The NIST Privacy Framework

By Karen Greenhalgh, HCISPP, CHPC, CHC, 405(d) Task Group Member
July 1, 2020

Since the Cybersecurity Act of 2015 (CSA), cybersecurity is often considered to be the solution for protecting privacy. The healthcare industry, contending with HIPAA and increasing privacy regulation, is recognizing that cybersecurity and compliance programs are not structured to meet privacy needs. While good information security practices help manage privacy risk, those measures alone are not sufficient to address the full scope of privacy risks. The NIST Privacy Framework is designed to bridge the gap between information security and individual privacy, illustrated in Figure 1.

Recognizing the boundaries and overlap between privacy and security is key to determining when existing security-focused guidance may be applied to privacy concerns and to illuminating gaps that need to be filled to achieve data security. For example, existing information security guidance does not address the consequences of an inadequate consent mechanism for use of PII/PHI, what PII/PHI is being collected, or which changes in use of PII/PHI are permitted by authorized personnel. Entities cannot effectively manage privacy solely by managing security. Reducing cybersecurity risks by preventing unauthorized access will protect privacy but cannot protect against privacy risks which arise from authorized activity.

Cybersecurity risks arise from unauthorized activity

Through social engineering, a bad actor could trick an employee into revealing the login and password for the billing department, allowing the bad actor to divert patient payments. This cyberattack is a potential privacy breach due to unauthorized access which could expose patient information.

Unprotected medical devices may allow access into an entire network, placing data at risk of being compromised. Privacy risks which occur because of unauthorized activity may be mitigated by cybersecurity practices.

Privacy risks arise from authorized activity

Use and disclosure of PHI is strictly regulated; the Privacy Framework helps organizations manage the privacy risk of an impermissible use or disclosure. For example, what if hospital staff with permission to access the data share private information with the news media about a patient who happens to be famous?

Another example is a recent case investigated by OCR. One patient filed a complaint after receiving a hospital bill containing another patient’s PII. OCR’s investigation determined over 500 patients had their billing information merged with that of other patients. Though the bills only contained names, account numbers, and dates of service, OCR determined this was a privacy breach.

Privacy risks which occur because of authorized activity may not be prevented by cybersecurity practices.

Security Risk and Privacy Risk Management

The NIST Privacy Framework functions as a stand-alone tool but is specifically designed to work with the NIST Cybersecurity Framework (CSF). The CSF is so widely embraced by the healthcare industry that OCR released a crosswalk relating the HIPAA Security Rule with the CSF. A similar crosswalk aligning the Privacy and Breach Notification Rules with the NIST Privacy Framework is under consideration.

NIST has developed guidelines for risk-based privacy management by applying their widely accepted standards for identifying and managing security risks. NIST’s security and privacy risk models define the risk factors to be assessed, and the relationships among those factors.

NIST Security Risk Model

The Security Risk Model is focused on unauthorized activity creating a security risk, resulting in loss of confidentiality, integrity, or availability of information or systems, the familiar CIA Security Triad.

The Security Triad

  • Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
  • Integrity: guarding against improper information modification or destruction, which includes ensuring information non-repudiation and authenticity
  • Availability: ensuring timely and reliable access to and use of information

Security Risk Factors

  • Threat
  • Vulnerability
  • Likelihood
  • Impact

NIST Privacy Risk Model

The Privacy Risk Model is focused on authorized processing of PII/PHI (planned and permissible) creating a privacy risk, resulting in loss of predictability, manageability, or disassociability, NIST’s PMD Privacy Triad.

The Privacy Triad

  • Predictability: enabling reliable assumptions by individuals, owners, and operators about PII/PHI and its processing by an information system
  • Manageability: providing the capability for granular administration of PII including alteration, deletion, and selective disclosure
  • Disassociability: enabling the processing of PII or events without association to individuals or devices beyond the operational requirements of the system

Privacy Risk Factors

  • Likelihood
  • Problematic data action
  • Impact

Application of NIST’s extensive work concerning security and privacy risk management into an operational privacy framework has created a powerful tool, as illustrated in Figure 2. Privacy experts understand that data security and data privacy are not the same but share many objectives. Both are required for comprehensive data security. The NIST Privacy Framework methodology of assessing privacy with a risk-based and outcome-based approach, in alignment with the NIST CSF, allows healthcare entities to incorporate privacy and security into their enterprise risk management program. Designed through collaboration between NIST and healthcare industry leaders, the NIST Privacy Framework is a tool that may bridge the gap between security and privacy.

If you would like to learn how HICP maps to other frameworks like the NIST Cybersecurity Framework, click below to check out our new Threat Mitigation Matrix!