Measurable Outcomes-based Approach for the NIST Privacy Framework
The HIPAA Security Rule focuses on the objectives of Confidentiality, Integrity and Availability (CIA). The Department of Health and Human Services (DHHS) endorses the newly designed NIST Cybersecurity Framework (CSF), along with the HIPAA Crosswalk. Healthcare organizations utilize the CSF for risk impact assessments about the implementation of business objectives, designing system requirements for cybersecurity of ePHI and testing the effectiveness of an organization’s controls for achieving these objectives.
Ideally, systems that maintain CIA should be able to mitigate security harms; and likewise, systems that focus on the HIPAA Privacy Rule should be able to mitigate privacy harms to individuals in much the same way. To date, the privacy field has lagged behind in the development of a common risk-based privacy framework.
NIST has developed a voluntary privacy framework to help organizations improve the identification, assessment, management, and communication of privacy risks. It fosters the development of innovative approaches to protecting individuals’ privacy, measures outcomes and adjusts controls based on risk, and provides a tool that assists with enterprise privacy risk management.
Presenters at this session will cover how the privacy framework incorporates the standards, frameworks, models, methodologies, tools, guidelines, and principles that organizations are using to identify, assess, manage, and communicate privacy risk at the management, operational, and technical levels. They will also discuss how the NIST Privacy Framework addresses current regulatory and regulatory reporting requirements (e.g., local, state, national, international).
Attend to learn how NIST's Privacy Framework will address common information privacy challenges in the design, operation, and use of products and services in your organization. Presenters will reveal the most impactful and challenging attributes of privacy risk-based programs and how the NIST Privacy Framework addresses them. Attendees will learn how to incorporate privacy risk management standards, guidelines, and best practices into their healthcare organizations’ policies and practices.
In this session, presenters will discuss:
• What is privacy risk?
• How does the NIST Privacy Framework support the HIPAA Privacy Rule?
• How can healthcare organizations of all sizes leverage this new tool?
• What is the model & how are methodologies used?
• What does risk mitigation look like?
Karen Greenhalgh, CHC, CHPC, HCISPP
Cyber Tygr Virginia Beach, VA