June 22, 2021 // Dan Fabbri
Last Updated: August 13, 2021
The National Institute of Standards and Technology (NIST) has released a request for information for the NIST Privacy Framework: An Enterprise Risk Management Tool (“Privacy Framework”).[1] The purpose of the privacy framework is to improve management of privacy risk, which is a major gap across healthcare organizations today.
A good privacy risk framework should “factor the extent to which the system and processes are vulnerable to problematic data actions as well as the likelihood of a problematic data action,”[2] and adverse events. Moreover, the framework should take into account that organizations work with limited resources. Due to the resource limitation, “an important function of a risk assessment is to prioritize risk to enable determination about the appropriate response. Risk can be managed, but it cannot be eliminated.”[3]
The NIST recognizes that a good cybersecurity program can help protect ePHI and manage some privacy risks; however, privacy risk also emerges from the ways an organization collects, stores, shares, and uses ePHI.[4] The NIST Privacy Framework is intended to “provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach that can be compatible with existing legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption.”[5]
The National Institute of Standards and Technology lists the following as the minimum attributes required for the NIST Privacy Framework to be effective:
The request for information contains 26 specific requests grouped into the following 3 categories:
At SecureLink, we believe these types of frameworks are extremely important. The request for information regarding the NIST Privacy Framework strongly suggests the National Institute of Standards and Technology intends to develop a framework focusing on a risk-based approach that can be widely adopted by organizations regardless of their business objectives or industry.
[1] U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., Developing a Privacy Framework, 83 F.R. 56824 (Nov. 14, 2018), https://www.federalregister.gov/documents/2018/11/14/2018-24714/developing-a-privacy-framework.
[2] U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., NISTIR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems 21-22 (Jan. 2017), https://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf.
[3] NIST, NISTIR 8062 at 22.
[4] NIST, Privacy Framework at 56824.
[5] NIST, Privacy Framework at 56824.
[6] NIST, Privacy Framework at 56825.
[7] NIST, Privacy Framework at 56826.
[8] NIST, Privacy Framework at 56826.
[9] NIST, Privacy Framework at 56826.