Hmmm. The stuff for HIPAA isn’t great. If this is meant to actually be of value to covered entities and business associates then NIST CSF (and related) is the benchmark to use.
There are known gaps in HIPAA per OCR. The actual expectation is that entities identify these gaps under the annual risk management mandate, thus the more frequently updated NIST is what’s preferred (or even HITRUST…yuck)
https://www.hhs.gov/hipaa/for-professionals/security/nist-se...
Feel free to check out OCR's resolution agreements as well for details. They are all online.