Resources: Guidance from NIST
(The National Institute of Standards and Technology)

HIPAA Guidance and Tools

Information Security Guidance

Document Retention Guidelines

Regulations, Standards, and Laws

Return to the main Resources page

NIST Guidance and Tools for HIPAA

• NIST provides a good overall reference and lists key compliance activities for HIPAA Security Rule compliance in SP 800-66 Revision 1 (October 2008), An Introductory Resource Guide for Implementing the HIPAA Security Rule, at:

• NIST has released a useful HIPAA Security Rule Toolkit, which is a Java-based application that uses a tree of questions based on the regulations and NIST SP 800-series guidance to help organizations understand their HIPAA Security compliance position.  The user guide, install guide, and applications are all freely available at  

NIST Security Guidance

• The National Institute of Standards and Technology (NIST) has a wide variety of very useful information security guidance available in their Special Publications 800-series documents.  Several SP 800 documents are listed below; see the list of available documents at 

• A good place to start is NIST Draft Special Publication (SP) 800-12 Revision 1, An Introduction to Information Security, which was made available for public comment on January 26, 2017 (the final version followed in June 2017).  See:

• NIST releases ITL Security Bulletins approximately every two months, covering a variety of relevant information security topics, some more technical than others, but always worth perusing when looking for guidance.  These bulletins work in concert with the SP 800 series documents to provide more background, context, and specific recommendations.  The ITL Security Bulletins are available at:

• In June 2013 NIST released the quite useful NIST Interagency Report (IR) 7298, Revision 2, Glossary of Key Information Security Terms, compiled from the most recent (as of June 2013) NIST resources, available at  Revision 3 is in draft, available at  and an online glossary is available at  Just for “fun,” compare the HIPAA definition of a breach with the glossary entry for “compromise” at

• NIST Interagency Report 7621 Revision 1 (NISTIR 7621r1), Small Business Information Security: The Fundamentals, provides guidance on how small businesses can provide basic security for their information, systems, and networks, presenting the fundamentals of a small business information security program in nontechnical language.  NISTIR 7621r1 is available at:   Also see the related NIST Information Technology Laboratory Bulletin for March 2017, Fundamentals of Small Business Information Security, available at:

Security and Risk Assessments and Testing

• NIST provides a useful, simple risk assessment procedure in the original (July 2002) version of SP 800-30, Risk Management Guide for Information Technology Systems: .  Revision 1 of SP 800-30, Guide for Conducting Risk Assessments (September 2012), is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach.  It is thick with theory and explanation that tend to obscure the meaning and goals, and the process it describes is considerably more involved than the original and not necessarily appropriate for many health care organizations.  So warned, the new version is available at: .  NIST has marked the original version as superseded by Revision 1, but it is still available and is the one recommended here.  The October 2012 NIST ITL Security Bulletin, available at: , provides additional guidance on using SP 800-30 Revision 1.

• NIST released on October 1, 2008,  SP 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies, including recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures.  SP 800-115 is available at:

• If you want to drive your IT staff nuts, have them give you answers for the DRAFT Baldrige Cybersecurity Excellence Builder: Key questions for improving your organization's cybersecurity performance.  (September 15, 2016)  While it does ask a lot of good questions, it can be a bit daunting to approach all at once.  It’s a good place to get to, but it will take time to get through.  See:  

• The NIST February 2019 ITL Security Bulletin topic is The Next Generation Risk Management Framework (RMF 2.0): A Holistic Methodology to Manage Information Security, Privacy and Supply Chain Risk.  The bulletin summarizes NIST SP 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (December 2018), which provides guidelines for applying the RMF to information systems and organizations.  The bulletin is available at: and SP 800-37 Revision 2 at:

NIST Recommended Controls

• NIST SP 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (finalized April 2013), is a comprehensive update of the recommended security controls guide, providing a catalog of safeguards and countermeasures for information systems.  SP 800-53 Rev. 4 is available at: and its companion guide for assessing the controls, SP 800-53A, is available at:    Also available is the May 2013 NIST ITL Bulletin, with the Topic of the Month ITL Publishes Security and Privacy Controls for Federal Agencies.  The bulletin is available at and past ITL Bulletins are listed at:   Note that Revision 5 of SP 800-53, which integrates the privacy controls into the security control catalog, was published in September 2020.

• NIST Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist, released December 12, 2016, assists IT professionals in securing OS X 10.10 desktop and laptop systems within various environments, providing detailed information about the security features of OS X 10.10 and security configuration guidelines.  SP 800-179 is available at

Revision 1, released in draft on November 16, 2018, updates the guidance to cover macOS 10.12 as Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist, available at

SP 800-179 recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of OS X 10.10 systems in three types of environments: Standalone, Managed, and Specialized Security-Limited Functionality.

Additional project resources are available at:

• NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, published June 2019, is available at:  From the Abstract: “The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do.”

Guidance on Protecting Confidential Information

• NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, first released in draft on November 20, 2014 and finalized in June 2015, provides an excellent summary of security actions to take to protect information systems and a useful checklist of security considerations.  Revision 1 was released for comment on August 16, 2016 and finalized in December 2016; Revision 2 followed in February 2020.  See:

• NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), released April 6, 2010, provides practical, context-based guidelines for identifying PII and appropriate levels of protection, including safeguards and incident response plans.  The guide is available at:   The April 2010 NIST ITL Security Bulletin discussing SP 800-122 is available at:

• NIST provides a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business," giving small business owners a glimpse into the resources from NIST, the SBA, and the FBI that help protect them from cyber crime. The video describes hacking, denial of service, laptop theft, insider abuse, computer viruses, and computers turned into bots, and encourages small business owners to define their security needs, establish security practices, and stay current.  To see the video and other resources, go to:   Also see NISTIR 7621 Revision 1 (announced November 15, 2016), Small Business Information Security: The Fundamentals, which helps small businesses and organizations implement the fundamental concepts of an effective information security program.  See:

• On June 22, 2017, NIST released Special Publication 800-63-3, Digital Identity Guidelines, a suite of four documents.  The password recommendations are in SP 800-63B, Authentication and Lifecycle Management: the requirements for “memorized secrets” are in Section 5.1.1, and Appendix A discusses their strength.  NIST no longer recommends periodic password changes; verifiers should instead force a change when there is evidence that the secret has been compromised.  The guideline also retires several other password policies that have become antiquated in the modern computing environment:

  • Accept memorized secrets of at least 64 characters in length to support the use of passphrases (and require a minimum of 8 characters).
  • Encourage users to make memorized secrets as lengthy as they want, using any printing characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g., requiring mixtures of different character types) on memorized secrets.

NIST also recommends checking each new memorized secret against a blocklist of values known to be commonly used, expected, or compromised, such as:

  • Context-specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g., ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpora.
  • Dictionary words.

Links to Special Publication 800-63-3 are provided below, on the CSRC Special Publications page:
Main document (SP 800-63-3):
SP 800-63A, Enrollment and Identity Proofing:
SP 800-63B, Authentication and Lifecycle Management:
SP 800-63C, Federation and Assertions:
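As an added example (not code from NIST or from this page), the Python below applies the SP 800-63B rules summarized above to a candidate password: Unicode normalization, a length floor of 8 and a generous ceiling, no composition rules, and blocklist checks for breached values, for context-specific words derived from the username and service name, and for repetitive or sequential runs.  The breach list, the username and the service name are constructed stand-ins; a real deployment would load a large breach corpus.

```python
"""Memorized-secret (password) checks following SP 800-63B Section 5.1.1.
Added example, not NIST's code; the breach list below is a constructed
stand-in for a real breach corpus."""
import re
import unicodedata

MIN_LENGTH = 8      # SP 800-63B: subscriber-chosen secrets must be at least 8 characters
MAX_LENGTH = 128    # policy choice; SP 800-63B says verifiers SHOULD allow at least 64

# Constructed sample; a real deployment loads a large corpus of breached passwords.
BREACHED_SECRETS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}


def normalize(secret):
    """SP 800-63B 5.1.1.2: apply Unicode normalization (NFKC here) before
    length checks and hashing, so the same visual string is treated consistently."""
    return unicodedata.normalize("NFKC", secret)


def has_repetitive_or_sequential_run(secret, run=4):
    """True if any `run` consecutive characters are identical ('aaaa') or step
    by exactly one code point up or down ('1234', 'dcba')."""
    codes = [ord(c) for c in secret]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def context_words(username, service, min_len=4):
    """Context-specific words: the username, the service name and simple
    derivatives (email local part, alphanumeric tokens).  Tokens shorter than
    min_len are skipped to limit false positives (e.g. the 'org' in a domain)."""
    words = set()
    for source in (username, service):
        low = source.lower()
        words.add(low)
        words.add(low.split("@")[0])
        words.update(re.split(r"[^a-z0-9]+", low))
    return {w for w in words if len(w) >= min_len}


def check_memorized_secret(secret, username, service, breached=BREACHED_SECRETS):
    """Return (accepted, reason).  Deliberately enforces no composition rules
    and no periodic-change rule; length and the blocklists do the work."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if s in breached:                      # exact match against the breach corpus
        return False, "appears in a breach corpus"
    low = s.lower()
    for word in sorted(context_words(username, service)):
        if word in low:
            return False, f"contains context-specific word {word!r}"
    if has_repetitive_or_sequential_run(low):
        return False, "contains repetitive or sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed username and service name for the demonstration.
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3", "P@ss1",
                      "password", "alice2019!!", "xyzabcd1234"):
        print(f"{candidate!r:34} -> {check_memorized_secret(candidate, 'alice@example.org', 'Acme Portal')}")
```

Note that "Tr0ub4dor&3" is accepted and "correct horse battery staple" is accepted without any character-class requirement, while a short, breached, context-derived or sequential value is rejected with a reason the user can act on, which is the behaviour SP 800-63B asks verifiers to provide.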

Guidance on Securing E-mail

• On February 27, 2019, NIST released Special Publication (SP) 800-177 Revision 1, Trustworthy Email, which gives guidelines for enhancing trust in email through authentication mechanisms layered on core SMTP and the Domain Name System (DNS): SPF, DKIM and DMARC for sender authentication, and STARTTLS and DANE for transport protection.  The revision adds the more recently specified protocol additions SMTP MTA Strict Transport Security (MTA-STS) and SMTP TLS Reporting (TLS-RPT), as well as an email-system FISMA overlay developed to help system administrators deploy email services that address the relevant FISMA controls.  It is intended as a guide for enterprise email administrators, information security specialists, and network managers.  See:

• Also see the October 2016 NIST ITL Bulletin: Making Email Trustworthy, at  and the Draft of NIST SP 1800-6, DRAFT Domain Name Systems-Based Electronic Mail Security (November 2, 2016), at:  
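As an added example of the kind of check SP 800-177 Rev. 1 motivates (example code, not NIST's and not from this page), the Python below lints a domain's DMARC, MTA-STS and TLS-RPT records offline: it flags a DMARC record still at p=none or sampling only part of the mail, an MTA-STS policy still in testing mode or with a short max_age, and a TLS-RPT record with no reporting address, and passes a hardened set.  The domain example.net and every record shown are constructed; a real check would fetch the TXT records from DNS and the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt.

```python
"""Offline lint of the DNS records and policy file behind the SP 800-177r1
recommendations on DMARC, MTA-STS (RFC 8461) and TLS-RPT (RFC 8460).
Added example, not NIST's code; example.net and the records are constructed."""

WEEK = 7 * 24 * 3600


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list as used by DMARC, MTA-STS and TLS-RPT TXT records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_sts_policy(text):
    """Parse an MTA-STS policy file ('key: value' lines); 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy


def lint_dmarc(txt):
    t = parse_tags(txt)
    if t.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    p = t.get("p")
    if p not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy tag")
    elif p == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject once reports are clean")
    if "rua" not in t:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    pct = t.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves part of the failing mail unpoliced")
    return findings


def lint_mta_sts(txt, policy_text):
    findings = []
    t = parse_tags(txt)
    if t.get("v") != "STSv1" or not t.get("id"):
        findings.append("MTA-STS: _mta-sts TXT record must be 'v=STSv1; id=<policy id>'")
    pol = parse_sts_policy(policy_text)
    if pol.get("version") != "STSv1":
        findings.append("MTA-STS: policy file must contain 'version: STSv1'")
    mode = pol.get("mode")
    if mode not in ("enforce", "testing", "none"):
        findings.append(f"MTA-STS: invalid mode {mode!r}")
    elif mode != "enforce":
        findings.append(f"MTA-STS: mode {mode} lets senders fall back to cleartext; use 'mode: enforce' after testing")
    if not pol["mx"]:
        findings.append("MTA-STS: policy lists no mx hosts, so no server certificate can be matched")
    max_age = pol.get("max_age", "0")
    if not max_age.isdigit() or int(max_age) < WEEK:   # one-week floor is a policy choice here
        findings.append(f"MTA-STS: max_age={max_age} is short; RFC 8461 expects weeks or more so a DNS outage cannot downgrade delivery")
    return findings


def lint_tlsrpt(txt):
    t = parse_tags(txt)
    if t.get("v") != "TLSRPTv1" or not t.get("rua"):
        return ["TLS-RPT: _smtp._tls TXT record must be 'v=TLSRPTv1; rua=<report address>'"]
    return []


def lint_domain(records):
    """records: the relevant TXT record strings plus the fetched MTA-STS policy text."""
    return (lint_dmarc(records["_dmarc"])
            + lint_mta_sts(records["_mta-sts"], records["mta_sts_policy"])
            + lint_tlsrpt(records["_smtp._tls"]))


# Constructed records for a hypothetical example.net: a weak deployment and the corrected one.
WEAK = {
    "_dmarc": "v=DMARC1; p=none; pct=50",
    "_mta-sts": "v=STSv1; id=20190101",
    "mta_sts_policy": "version: STSv1\nmode: testing\nmx: mail.example.net\nmax_age: 86400\n",
    "_smtp._tls": "v=TLSRPTv1",
}
HARDENED = {
    "_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net",
    "_mta-sts": "v=STSv1; id=20190201",
    "mta_sts_policy": "version: STSv1\nmode: enforce\nmx: mail.example.net\nmx: *.backup.example.net\nmax_age: 1209600\n",
    "_smtp._tls": "v=TLSRPTv1; rua=mailto:tlsrpt@example.net",
}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_domain(recs) or ["no findings"])
```

The weak set produces six findings and the hardened set none; the point of the MTA-STS checks in particular is that a policy published in testing mode or with a max_age of a day protects nothing, because a sender that cannot refresh the policy simply falls back to opportunistic (or no) TLS.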

Mobile Device and Remote Access Guidance

• On July 27, 2018, the NIST National Cybersecurity Center of Excellence (NCCoE) released the final version 1 of Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, which includes valuable information on establishing strong authentication and secure practices when accessing EHR systems remotely from mobile devices.  While much of the report is technical in nature, such that it can be used to guide development of secure implementations, the overall goals of security AND ease of use are well-explained, and a questionnaire for EHR providers is included to help assess the security posture of an EHR vendor.  The NIST page with the Abstract of SP 1800-1 is available at:  and the publication, including all the subsections, is available at:  

• NIST Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, released June 24, 2013 helps organizations centrally manage and secure mobile devices against a variety of threats, providing recommendations for selecting, implementing, and using centralized management technologies, and explaining the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices.  The guidelines are available at

• NIST offers a guide to encryption of laptops and portable devices in SP 800-111 Guide to Storage Encryption Technologies for End User Devices, available at:

• Also see Draft NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure — The Mobile Threat Catalogue, September 2016 Draft, which describes, identifies, and structures the threats posed to mobile information systems, at:

• NIST provides some excellent guidance for telework and remote access to an organization's nonpublic computing resources and is recommended for security implementers, policy developers, trainers, and end users.  See SP 800-114 Rev 1 (July 2016) User's Guide to Telework and Bring Your Own Device Security:  

• NIST also provides an excellent companion guide, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.  See SP 800-46 Rev 2 (July 2016):

• When it comes to mobile device Apps, how do you know what you’re using is secure?  Look into NIST SP 800-163 (January 2015) Vetting the Security of Mobile Applications, available at:  

Guidance from NIST on Wireless Infusion Pumps

On August 21, 2018, the NIST National Cybersecurity Center of Excellence (NCCoE) published Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.  The title says it all.  If you use wireless infusion pumps or are thinking about using them, best to consult this.  See  

The December 2018 ITL Security Bulletin on the Topic of the Month, Securing Wireless Infusion Pumps, summarizes the information found in NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations which discusses the cybersecurity risks associated with medical devices, such as infusion pumps, which can connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization.

See: and the PDF version at

For a complete list of ITL Bulletins:

Cloud Computing Guidance

• If you're considering moving information to "the cloud", you'd best consider the security implications.  December 9, 2011 saw the release of NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing, available at:  

• On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which is NIST’s general guide to cloud computing.  It explains cloud systems in plain language, provides recommendations for information technology decision makers, and presents information on how clouds are deployed, what kinds of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues.  It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing.  The guide is available at:

• On June 29, 2012, NIST published its June 2012 NIST ITL Security Bulletin, on the topic of Cloud Computing: A Review Of Features, Benefits, And Risks, And Recommendations For Secure, Efficient Implementations.  The bulletin is at:  

• NIST’s Cryptographic Module Validation Program maintains the list of cryptographic modules validated against FIPS 140-2 (and its successor, FIPS 140-3), used in encryption products relied on for the HIPAA breach notification exemption, at

Incident Handling Guidance

• NIST SP 800-184, released December 2016, is an excellent overall Guide for Cybersecurity Event Recovery that now incorporates incident handling and contingency planning.  The press release (at ) provides a good overview, and the Guide is available at:   In addition, NIST’s February 2017 ITL Bulletin focuses on the guide, with additional information and insights, available at:  

• NIST released in August 2012 an update to their Computer Security Incident Handling Guide in SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process as required under HIPAA, PCI, and many other information security regulations and standards. See:   In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, providing additional insights and guidance, available at:  

• NIST’s September 2013 ITL Security Bulletin presents Guidance on Preventing and Handling Malware Incidents, available on the CSRC website at:  

Guidance on De-Identification of Information

• NIST IR 8053, released December 17, 2015, is a report on De-Identification of Personal Information.  The report summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of the HIPAA de-identification methods and the effectiveness of the HIPAA Safe Harbor method.  The report is available at  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

Also see HHS’s guidance from 2012 on De-identification of PHI, available at:
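As an added example (not NIST or HHS code, and not from this page) of the Safe Harbor method that NISTIR 8053 evaluates, the Python below runs a Safe Harbor pass over constructed patient records: it drops the direct identifiers, truncates ZIP codes to three digits (or 000 for sparsely populated prefixes), reduces dates to the year, and aggregates ages over 89 into 90+.  The record field names are assumptions about a hypothetical layout, and the restricted-ZIP list is the one in the HHS guidance derived from 2000 Census figures, which should be verified against the current guidance before use.

```python
"""A HIPAA Safe Harbor de-identification pass over constructed patient records.
Added example illustrating the method NISTIR 8053 discusses; not NIST or HHS
code.  Field names are assumptions about a hypothetical record layout."""
from datetime import date

# Fields the Safe Harbor method removes outright (a subset of the 18 identifiers).
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "health_plan_id", "account", "license", "vin", "device_id",
                      "url", "ip", "biometric", "photo"}

# Three-digit ZIP prefixes with 20,000 or fewer residents per the HHS Safe Harbor
# guidance (2000 Census); assumption: verify against current HHS guidance.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}


def generalize_zip(zip_code):
    """Keep only the first three digits; use 000 for sparsely populated prefixes."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, as_of):
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_age(dob, as_of):
    """Ages over 89 collapse into a single '90+' category; the birth year is
    dropped too, because for these ages it would reveal the age."""
    age = age_on(dob, as_of)
    return "90+" if age > 89 else age


def safe_harbor(record, as_of):
    """Return a de-identified copy of one record.  Removing these fields is
    necessary but not sufficient: Safe Harbor also requires no actual knowledge
    that the remaining data could identify the individual."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob":
            out["age"] = generalize_age(value, as_of)
        elif isinstance(value, date):
            # Dates directly related to the individual (admission, discharge,
            # death): keep the year only.
            out[key + "_year"] = value.year
        else:
            out[key] = value
    return out


# Constructed records; the "as of" date fixes the age calculation.
AS_OF = date(2020, 6, 1)
PATIENTS = [
    {"name": "Jane Doe", "mrn": "MRN-0001", "dob": date(1929, 5, 2), "zip": "03601",
     "admit_date": date(2019, 3, 14), "diagnosis": "I10"},
    {"name": "John Roe", "email": "john@example.org", "dob": date(1985, 7, 20),
     "zip": "05401-1234", "admit_date": date(2020, 1, 5), "diagnosis": "E11"},
]

if __name__ == "__main__":
    for patient in PATIENTS:
        print(safe_harbor(patient, AS_OF))
```

The first record shows both special cases at once: a 91-year-old becomes "90+" with no birth year, and ZIP 03601 falls in a restricted prefix and so becomes 000 rather than 036.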


              Copyright © 2002-2020 Lewis Creek Systems, LLC  Charlotte, Vermont, USA