My Comment on the NIST Privacy Framework
I am glad to see the National Institute of Standards and Technology has developed version 1.0 of a privacy framework that aligns with the NIST Cybersecurity Framework. Security is top of mind for health care providers, and now we also have to be vigilant about protecting patient privacy. I am encouraging health care organizations to follow NIST's cybersecurity framework, and they should also take steps to include the privacy portion. CIOs and CISOs have to influence the organization to change its security behaviors by placing a strong emphasis on information security and privacy training.
NIST's privacy framework will continue to evolve as requirements and expectations change. The current HIPAA rule is overdue for an update, hopefully with a guide that can help organizations develop a playbook. I believe the NIST framework should be the playbook of choice for CIOs and CISOs.
A CISO at an academic medical center I spoke with said the center's department "is heavily involved in ensuring that we build security into all strategic initiatives at the onset. We need to make sure that we deliver security and privacy to our patients."