What You NIST to Know About Upcoming Regulation of Data Security by the ONC, FDA and FCC

Amid heightened interest in, and enforcement of, data security practices by multiple federal agencies, three regulators are collaborating to determine standards that will apply across all industries.

The Office of the National Coordinator for Health Information Technology (ONC) is joining efforts with the Food and Drug Administration (FDA) and the Federal Communications Commission (FCC) to develop a common approach to regulating data security. While details are still in flux, we know the three groups are leaning heavily on guidance from the National Institute of Standards and Technology (NIST) framework.

What does this mean for those who are tasked with safeguarding protected health information? Familiar priorities, such as conducting a thorough Risk Analysis, just became even more critical to defending your organization’s financial and reputational assets.

NIST guidance for information security includes detailed instructions on how organizations are expected to approach risk management. The guidelines call for organizations to effectively:

1. Frame risk – document and describe the environment in which risk-based decisions are made

2. Assess risk – identify threats, vulnerabilities, potential adverse impacts and the likelihood harm will occur

3. Respond to risk – establish protocols for consistently addressing risk in accordance with the organization’s risk framework

4. Monitor risk – commit to consistently monitoring risks, changes in the environment and the effectiveness of risk management strategies

Again, much of what the new crop of federal enforcers will be expecting should come as no surprise to those who have been actively responding to HIPAA-HITECH. Yet, statistics show many organizations still have work to do in this area.

So, where do we go from here? At Clearwater, we have spent a great deal of time guiding our customers in the execution of bona fide risk analyses and systematic risk management plans. We suggest the following steps as good starting points to enhance your HIPAA standing and to equip you to successfully meet expectations from the ONC, FDA, FCC collaborative efforts.

Step One: Closely review existing NIST standards to ensure you have a firm understanding of what constitutes a thorough approach to managing risk.

Step Two: Create a task force within your organization to prioritize this body of work and provide the resources needed to do it right (in terms of time, money and expertise).

Step Three: Evaluate tools that can assist you, particularly those built to specifically respond to NIST guidelines. View Clearwater’s Risk Analysis software solution as an example.

Step Four: Get help if you need it. Some organizations have the internal expertise and bandwidth to build an effective risk management platform, likely leveraging external tools and software. Others need to supplement their team with outside expertise. As you choose a partner, make sure that they are specifically focused on HIPAA-HITECH compliance, that they will staff your account with verified experts in the field and that they have a proven track record of helping organizations become and remain compliant. Click here for a buyer’s guide that can help you evaluate potential partners.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.