The National Institute of Standards and Technology privacy framework

The National Institute of Standards and Technology (NIST) has released a request for information for the NIST Privacy Framework: An Enterprise Risk Management Tool ("Privacy Framework").1 The purpose of the privacy framework is to improve management of privacy risk, which is a major gap across healthcare organizations today. A good privacy risk framework should “factor the extent to which the system and processes are vulnerable to problematic data actions as well as the likelihood of a problematic data action,” and2  adverse events. Moreover, the framework should take into account that organizations work with limited resources. Due to the resource limitation, “an important function of a risk assessment is to prioritize risk to enable determination about the appropriate response. Risk can be managed, but it cannot be eliminated.”3 The NIST recognizes that a good cybersecurity program can help protect ePHI and manage some privacy risks; however, privacy risk also emerges from the ways an organization collects, stores, shares, and uses ePHI.4 The NIST Privacy Framework is intended to “provide a prioritized, flexible, risk-based, outcome-based, and cost-effective approach that can be compatible with existing legal and regulatory regimes in order to be the most useful to organizations and enable widespread adoption.”5 The National Institute of Standards and Technology lists the following as the minimum attributes required for the NIST Privacy Framework to be effective:

  1. Consensus-driven and developed and updated through an open, transparent process.
  2. Common and accessible language.
  3. Adaptable to many different organizations, technologies, lifecycle phases, sectors, and uses.
  4. Risk-based, outcome-based, voluntary, and non-prescriptive.
  5. Readily usable as part of any enterprise’s broader risk management strategy and process.
  6. Compatible with or may be paired with other privacy approaches.
  7. A living document.6

The request for information contains 26 specific requests grouped into the following 3 categories:

  1. Organizational Considerations: What are the greatest challenges in improving the organization’s privacy protections, how the organization assesses privacy risks, what an outcome-based approach would look like, and should the NIST Privacy Framework mandate the use of specific standards, methodologies, tools, guidelines, or principles.7
  2. Structuring the NIST Privacy Framework: Whether aspects of the NIST Cybersecurity Framework could be a model for the Privacy Framework and what organizational structure is preferred for the Framework such as lifecycle, FIPPs (fair information practice principles), or the NIST privacy engineering objectives.8
  3. Specific Privacy Practices: De-identification; enabling users to have a reliable understanding of how information is being collected, stored, used, and shared; enabling user preferences; setting default privacy configurations; use of cryptographic technology to achieve privacy outcomes; data management, including: tracking permissions, metadata, machine readability, data correction and deletion; and usable design or requirements.9

At Imprivata, we believe these types of frameworks are extremely important. The request for information regarding the NIST Privacy Framework strongly suggests the National Institute of Standards and Technology intends to develop a framework focusing on a risk-based approach that can be widely adopted by organizations regardless of their business objectives or industry. Sources: 1 U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., Developing a Privacy Framework, 83 F.R. 56824, (Nov. 14, 2018), 2 U.S. Dept. of Commerce, Nat. Inst. of Std. & Tech., NISTR 8062: An Introduction to Privacy Engineering and Risk Management in Federal Systems 21-22 (Jan. 2017), 3 NIST, NISTR 8062 at 22. 4 NIST, Privacy Framework at 56824 5 NIST, Privacy Framework at 56824 6 NIST, Privacy Framework at 56825 7 NIST, Privacy Framework at 56826 8 NIST, Privacy Framework at 56826 9 NIST, Privacy Framework at 56826