NIST's Role in Securing Health Information - IEEE-USA

NIST’s Role in Securing Health Information
AMA-IEEE Medical Technology Conference on Individualized Healthcare
Kevin Stine, Information Security Specialist
Computer Security Division, Information Technology Laboratory
National Institute of Standards and Technology
March 22, 2010
NIST’s Mission
To promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
Computer Security Division’s Mission
A division within the Information Technology Laboratory, CSD provides standards and technology to protect information systems against threats to the confidentiality, integrity, and availability of information and services, in order to build trust and confidence in Information Technology (IT) systems.
Agenda
- Meaningful Use, Standards, and Certification (Oh My)
- NIST HIT Security Activities: Past, Present, and Near Future
- Wireless and Mobile Technology Resources
Meaningful Use, Standards, and Certification (Oh My)
Meaningful Use (NPRM)
- Adopt and meaningfully use certified electronic health record (EHR) technology.
- Stage 1 (beginning in 2011): ensure adequate privacy and security protections for personal health information.
Standards and Certification (IFR)
- Represents the first step in an incremental approach to adopting standards, implementation specifications, and certification criteria to enhance the interoperability, functionality, utility, and security of health information technology and to support its meaningful use.
- Standards for HIT to protect electronic health information (IFR, §170.210): encryption and decryption of EHI; recording of actions related to EHI; verification that electronic health information has not been altered in transit; cross-enterprise authentication.
- Certification criteria (IFR, §170.302): access control, audit log, integrity, authentication, encryption.
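Two of the §170.210 capabilities listed above, verifying that EHI was not altered in transit and recording actions taken on EHI, can be shown together in a few lines. The following is an added illustration, not code from NIST, ONC, or the IFR: it assumes HMAC-SHA-256 with a key shared between sender and receiver as the integrity mechanism (the slide names only the capability, not the algorithm), and the patient record, user names, and key are constructed sample values.

```python
"""Added illustration of two §170.210 capabilities: verifying that an EHI
record was not altered in transit, and recording actions related to EHI.
Constructed sample data; not NIST/ONC code."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample key shared by sender and receiver. In a real deployment
# it is provisioned out of band and never embedded in source.
SHARED_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so both ends hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def integrity_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA-256 over the canonical record (assumed mechanism). Keying the
    hash means an intermediary who alters the record cannot recompute a
    matching tag without the key."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_unaltered(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many tag bytes matched."""
    return hmac.compare_digest(integrity_tag(record, key), tag)


class AuditLog:
    """Minimal 'record actions related to EHI' log: who did what to which
    record, when, and with what outcome."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, user: str, action: str, patient_id: str, outcome: str) -> dict:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "action": action,
            "patient_id": patient_id,
            "outcome": outcome,
        }
        self.entries.append(entry)
        return entry


def receive(record: dict, tag: str, key: bytes, user: str, log: AuditLog) -> bool:
    """Receiver side: check integrity, log the outcome, accept only intact data."""
    ok = verify_unaltered(record, tag, key)
    log.record(user, "receive", record.get("patient_id", "?"),
               "verified" if ok else "REJECTED_altered_in_transit")
    return ok


# Constructed sample record.
SAMPLE = {"patient_id": "P-0001", "allergies": ["penicillin"], "dose_mg": 250}


def demo() -> tuple[bool, bool, int]:
    """Returns (intact record accepted, tampered record rejected, audit entries)."""
    log = AuditLog()
    tag = integrity_tag(SAMPLE, SHARED_KEY)          # computed by the sender
    accepted = receive(SAMPLE, tag, SHARED_KEY, "dr.smith", log)
    tampered = dict(SAMPLE, dose_mg=2500)            # simulated alteration in transit
    rejected = receive(tampered, tag, SHARED_KEY, "dr.smith", log)
    return accepted, rejected, len(log.entries)


if __name__ == "__main__":
    print(demo())
```

Both outcomes land in the audit log, so a reviewer can later see that a record failed its integrity check, which is the point of pairing the two criteria.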
Risk Management
[Figure: NIST Risk Management Framework (SP 800-37), organizational view. Starting point: organizational inputs (laws, directives, policy guidance; strategic goals and objectives; priorities and resource availability; supply chain considerations) and architecture description (FEA reference models; segment and solution architectures; mission and business processes; information system boundaries), under a risk executive function. The security life cycle is repeated as necessary.]
- Step 1: CATEGORIZE information systems (FIPS 199 / SP 800-60)
- Step 2: SELECT security controls (FIPS 200 / SP 800-53); output: Security Plan
- Step 3: IMPLEMENT security controls (SP 800-70)
- Step 4: ASSESS security controls (SP 800-53A); output: Security Assessment Report
- Step 5: AUTHORIZE information systems (SP 800-37); output: Plan of Actions & Milestones
- Step 6: MONITOR security state (SP 800-37 / 800-53A)
Health IT Security - What We’ve Done…
Standards Harmonization
- Support ONC and HITSP in harmonizing and integrating standards to enable exchange of health information
Outreach & Awareness
- Present on application of security standards and guidelines to HIPAA and HIT security implementations
Publications & Resources
- HIPAA Security Rule Guide
- HIE Security Architecture
Health IT Security - What We Plan To Do…
Security Automation
- HIPAA Security Rule toolkit
- Security configuration checklists
HIT Test Infrastructure
- Provide capability for current and future EHR testing needs against standards
- Conformance and interoperability testing capabilities
Wireless and Mobile Technology Security Resources
Wireless
- SP 800-127 (Draft), Guide to Security for WiMAX Technologies
- SP 800-121, Guide to Bluetooth Security
- SP 800-120, Recommendations for EAP Methods Used in Wireless Network Access Authentication
- SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i
- SP 800-48 Revision 1, Guide to Securing Legacy IEEE 802.11 Wireless Networks
Mobile Technologies
- SP 800-124, Guidelines on Cell Phone and PDA Security
- SP 800-114, User’s Guide to Securing External Devices for Telework and Remote Access
- SP 800-101, Guidelines on Cell Phone Forensics
- SP 800-46 Rev 1, Guide to Enterprise Telework and Remote Access Security
Thank You
Kevin Stine
kevin.stine@nist.gov
Computer Security Division, Information Technology Laboratory
National Institute of Standards and Technology
Computer Security Resource Center: http://csrc.nist.gov
NIST Health IT Standards and Testing: http://healthcare.nist.gov