NIST seeks comments on better protecting health information

The National Institute of Standards and Technology is requesting comments to help providers and other healthcare organizations protect individual privacy.

The agency has also issued a preliminary draft of its Privacy Framework, a tool for improving privacy through enterprise risk management processes, following a year of public conversations with stakeholders.


“The document aims to help organizations with a tricky task: maximizing beneficial uses of data while minimizing privacy problems for individuals,” NIST notes. “While data can enhance airport security, develop social connections or serve myriad other positive purposes, inadequate data management can result in a range of problems for individuals. In turn, these problems can affect an organization’s reputation and bottom line.”


NIST hopes the guidance will help providers develop strategies that lower privacy risks while still accomplishing their missions, including a way for organizations to have productive dialogues about the privacy risks arising from their products or services.

“We see privacy as something that safeguards human values like dignity and autonomy,” says Naomi Lefkovitz, senior policy advisor at NIST. “It’s a challenging topic because we have so many individual and societal conceptions of what privacy means.”

When it comes to digital information, however, protecting privacy can mean controlling how personal information is used or hiding it from view altogether. Lefkovitz suggests a health organization could use cryptography or de-identification techniques to limit the inferences that can be made about people from their online behavior or digital transactions.
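As an added illustration of the two techniques Lefkovitz mentions (this is example code written for this page, not code from NIST or from the draft framework), the Python below pseudonymizes a direct identifier with a keyed hash and generalizes the remaining quasi-identifiers, then measures how well the result limits inferences. The patient records, the medical record number (MRN) format, the pseudonymization key and the 16-hex-character pseudonym length are all constructed assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (hypothetical, not real patients).
# "mrn" is a direct identifier; "zip" and "dob" are quasi-identifiers
# that, combined, single a person out; "dx" is the sensitive attribute.
RECORDS = [
    {"mrn": "A1001", "zip": "20899", "dob": "1961-03-14", "dx": "diabetes"},
    {"mrn": "A1002", "zip": "20877", "dob": "1968-11-02", "dx": "asthma"},
    {"mrn": "A1003", "zip": "20850", "dob": "1965-07-30", "dx": "diabetes"},
    {"mrn": "A1004", "zip": "21201", "dob": "1990-01-09", "dx": "hypertension"},
    {"mrn": "A1005", "zip": "21230", "dob": "1994-05-21", "dx": "hypertension"},
    {"mrn": "A1006", "zip": "21215", "dob": "1992-12-12", "dx": "hypertension"},
]

QUASI_RELEASED = ("zip3", "birth_decade")


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed pseudonym.

    HMAC rather than a bare hash: a plain SHA-256 of an MRN can be reversed
    by hashing every plausible MRN (a dictionary attack), whereas without the
    secret key the pseudonym cannot be linked back to the record number.
    The 16-character truncation is an assumption for readability.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def generalize(record: dict) -> dict:
    """Coarsen quasi-identifiers so that several people share each value."""
    return {
        "zip3": record["zip"][:3],                  # 5-digit ZIP -> 3-digit prefix
        "birth_decade": record["dob"][:3] + "0s",   # exact DOB -> decade of birth
        "dx": record["dx"],
    }


def k_anonymity(rows: list, quasi: tuple) -> int:
    """Size of the smallest equivalence class over the quasi-identifiers.

    k == 1 means at least one record is unique and can be singled out.
    """
    groups = Counter(tuple(r[q] for q in quasi) for r in rows)
    return min(groups.values())


def l_diversity(rows: list, quasi: tuple, sensitive: str) -> int:
    """Fewest distinct sensitive values inside any equivalence class.

    l == 1 means a class is homogeneous: knowing someone is in it reveals
    their dx even though the release is k-anonymous.
    """
    values: dict = {}
    for r in rows:
        values.setdefault(tuple(r[q] for q in quasi), set()).add(r[sensitive])
    return min(len(v) for v in values.values())


def deidentify(records: list, key: bytes, min_k: int = 2) -> list:
    """Pseudonymize the MRN, generalize the rest, refuse to release below min_k."""
    out = [{"pid": pseudonymize(r["mrn"], key), **generalize(r)} for r in records]
    k = k_anonymity(out, QUASI_RELEASED)
    if k < min_k:
        raise ValueError(f"release is only {k}-anonymous, {min_k} required")
    return out


if __name__ == "__main__":
    key = b"assumed-pseudonymization-key"  # in practice sourced from a KMS or HSM
    print("raw data, k over (zip, dob):", k_anonymity(RECORDS, ("zip", "dob")))
    released = deidentify(RECORDS, key)
    print("released, k over", QUASI_RELEASED, ":", k_anonymity(released, QUASI_RELEASED))
    print("released, l for dx:", l_diversity(released, QUASI_RELEASED, "dx"))
    for row in released:
        print(row)
```

Running it shows the raw table is 1-anonymous (every ZIP plus birth date is unique), the released table is 3-anonymous, but the 212xx/1990s class has l = 1: anyone known to be in it can be inferred to have hypertension. That is the kind of residual inference the framework expects an organization to weigh against the data's usefulness, rather than something a single control removes.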

With multiple ways of achieving privacy, the NIST Privacy Framework guidance gives providers the option of choosing different types of protection outcomes that enable business environments to meet the privacy needs of individuals using health services.

Privacy is a concept distinct from security, but the two are intimately connected in the digital world, NIST notes in the guidance. For example, a security breach that cracks a company’s database may reveal private information about thousands of people.

Because of that connection, stakeholders working with NIST on the guidance asked the agency to align the Privacy Framework with its Cybersecurity Framework so that the two can be used together.

Lefkovitz emphasizes that the framework is not a one-size-fits-all checklist of action items, but a process unique to each organization. “A checklist-based approach might make you overinvest in less effective privacy solutions for your situation, or underinvest in the ones that would give you the most privacy benefit,” she explains. “The framework is designed to help your organization recognize and then address its own potentially unique situations.”

For now, the document is a starting point toward the goal of better protecting privacy, and NIST will work with stakeholders to develop more guidance. A first version of expanded guidance is expected by the end of 2019.

The preliminary draft is available here.
