Confronting Digital Health Privacy Risks via the New NIST Framework
Published On February 10, 2020
Blog Post by Brian Selfridge, ITRM Partner at Meditology Services
The move to digital healthcare is advancing innovative uses for health information that also introduce unforeseen risks to patient privacy. Federal and state regulations and standards bodies are playing catch-up to stem the tide of privacy breaches and harm to patients as information disseminates across disparate healthcare systems and platforms.
In January 2020, the National Institute of Standards and Technology (NIST) released a new framework designed to help healthcare entities assess and manage a wide range of emerging privacy risks. This blog post provides an overview and Meditology’s recommendations for implementation of the NIST Privacy Framework: a Tool for Improving Privacy Through Enterprise Risk Management.
Emerging Business Drivers for Privacy Risk Management
New federal interoperability rules from CMS [i] are promoting the “unleashing of data” for care, treatment, and research purposes. These rules are a perpetuation of digital health trends that have increasingly resulted in the proliferation of patient health information for a broad array of care, treatment, and administrative purposes.
Hundreds of third-party companies have cropped up in recent years to help drive innovations in Digital Health. Some of those organizations, including behemoths like Amazon and Google, have begun amassing unprecedented volumes of sensitive patient information. This large-scale sharing of patient data has privacy advocates raising the alarm about the need for improvements to regulations and standards to protect patient privacy.
Healthcare entities are beginning to view privacy risks as a critical component of enterprise risk management alongside emerging cybersecurity threats. On the heels of the ground-breaking General Data Protection Regulation (GDPR) mandates out of the EU, U.S. state and federal regulators are also paying attention and starting to incorporate privacy controls, including new and proposed legislation from over 20 states including California, Utah, Nevada, and Maine.
The NIST Privacy Risk Framework Explained
The NIST Privacy Framework [ii] resembles the NIST Cybersecurity Framework (CSF) in several respects, including the categorization of privacy functions into five groupings: Identify, Govern, Control, Communicate, and Protect. Like its cybersecurity counterpart, the privacy framework positions risks in easily digestible, common-sense terminology that helps support effective communication to technical and non-technical stakeholders, including executive bodies.
[Figure: NIST Privacy Framework Functions and Categories [iii]]
The framework is further broken out into three components: the Core, which breaks the key privacy activities for the enterprise into specific categories and subcategories; Profiles, which outline an organization's current privacy functions and capabilities; and Implementation Tiers, which reflect the organization’s control maturity levels (similar to HITRUST’s Common Security Framework Implementation Requirement Levels [iv]).
[Figure: NIST Privacy Framework Core and Profiles]
Leveraging the New Framework for Enterprise Risk Management
Privacy risks do not exist in a vacuum; there is a myriad of business risks that healthcare entities must consider and mitigate, including financial, regulatory, clinical, third-party, cybersecurity, and more. The NIST Privacy Framework helps to capture and quantify privacy risks in such a way that they can be included in the conversation and prioritization models for enterprise risk and given appropriate attention from organizational leadership.
The profile of cybersecurity risk management has risen steadily over the last several years and privacy is likely to follow a similar path as data continues to be used and shared in ways that were not envisioned when regulations like the HIPAA Privacy Rule were created.
Privacy risks are becoming more prominent as healthcare entities continue to place more reliance on third parties to deliver core services that require access to high volumes of patient information. As such, third-party risk management programs are likely to begin incorporating vendor privacy assessments as part of their cybersecurity due diligence processes.
Enterprise risk assessment processes have traditionally focused predominantly on information security. Healthcare entities have started to conduct HIPAA privacy risk assessments as well in recent years. The new NIST framework provides a more organized and thorough vehicle for looking at privacy through a business risk lens in addition to the HIPAA-driven regulatory perspective.
The acceleration of state and federal attention to privacy risks has hit full stride in 2020. GDPR and the California Consumer Privacy Act (CCPA) have led the way with the most robust regulatory models to date.
The release of the NIST framework signals a move by the federal government toward further attention to privacy matters. It is likely that at some point we will see enhancements to federal regulations that cite the NIST Privacy Framework as a recommended or required model. It would behoove healthcare entities to begin getting familiar with the new framework and conducting assessments to better understand their own privacy risks and capabilities sooner rather than later.