Regulations, Standards, and Laws
• NIST has released a very useful HIPAA Security Rule Toolkit, which is a Java-based application that uses a tree of questions based on the regulations and NIST SP 800-series guidance to help organizations understand their HIPAA Security compliance position. The user guide, install guide, and applications are all freely available at http://scap.nist.gov/hipaa/
• The National Institute of Standards and Technology (NIST) has a wide variety of very useful information security guidance available in their Special Publications 800-series documents. Several SP 800 documents are listed below; see the list of available documents at http://csrc.nist.gov/publications/PubsSPs.html
• NIST releases ITL Security Bulletins approximately every two months, covering a variety of relevant information security topics, some more technical than others, but always worth perusing when looking for guidance. These bulletins work in concert with the SP 800 series documents to provide more background, context, and specific recommendations. The ITL Security Bulletins are available at: http://csrc.nist.gov/publications/PubsITLSB.html
• NIST provides a useful, simple Risk Assessment Procedure in SP 800-30, Risk Management Guide for Information Technology Systems: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
NIST also has published an initial public draft of revision 1 to SP 800-30 that I don't like as much -- too wordy, too complicated, too much for most healthcare providers, it's a real disappointment and I hope subsequent drafts are better. It's available at: http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf
• NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), released April 6, 2010, provides practical, context-based guidelines for identifying PII and the appropriate level of protection for it, including safeguards and incident response plans. The guide is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-122 and the April 2010 NIST ITL Security Bulletin discussing the SP 800-122 guide is available at: http://csrc.nist.gov/publications/nistbul/april-2010_guide-protecting-pii.pdf
• NIST SP 800-53 Revision 3, updated May 1, 2010, is a comprehensive update of the Recommended Security Controls guide, providing a full catalog of safeguards and countermeasures for information systems. The updated SP 800-53 Rev. 3 is available at: http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf and the companion guide for assessing those security controls, SP 800-53A Revision 1 (draft), is available at: http://csrc.nist.gov/publications/PubsDrafts.html#800-53A-rev1
• NIST provides excellent guidance on telework and remote access to an organization's nonpublic computing resources; it is recommended for security implementers, policy developers, trainers, and end users. See SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access: http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf
• NIST offers a guide to encryption of laptops and portable devices in SP 800-111 Guide to Storage Encryption Technologies for End User Devices, available at: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf
• NIST provides a good overall reference and lists key compliance activities for HIPAA Security Rule compliance in SP 800-66 Revision 1 (October 2008), Introductory Resource Guide for Implementing the HIPAA Security Rule, at: http://csrc.nist.gov/publications/PubsSPs.html#800-66-Rev1
• If you're considering moving information to "the cloud", you'd best consider the security implications. December 9, 2011 saw the release of NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing, available at: http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
• NIST provides a list of cryptographic modules meeting the FIPS 140-2 standard, used in products meeting the HIPAA Breach notification exemption, at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2009.htm
• NIST released on March 7, 2008 an update to their Computer Security Incident Handling Guide in SP 800-61 Revision 1, a practical guide to responding to incidents and establishing a computer security incident policy and process as required under HIPAA, PCI, and many other information security regulations and standards. See: http://csrc.nist.gov/publications/PubsSPs.html#800-61_Rev1
• NIST released on October 1, 2008, SP 800-115, Technical Guide to Information Security Testing and Assessment, designed to assist organizations in planning and conducting technical information security testing and assessments, analyzing findings, and developing mitigation strategies, including recommendations for designing, implementing, and maintaining technical information security assessment processes and procedures. SP 800-115 is available at: http://csrc.nist.gov/publications/PubsSPs.html#SP800-115
• NIST released on October 31, 2008, SP 800-124, Guidelines on Cell Phone and PDA Security, providing an overview of cell phone and personal digital assistant (PDA) devices in use today and offering insights into making informed information technology security decisions on their treatment. SP 800-124 gives details about the threats and technology risks associated with the use of these devices and the available safeguards to mitigate them. The Executive Summary of this report is highly recommended reading for all cell phone and PDA users. SP 800-124 is available at: http://csrc.nist.gov/publications/PubsSPs.html#800-124
• NIST provides a video for the small business community titled "Information Technology Security for Small Business. It's not just good business. It's essential business", giving small business owners a glimpse into the resources from NIST, SBA, and the FBI that protect them from cyber crime. The video describes hacking, denial-of-service, laptop theft, insider abuse, computer viruses, and computers made into bots, and encourages small business owners to define their security needs, establish security practices, and stay current. To see the video and other resources, go to: http://csrc.nist.gov/groups/SMA/sbc/library.html#04
Also see the draft of NISTIR 7621, Small Business Information Security: The Fundamentals, intended to help small businesses and organizations implement the fundamental concepts of an effective information security program. The draft is available at: http://csrc.nist.gov/publications/PubsDrafts.html#ir7621