Resources: Guidance from NIST
(The National Institute of Standards and Technology)




NIST Guidance and Tools for HIPAA

• NIST provides a good overall reference and lists key compliance activities for HIPAA Security Rule compliance in SP 800-66 Revision 1 (October 2008): Introductory Resource Guide for Implementing the HIPAA Security Rule, at:
http://csrc.nist.gov/publications/PubsSPs.html#800-66-Rev1

• NIST has released a useful HIPAA Security Rule Toolkit, which is a Java-based application that uses a tree of questions based on the regulations and NIST SP 800-series guidance to help organizations understand their HIPAA Security compliance position. The user guide, install guide, and applications are all freely available at http://scap.nist.gov/hipaa/

NIST Security Guidance

• The National Institute of Standards and Technology (NIST) has a wide variety of very useful information security guidance available in their Special Publications 800-series documents.  Several SP 800 documents are listed below; see the list of available documents at http://csrc.nist.gov/publications/PubsSPs.html 

• A good place to start is NIST Draft Special Publication (SP) 800-12 Revision 1, Introduction to Information Security, which was made available for public comment on January 26, 2017. See http://csrc.nist.gov/publications/PubsDrafts.html#800-12r1

• NIST releases ITL Security Bulletins approximately every two months, covering a variety of relevant information security topics, some more technical than others, but always worth perusing when looking for guidance.  These bulletins work in concert with the SP 800 series documents to provide more background, context, and specific recommendations.  The ITL Security Bulletins are available at:  http://csrc.nist.gov/publications/PubsITLSB.html

• In June 2013 NIST released a quite useful NIST Interagency Report (IR) 7298, Revision 2, Glossary of Key Information Security Terms, derived from a variety of the most recent (as of June 2013) NIST resources, available at http://csrc.nist.gov/publications/PubsNISTIRs.html#NIST-IR-7298

• The NIST Interagency Report 7621 Revision 1 (NISTIR 7621r1), Small Business Information Security: The Fundamentals, provides guidance on how small businesses can provide basic security for their information, systems, and networks, presenting the fundamentals of a small business information security program in nontechnical language. NISTIR 7621r1 is available at: http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf   Also see the related NIST Information Technology Laboratory Bulletin for March 2017, Fundamentals of Small Business Information Security, available at: http://csrc.nist.gov/publications/nistbul/itlbul2017-03.pdf

Security and Risk Assessments and Testing

• NIST provides a useful, simple Risk Assessment Procedure in the original version of SP 800-30, Risk Management Guide for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf  Revision 1 of Special Publication SP 800-30, Guide for Conducting Risk Assessments, is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach. It is thick with theory and explanations that only serve to obfuscate the meaning and goals. The process described is much more complicated than the one in the original version, and is not necessarily appropriate for many health care organizations. So warned, the new version is available at: http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf, but the original version (recommended) is still available. The October 2012 NIST ITL Security Bulletin, available at: http://csrc.nist.gov/publications/nistbul/itlbul2012_10.pdf  provides additional guidance on using SP 800-30 Revision 1.

• NIST released on October 1, 2008,  SP 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies, including recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures.  SP 800-115 is available at: http://csrc.nist.gov/publications/PubsSPs.html#SP800-115

• If you want to drive your IT staff nuts, have them give you answers for the DRAFT Baldrige Cybersecurity Excellence Builder: Key questions for improving your organization's cybersecurity performance.  (September 15, 2016)  While it does ask a lot of good questions, it can be a bit daunting to approach all at once.  It’s a good place to get to, but it will take time to get through.  See:  http://csrc.nist.gov/publications/PubsDrafts.html#Whitepaper-2016-baldridge-ceb  

NIST Recommended Controls

• NIST SP 800-53 Revision 4, updated May, 2012, is a comprehensive update of the Recommended Security Controls guide, providing a comprehensive set of safeguards and countermeasures for information systems. The updated SP 800-53 Rev. 4 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-53 and the guide for assessing security controls, SP 800-53A Revision 1 (draft), is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-53A-rev1   Also available is the May 2013 NIST ITL Bulletin, featuring the Topic of the Month: ITL Publishes Security And Privacy Controls For Federal Agencies. The bulletin is available at http://csrc.nist.gov/publications/nistbul/itlbul2013_05.pdf and to see past ITL Bulletins, visit: http://csrc.nist.gov/publications/PubsITLSB.html

• NIST Special Publication 800-179, released December 12, 2016, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist.  SP 800-179 is available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-179.pdf  and assists IT professionals in securing Apple OS X 10.10 desktop and laptop systems within various environments, providing detailed information about the security features of OS X 10.10 and security configuration guidelines. 

SP 800-179 recommends and explains tested, secure settings with the objective of simplifying the administrative burden of improving the security of OS X 10.10 systems in three types of environments: Standalone, Managed, and Specialized Security-Limited Functionality.

Additional project resources are available at:  https://github.com/usnistgov/applesec  

Guidance on Protecting Confidential Information

• NIST Draft SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, first draft released November 20, 2014, provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.  The SP has been finalized and is now (August 16, 2016) in draft for Revision 1.  See:  http://csrc.nist.gov/publications/PubsDrafts.html#800-171 

• NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), released April 6, 2010, provides practical, context-based guidelines for identifying PII and appropriate levels of protection, including safeguards and incident response plans. The guide is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-122   The April 2010 NIST ITL Security Bulletin discussing the SP 800-122 guide is available at: http://csrc.nist.gov/publications/nistbul/april-2010_guide-protecting-pii.pdf

• NIST provides a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business" giving small business owners a glimpse into the resources from NIST, SBA, and the FBI that protect them from cyber crime. The video describes hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots, and encourages small business owners to define their security needs, establish security practices, and stay current.  To see the video and other resources, go to:  http://csrc.nist.gov/groups/SMA/sbc/library.html#04   Also see NISTIR 7621, Revision 1 (announced November 15, 2016), Small Business Information Security: The Fundamentals, to help small businesses and organizations implement the fundamental concepts of an effective information security program.  See:  http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf 

• On June 22, 2017, NIST released Special Publication 800-63-3, Digital Identity Guidelines, including the password recommendations: see Appendix A to Draft SP 800-63-3 B for the details.  They suggest that periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

  • Allow at least 64 characters in length to support the use of passphrases.
  • Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

NIST is also recommending checking new passwords against several lists, such as:

  • Context specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpora.

Links to Special Publication 800-63-3 are provided below, on the CSRC Special Publications page:
Main document: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63-3
SP 800-63-3 A: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63A
SP 800-63-3 B: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63B
SP 800-63-3 C: http://csrc.nist.gov/publications/PubsSPs.html#SP-800-63C
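The SP 800-63B points listed above, implemented as a memorized-secret checker in Python. This is an added example, not code from NIST or from this page; the breach corpus, service name and username are constructed samples, and the 8-character floor is SP 800-63B's minimum for user-chosen secrets, which the summary above does not quote.

```python
# Added example, not NIST's code: memorized-secret checks following the
# SP 800-63B points above. BREACHED is a constructed stand-in for a breach
# corpus; the 8-character floor is SP 800-63B's minimum (not quoted on this page).
import re
import unicodedata

MIN_LEN = 8       # SP 800-63B minimum for user-chosen secrets; no upper cap below 64
REPEAT_RUN = 4    # 'aaaa' or longer counts as repetitive
SEQ_RUN = 4       # '1234', 'abcd', 'qwer' (or reversed) counts as sequential
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")

def has_repetition(s: str) -> bool:
    """One character repeated REPEAT_RUN or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (REPEAT_RUN - 1), s) is not None

def has_sequence(s: str) -> bool:
    """A SEQ_RUN-long slice of a known sequence, forwards or reversed."""
    low = s.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - SEQ_RUN + 1):
            chunk = seq[i:i + SEQ_RUN]
            if chunk in low or chunk[::-1] in low:
                return True
    return False

def context_words(service: str, username: str) -> set:
    """Service name, username, their parts and reversals (the 'derivatives')."""
    parts = [service, username, *service.split(), *re.split(r"[@._\-\s]+", username)]
    words = set()
    for raw in parts:
        w = raw.lower()
        if len(w) >= 3:   # shorter fragments would reject almost anything
            words.update({w, w[::-1]})
    return words

def check_secret(secret: str, service: str, username: str) -> list:
    """Reasons to reject the candidate; empty list means accept. No composition
    rules: any characters, including spaces, are allowed at any length >= MIN_LEN."""
    s = unicodedata.normalize("NFKC", secret)   # compare canonical Unicode forms
    low = s.lower()
    reasons = []
    if len(s) < MIN_LEN:
        reasons.append("too short")
    if has_repetition(s):
        reasons.append("repetitive characters")
    if has_sequence(s):
        reasons.append("sequential characters")
    if any(w in low for w in context_words(service, username)):
        reasons.append("context-specific word")
    if low in BREACHED:
        reasons.append("found in breach corpus")
    return reasons
```

A real deployment replaces BREACHED with a large corpus lookup (hashed or prefix-queried) and keeps the rest of the policy as shown.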

Guidance on Securing E-mail

• On September 16, 2016, NIST released Special Publication 800-177, Trustworthy Email, which covers and gives recommendations for state-of-the-art email security technologies to detect and prevent phishing and other malicious email messages. Most of these new technologies rely on publishing email infrastructure-related information in DNSSEC, a secure version of the established Domain Name System (DNS). The guide was written for email administrators and for those developing security policies for an enterprise's email infrastructure. See: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177.pdf

• Also see the October 2016 NIST ITL Bulletin: Making Email Trustworthy, at  http://csrc.nist.gov/publications/nistbul/itlbul2016_10.pdf  and the Draft of NIST SP 1800-6, DRAFT Domain Name Systems-Based Electronic Mail Security (November 2, 2016), at:  http://csrc.nist.gov/publications/PubsDrafts.html#SP-1800-6  

Mobile Device and Remote Access Guidance

• On July 23, 2015, The National Cybersecurity Center of Excellence (NCCoE) released a draft of NIST SP 1800-1, Securing Electronic Records on Mobile Devices, a step-by-step guide (the first in a new series) that demonstrates how health care providers can make mobile devices that interact with an EHR system, such as smartphones and tablets, more secure.  The guide provides a detailed architecture so that engineers and administrators can copy, or recreate with different but similar technologies, the security characteristics of the guide. The draft document, in five parts, is available at  https://nccoe.nist.gov/projects/use_cases/health_it/ehr_on_mobile_devices  Part (e) includes a useful questionnaire for vendors that may be adapted for a number of kinds of HIPAA Business Associates.

• NIST Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, released June 24, 2013, helps organizations centrally manage and secure mobile devices against a variety of threats, providing recommendations for selecting, implementing, and using centralized management technologies, and explaining the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices. The guidelines are available at http://csrc.nist.gov/publications/PubsSPs.html#800-124

• NIST offers a guide to encryption of laptops and portable devices in SP 800-111 Guide to Storage Encryption Technologies for End User Devices, available at: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf

• Also see Draft NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure — The Mobile Threat Catalogue, September 2016 Draft, which describes, identifies, and structures the threats posed to mobile information systems, at:  http://csrc.nist.gov/publications/drafts/nistir-8144/nistir8144_draft.pdf

• NIST provides some excellent guidance for telework and remote access to an organization's nonpublic computing resources, recommended for security implementers, policy developers, trainers, and end users. See SP 800-114 Rev 1 (July 2016), User's Guide to Telework and Bring Your Own Device Security: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf

• NIST also provides an excellent companion guide: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. See SP 800-46 Rev 2 (July 2016): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf

• When it comes to mobile device Apps, how do you know what you’re using is secure?  Look into NIST SP 800-163 (January 2015) Vetting the Security of Mobile Applications, available at:  http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-163.pdf  

Cloud Computing Guidance

• If you're considering moving information to "the cloud", you'd best consider the security implications.  December 9, 2011 saw the release of NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing, available at:  http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494  

• On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which is NIST's general guide to cloud computing. It explains cloud systems in plain language, provides recommendations for information technology decision makers, and presents information on how clouds are deployed, what kind of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues. It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing. The guide is available at: http://csrc.nist.gov/publications/nistpubs/800-146/sp800-146.pdf

• On June 29, 2012, NIST published its June 2012 NIST ITL Security Bulletin, on the topic of Cloud Computing: A Review Of Features, Benefits, And Risks, And Recommendations For Secure, Efficient Implementations.  The bulletin is at:  http://csrc.nist.gov/publications/nistbul/june-2012_itl-bulletin.pdf  

• NIST provides a list of cryptographic modules meeting the FIPS 140-2 standard, used in products meeting the HIPAA Breach notification exemption, at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm 

Incident Handling Guidance

• NIST SP 800-184, released December 2016, is an excellent overall Guide for Cybersecurity Event Recovery that now incorporates incident handling and contingency planning.  The press release (at https://www.nist.gov/news-events/news/2016/12/nist-guide-provides-way-tackle-cybersecurity-incidents-recovery-plan ) provides a good overview, and the Guide is available at:   http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf   In addition, NIST’s February 2017 ITL Bulletin focuses on the guide, with additional information and insights, available at:  http://csrc.nist.gov/publications/nistbul/itlbul2017-02.pdf  

• NIST released in August 2012 an update to their Computer Security Incident Handling Guide in SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process as required under HIPAA, PCI, and many other information security regulations and standards. See: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf   In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, providing additional insights and guidance, available at:  http://csrc.nist.gov/publications/nistbul/itlbul2012_09.pdf  

• NIST’s September 2013 ITL Security Bulletin presents Guidance on Preventing and Handling Malware Incidents, available on the CSRC website at:  http://csrc.nist.gov/publications/nistbul/itlbul2013_09.pdf  

Guidance on De-Identification of Information

• NIST IR 8053, released December 17, 2015, is a report on De-Identification of Personal Information.  The report document summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification, and the effectiveness of the HIPAA Safe Harbor method.  The report is available at http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf  If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/coveredentities/De-identification/hhs_deid_guidance.pdf  



Copyright © 2002-2017 Lewis Creek Systems, LLC, Charlotte, Vermont, USA