HIPAA, necessitating the regular conduct of a risk analysis. To assist you in this critical task, we offer risk assessment options designed to ensure your ongoing HIPAA compliance. Our risk assessments help you identify and mitigate potential threats. They also help you identify and preemptively address risks to patient data before they evolve into costly incidents. Take the first step towards strong cybersecurity with us and experience the peace of mind that comes with comprehensive risk management.  

Our risk assessment solutions include: 

  • Security Risk Assessments (SRA) using industry standards (e.g., NIST CSF, NIST 800-53, etc.) 
  • SRA combined with HITRUST or SOC 2 
  • Due Diligence and Mergers and Acquisitions Assessments 
  • Privacy Risk Assessments 
  • Risk management program and strategy development (e.g., ongoing monitoring of risk, risk metrics, etc.) 

Meditology Services is a leading provider of risk management, cybersecurity, and regulatory compliance consulting services that is exclusively focused on serving the healthcare community. More than a provider of services, Meditology is a strategic partner committed to providing our clients actionable solutions to achieve their most pressing objectives. With experience serving healthcare organizations ranging in size, structure, and operational complexity, we uniquely understand the challenges our clients face every day and dedicate ourselves to helping solve them. 

Together with our sister company, CORL Technologies, we serve hundreds of leading healthcare payers, providers, and business associates across the United States. 

Angela is an experienced Vice President of Delivery Operations who leads the firm’s IT Risk Management services practice. For more than a decade, Angela has managed critical technology, security, and privacy initiatives in a variety of healthcare settings. Angela’s strong track record includes experience developing complete security programs, leading security breach response efforts, and building audit functions. In addition to her security expertise, Angela has on-premises experience as a healthcare clinician and biomedical program manager, providing valuable insight into the operational workings of the healthcare industry.  
