Resources: Guidance from NIST
(The National Institute of Standards and Technology)

NIST Guidance and Tools for HIPAA

• A June 24, 2022 article in Health IT Security, Breaking Down the NIST Cybersecurity Framework, How It Applies to Healthcare, describes how healthcare organizations can use the NIST Cybersecurity Framework's collection of standards and best practices to strengthen their overall security postures. Healthcare organizations can use the framework in conjunction with other voluntary frameworks and HIPAA Security Rule compliance efforts to protect the confidentiality and security of patient data. See:  

• NIST provides a good overall reference and lists key compliance activities for HIPAA Security Rule compliance in SP 800-66 Revision 1 (October 2008): Introductory Resource Guide for Implementing the HIPAA Security Rule, at:  

• NIST has released a useful HIPAA Security Rule Toolkit, which is a Java-based application that uses a tree of questions based on the regulations and NIST SP 800-series guidance to help organizations understand their HIPAA Security compliance position.  The user guide, install guide, and applications are all freely available at  

NIST Security Guidance

• The National Institute of Standards and Technology (NIST) has a wide variety of very useful information security guidance available in their Special Publications 800-series documents.  Several SP 800 documents are listed below; see the list of available documents at 

• A good place to start is NIST Draft Special Publication (SP) 800-12 Revision 1, Introduction to Information Security, which was made available for public comment on January 26, 2017. See  

• NIST releases ITL Security Bulletins approximately every two months, covering a variety of relevant information security topics, some more technical than others, but always worth perusing when looking for guidance.  These bulletins work in concert with the SP 800 series documents to provide more background, context, and specific recommendations.  The ITL Security Bulletins are available at:

• NIST released in June 2013 a quite useful NIST Interagency Report (IR) 7298, Revision 2, Glossary of Key Information Security Terms, derived from a variety of the most recent (as of June 2013) NIST resources, available at: . Revision 3 is in draft, available at: , and an online glossary is available at: . Just for “fun,” consider the definition of a HIPAA Breach and look up “compromise” at:  

• The NIST Interagency Report 7621 Revision 1 (NISTIR 7621r1), Small Business Information Security: The Fundamentals provides guidance on how small businesses can provide basic security for their information, systems, and networks, presenting the fundamentals of a small business information security program in nontechnical language.  NISTIR 7621r1 is available at:   Also see the related NIST Information Technologies Laboratory Bulletin for March 2017, Fundamentals of Small Business Information Security, available at:  

• To continue providing guidance and to help organizations make use of the NIST Cybersecurity Framework (available at: ), NIST has finalized a new guide, NIST Special Publication (SP) 1271, Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide, available at:  

  • The NIST Cybersecurity Framework is organized by five key Functions – Identify, Protect, Detect, Respond, Recover. This publication outlines key, high-level activities organized by Framework Function that may offer a good starting point for an organization when establishing a secure cybersecurity posture and is applicable for any sector or community seeking to improve cybersecurity risk management.
  • The NIST Cybersecurity Framework enables organizations, regardless of size, degree of cybersecurity risk, or cybersecurity sophistication, to apply the principles and best practices of risk management to improve security and resilience. Through implementation of the NIST Cybersecurity Framework, organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.

Security and Risk Assessments and Testing

• NIST provides a useful, simple Risk Assessment Procedure in the original version of SP 800-30, Risk Management Guide for Information Technology Systems: . Revision 1 of Special Publication SP 800-30, Guide for Conducting Risk Assessments, is much larger, contains a great deal of background information, and is much harder for the average compliance officer to approach. It is thick with theory and explanations that only serve to obfuscate the meaning and goals. The process described is much more complicated than the one in the original version, and is not necessarily appropriate for many health care organizations. So warned, the new version is available at: , but the original version (recommended) is still available. The October 2012 NIST ITL Security Bulletin, available at: , provides additional guidance on using SP 800-30 Revision 1.  

• NIST released on October 1, 2008, SP 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies, including recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures. SP 800-115 is available at:

• If you want to drive your IT staff nuts, have them give you answers for the DRAFT Baldrige Cybersecurity Excellence Builder: Key questions for improving your organization's cybersecurity performance.  (September 15, 2016)  While it does ask a lot of good questions, it can be a bit daunting to approach all at once.  It’s a good place to get to, but it will take time to get through.  See:  

• The NIST FEBRUARY 2019 ITL Security Bulletin topic is: The Next Generation Risk Management Framework (RMF 2.0): A Holistic Methodology to Manage Information Security, Privacy and Supply Chain Risk.  This bulletin summarizes the information found in NIST SP 800-37, Revision 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy which provides guidelines for applying the RMF to information systems and organizations.  Available at: and  

• NIST SP 800-161 Rev. 1 Draft Cyber Supply Chain Risk Management Practices for Systems and Organizations is in development and receiving comments through June 25, 2021.  Developers and Managers need to ensure the products they procure from others are developed securely.  See  

• NISTIR 8286A, Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management, provides an in-depth discussion of the concepts introduced in NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), and is available at:

NISTIR 8286A is intended to help organizations better implement cybersecurity risk management (CSRM) as an integral part of ERM. The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their ERM programs and that the CSRM program is anchored within the context of ERM.

A companion document, NISTIR 8286C, Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, will be available for review and comment in the coming weeks.

Related publications:

NIST Recommended Controls

• On March 15, 2021, the NIST Risk Management Framework Team Did Some Spring Cleaning!  There is a new and improved Risk Management Framework (RMF) website that better highlights the resources NIST developed to support implementers. In addition, NIST has:

• On January 21, 2021, NIST released Supplemental Materials for SP 800-53 and SP 800-53B: Control Catalog and Control Baselines in Spreadsheet Format, providing new and updated supplemental materials for NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, and NIST SP 800-53B, Control Baselines for Information Systems and Organizations, supporting the December 10, 2020, errata release of SP 800-53 and SP 800-53B. The materials include:

Control Catalog Spreadsheet (NEW): the entire security and privacy control catalog in spreadsheet format

Control Baselines Spreadsheet (NEW): the control baselines of SP 800-53B in spreadsheet format

Both spreadsheets have been preformatted for improved data visualization and allow for alternative views of the catalog and baselines. Users can also convert the contents to different data formats, including text only, comma-separated values (CSV), and other formats that can provide greater flexibility (e.g., by ingesting it into an existing product or platform and/or to facilitate automation). The spreadsheets were created from the Open Security Controls Assessment Language (OSCAL) version of the SP 800-53 Rev. 5 controls, which is offered as a supplemental material to the publications.

Additionally, the following existing supplemental materials for SP 800-53 were recently updated:

More information is available on the SP 800-53 publication page. Contact with any questions and comments.

• NIST Special Publication (SP) 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, announced September 23, 2020, represents a multi-year effort to develop the next generation of security and privacy controls, which offer a proactive and systematic approach to ensuring that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience.

The most significant changes to SP 800-53, Revision 5 include:

  • Consolidating the control catalog
  • Integrating supply chain risk management
  • Adding new state-of-the-practice controls
  • Making controls outcome-based
  • Improving descriptions of content relationships
  • Separating the control selection processes from the controls
  • Transferring control baselines and tailoring guidance to NIST SP 800-53B

• NIST SP 800-53 Revision 4, updated May 2012, is a comprehensive update of the Recommended Security Controls guide, providing a comprehensive set of safeguards and countermeasures for information systems. The updated SP 800-53 Rev. 4 is available at: , and the guide for assessing security controls, SP 800-53A Revision 1 (draft), is available at: . Also available is the May 2013 NIST ITL Bulletin, featuring the Topic of the Month: ITL Publishes Security And Privacy Controls For Federal Agencies. The bulletin is available at: , and to see past ITL Bulletins, visit:

• On June 24, 2022, NIST released new guidance and resources on macOS Security, in the final version of Special Publication (SP) 800-219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). This document explores mSCP resources that system administrators, security professionals, security policy authors, information security officers, and auditors can leverage to secure and assess macOS desktop and laptop system security in an automated way.

See SP 800-219 at and the announcement at  

SP 800-219 incorporates and deprecates content from SP 800-179 (December 12, 2016) and SP 800-179 Draft Revision 1 (November 16, 2018).

Additional project resources are available at:  

• NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, published in June 2019, is available at: . From the Abstract: “The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do.”  

Guidance on Protecting Confidential Information

• In February 2022, NIST released the final version of NIST SP 1800-30: Securing Telehealth Remote Patient Monitoring Ecosystem, including three parts: Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C). Increasingly, healthcare delivery organizations (HDOs) are relying on telehealth and remote patient monitoring (RPM) capabilities to treat patients at home. Without adequate privacy and cybersecurity measures, unauthorized individuals may expose sensitive data or disrupt patient monitoring services. The National Cybersecurity Center of Excellence (NCCoE) built a laboratory environment to demonstrate how HDOs can implement cybersecurity and privacy controls to enhance telehealth RPM resiliency. See: , and an article on the new SP 1800-30 in Healthcare IT News at:  

• Every day, in order to perform their jobs, workers exchange files over the Internet through email attachments, file sharing services, and other means. To help organizations reduce potential exposure of sensitive information, NIST has released a new Information Technology Laboratory (ITL) Bulletin for August 2020: Security Considerations for Exchanging Files Over the Internet discussing several possible solutions for secure file exchanges, as well as numerous examples of methods for detecting file exchanges that aren't properly protected.  See:  

• NIST ITL Bulletin for June 2020: NIST Privacy Framework: An Overview summarizes the information found in the voluntary NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Version 1.0). The Privacy Framework is a tool developed in collaboration with stakeholders intended to help organizations identify and manage privacy risk to build innovative products and services while protecting individuals' privacy.  See:

• NIST Draft SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, first draft released November 20, 2014, provides an excellent summary of security actions to take to protect information systems, and provides a great checklist of security considerations.  The SP has been finalized and is now (August 16, 2016) in draft for Revision 1.  See: 

• NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), released April 6, 2010, provides practical, context-based guidelines for identifying PII and appropriate levels of protection, including safeguards and incident response plans. The guide is available at: . The April 2010 NIST ITL Security Bulletin discussing the SP 800-122 guide is available at:

• NIST provides a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business," giving small business owners a glimpse into the resources from NIST, SBA, and the FBI that protect them from cyber crime. The video describes hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots, and encourages small business owners to define their security needs, establish security practices, and stay current. To see the video and other resources, go to: . Also see NISTIR 7621, Revision 1 (announced November 15, 2016), Small Business Information Security: The Fundamentals, to help small businesses and organizations implement the fundamental concepts of an effective information security program. See: 

• On June 22, 2017, NIST released Special Publication 800-63-3, Digital Identity Guidelines, including the password recommendations; see Appendix A to Draft SP 800-63-3 B for the details. They suggest that periodic password changes are no longer necessary. The report also recommends changes to several other password policies that have become antiquated in the modern computing environment:

  • Allow at least 64 characters in length to support the use of passphrases.
  • Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.

NIST is also recommending checking new passwords against several lists, such as:

  • Context specific words, such as the name of the service, the username, and derivatives thereof.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Passwords obtained from previous breach corpuses.
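As an added example (not from this page or from NIST), the following Python screener applies the SP 800-63B checks listed above: it imposes no composition rules, allows secrets up to 64 characters, and rejects context-specific words, repetitive or sequential characters, and secrets found in a breach corpus. The 8-character minimum, the sample breach corpus, and the function names are assumptions.

```python
"""Memorized-secret screener modelled on the SP 800-63B checks (illustrative, not NIST code)."""
import re

# Constructed sample breach corpus; a real deployment would load a large
# blocklist of previously breached passwords instead of this toy set.
BREACH_CORPUS = {"password", "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LENGTH = 8    # assumed policy minimum for user-chosen secrets
MAX_LENGTH = 64   # the guidance says to allow at least 64 characters


def _context_words(username, service):
    """Derive the context-specific words a secret must not contain:
    the username and service name, their reversed forms, and their parts
    (e.g. the local part of an e-mail address)."""
    words = set()
    for raw in (username, service):
        if not raw:
            continue
        w = raw.lower()
        words.add(w)
        words.add(w[::-1])
        words.update(p for p in re.split(r"[^a-z0-9]+", w) if len(p) >= 4)
    return words


def _has_repetition(secret, run=3):
    """True if any character repeats `run` or more times in a row (e.g. 'aaaaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), secret) is not None


def _has_sequence(secret, run=4):
    """True if `run` consecutive characters step by +1 or -1 (e.g. '1234', 'dcba')."""
    for i in range(len(secret) - run + 1):
        window = secret[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def screen_secret(secret, username="", service="", breach_corpus=BREACH_CORPUS):
    """Return the reasons a memorized secret should be rejected; an empty list
    means it is accepted.  No character-class composition rules are applied."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append("too short")
    if len(secret) > MAX_LENGTH:
        reasons.append("longer than the %d-character limit" % MAX_LENGTH)
    lowered = secret.lower()
    if any(w in lowered for w in _context_words(username, service)):
        reasons.append("contains a context-specific word (username/service)")
    if _has_repetition(secret):
        reasons.append("repetitive characters")
    if _has_sequence(secret):
        reasons.append("sequential characters")
    if lowered in breach_corpus:   # case-insensitive lookup is a design choice here
        reasons.append("found in breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "aaaaaa", "1234abcd", "Password"):
        verdict = screen_secret(candidate, "alice@example.com", "Acme Portal")
        print("%-30r -> %s" % (candidate, verdict or "accepted"))
```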

Links to Special Publication 800-63-3 are provided below (on the CSRC Special Publications page): 
Main document:
SP 800-63-3 A:
SP 800-63-3 B:
SP 800-63-3 C:

Guidance on Securing E-mail

• On February 27, 2019, NIST released Special Publication (SP) 800-177 Rev. 1, Trustworthy Email, which describes guidelines for enhancing trust in email and recommendations for the support of core SMTP and the Domain Name System (DNS) through the use of authentication mechanisms. The document includes newly specified email protocol additions, such as Mail Transfer Agent Strict Transport Security (MTA-STS) and Transport Layer Security (TLS) Reporting, as well as an email system FISMA overlay developed to aid systems administrators in deploying email services that address relevant FISMA controls. It is intended to be a guide for enterprise email administrators, information security specialists, and network managers. See:  

• Also see the October 2016 NIST ITL Bulletin: Making Email Trustworthy, at  and the Draft of NIST SP 1800-6, DRAFT Domain Name Systems-Based Electronic Mail Security (November 2, 2016), at:  

Mobile Device and Remote Access Guidance

• On March 18, 2021, the National Institute of Standards and Technology (NIST) released a draft of Mobile Device Security--Bring Your Own Device (BYOD): Draft SP 1800-22.  The goal of Draft NIST Special Publication (SP) 1800-22 is to provide an example solution that helps organizations use both a standards-based approach and commercially available technologies to help meet their security and privacy needs when permitting personally-owned mobile devices to access enterprise resources.  The draft guide is available at:  

• On September 16, 2020, NIST announced the publication of Special Publication (SP) 1800-21, Mobile Device Security: Corporate-Owned Personally-Enabled (COPE).  On February 10, 2021, NIST announced a Web-based version of the practice guide.  One deployment model for mobile devices is COPE devices, owned by the enterprise and issued to the employee. COPE architectures provide the flexibility of allowing both enterprises and employees to install applications onto the enterprise-owned mobile device.  The NIST Cybersecurity Practice Guide demonstrates how organizations can use standards-based, commercially available products to help meet their COPE mobile device security and privacy needs.  Both the PDF and Web-based versions are available at:  

• On July 27, 2018, the NIST National Cybersecurity Center of Excellence (NCCoE) released the final version 1 of Special Publication 1800-1, Securing Electronic Health Records on Mobile Devices, which includes valuable information on establishing strong authentication and secure practices when accessing EHR systems remotely from mobile devices.  While much of the report is technical in nature, such that it can be used to guide development of secure implementations, the overall goals of security AND ease of use are well-explained, and a questionnaire for EHR providers is included to help assess the security posture of an EHR vendor.  The NIST page with the Abstract of SP 1800-1 is available at:  and the publication, including all the subsections, is available at:  

• NIST Special Publication (SP) 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, released June 24, 2013 helps organizations centrally manage and secure mobile devices against a variety of threats, providing recommendations for selecting, implementing, and using centralized management technologies, and explaining the security concerns inherent in mobile device use. The scope of SP 800-124 Revision 1 includes securing both organization-provided and personally-owned (bring your own device) mobile devices.  The guidelines are available at

• NIST offers a guide to encryption of laptops and portable devices in SP 800-111 Guide to Storage Encryption Technologies for End User Devices, available at:

• Also see Draft NISTIR 8144: Assessing Threats to Mobile Devices & Infrastructure — The Mobile Threat Catalogue, September 2016 Draft, which describes, identifies, and structures the threats posed to mobile information systems, at:

• NIST provides some excellent guidance for telework and remote access to an organization's nonpublic computing resources and is recommended for security implementers, policy developers, trainers, and end users.  See SP 800-114 Rev 1 (July 2016) User's Guide to Telework and Bring Your Own Device Security:  

• NIST also provides an excellent companion guide: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security. See SP 800-46 Rev 2 (July 2016):  

• When it comes to mobile device Apps, how do you know what you’re using is secure?  Look into NIST SP 800-163 (January 2015) Vetting the Security of Mobile Applications, available at:  

Guidance from NIST on Wireless Infusion Pumps

On August 21, 2018, the NIST National Cybersecurity Center of Excellence (NCCoE) published Special Publication (SP) 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.  The title says it all.  If you use wireless infusion pumps or are thinking about using them, best to consult this.  See  

The December 2018 ITL Security Bulletin on the Topic of the Month, Securing Wireless Infusion Pumps, summarizes the information found in NIST SP 1800-8, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations which discusses the cybersecurity risks associated with medical devices, such as infusion pumps, which can connect to a variety of healthcare systems, networks, and other tools within a healthcare delivery organization.

See: and the PDF version at

For a complete list of ITL Bulletins:

NIST SP 1800-24 on Cybersecurity and PACS

On December 20, 2020, NIST published Special Publication 1800-24, on Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector.  The practice guide helps health delivery organizations (HDOs) implement current cybersecurity standards and best practices to reduce their cybersecurity risk and protect patient privacy while maintaining the performance and usability of PACS.  

This NIST Cybersecurity Practice Guide demonstrates how organizations can securely configure and deploy PACS. This guide presents an example solution that helps HDOs improve medical imaging ecosystem privacy and cybersecurity.  If your organization uses a PACS, best to read!  See:  

Cloud Computing Guidance

• If you're considering moving information to "the cloud", you'd best consider the security implications.  December 9, 2011 saw the release of NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing, available at:  

• On May 29, 2012, NIST released the final version of NIST Special Publication 800-146, Cloud Computing Synopsis and Recommendations, which is NIST’s general guide to cloud computing. It explains cloud systems in plain language, provides recommendations for information technology decision makers, and presents information on how clouds are deployed, what kind of services are available, economic considerations, technical characteristics such as performance and reliability, typical terms of service, and security issues. It also offers recommendations on how and when cloud computing is an appropriate tool, and surveys open issues for cloud computing. The guide is available at:  

• On June 29, 2012, NIST published its June 2012 NIST ITL Security Bulletin, on the topic of Cloud Computing: A Review Of Features, Benefits, And Risks, And Recommendations For Secure, Efficient Implementations.  The bulletin is at:  

• NIST provides a list of cryptographic modules meeting the FIPS 140-2 standard, used in products meeting the HIPAA Breach notification exemption, at 

Incident Handling Guidance

• NIST SP 800-184, released December 2016, is an excellent overall Guide for Cybersecurity Event Recovery that now incorporates incident handling and contingency planning. The press release (at ) provides a good overview, and the Guide is available at: . In addition, NIST’s February 2017 ITL Bulletin focuses on the guide, with additional information and insights, available at:  

• NIST released in August 2012 an update to their Computer Security Incident Handling Guide in SP 800-61 Revision 2, a practical guide to responding to incidents and establishing a computer security incident policy and process as required under HIPAA, PCI, and many other information security regulations and standards. See: . In addition, the September 2012 NIST ITL Bulletin focuses on the revised SP 800-61, providing additional insights and guidance, available at:  

• NIST’s September 2013 ITL Security Bulletin presents Guidance on Preventing and Handling Malware Incidents, available on the CSRC website at:  

Guidance on De-Identification of Information

• NIST IR 8053, released December 17, 2015, is a report on De-Identification of Personal Information. The report summarizes two decades of de-identification research, discusses current practices, and presents opportunities for future research, including discussion of HIPAA methods for de-identification and the effectiveness of the HIPAA Safe Harbor method. The report is available at: . If you are dealing with any issues of de-identifying PHI, READ THIS REPORT!

Also, see HHS’s guidance from 2012 on De-identification of PHI, available at:  


Copyright © 2002-2023 Lewis Creek Systems, LLC, Charlotte, Vermont, USA