Second Draft of NIST Cybersecurity Framework Published: HIPAA & HITECH Act Blog by Jonathan P. Tomes


The National Institute for Standards and Technology (“NIST”) has published its second draft of its revised Cybersecurity Framework (“the Framework”). Version 1.0 of the NIST Cybersecurity Framework was first published in 2014 to help critical infrastructure users better assess their risk profiles and improve their ability to prevent, detect, and respond to cyberattacks. The Framework is based on globally accepted cybersecurity best practices and standards, and adoption of the Framework helps organizations take a more proactive approach to risk management. Since its publication in 2014, the Framework has been adopted by many private and public sector organizations to help them develop and implement effective risk management practices. The Department of Health and Human Services (“DHHS”), while not adopting the Framework per se, makes breaches of PHI encrypted or destroyed in a manner set forth in the NIST standards nonreportable to DHHS.

NIST incorporated comments to the first draft in the first revised draft of the Framework, published in January 2017. This draft includes several refinements based on feedback received on the first draft of the revised Framework.

The latest version of the Framework clarifies some of the language relating to cybersecurity measurement, includes further guidance on improving supply chain security, and has made changes to incorporate mitigating risk of Internet of Things (“IoT”). IoT is the network of physical objects—that is, devices, vehicles, buildings, and other items—embedded with electronics, software, sensors, and network connectivity that enable these objects to collect and exchange data.

NIST is accepting your comments on the second draft of the revised NIST Cybersecurity Framework until January 19, 2018. The final version of version 1.1 of the Cybersecurity Framework is expected to be released in spring 2018.


The NIST standards are not incorporated in HIPAA unless you are a federal entity. The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure in May 2017 made adoption of the Framework mandatory for all federal agencies. Even if you are not a federal entity, however, reference to them and adoption thereof would go a long way toward helping you meet the “reasonable and appropriate” standard for the security of electronic protected health information (“EPHI”). For the text of the Framework, go to

Heads-up reminder and notice of date change: We plan to conduct our two-day Hands-on HIPAA workshop in the Kansas City area, at the Baker University campus at Metcalf and College, on Thursday and Friday, March 15–16, 2018. Advance registration for the two-day Hands-on HIPAA workshop is $1,095 through Valentine’s Day, February 14, 2018, and regular registration thereafter goes up to $1,295. Registration includes a Gap Analysis Survey Questionnaire, which we will need for you to fill out and return to us so that we can help you identify where you are in your HIPAA compliance efforts, where you need to be, and exactly how to fill that gap and write a report tailored to your organization. Registration also includes copies of the following books: Your Happy HIPAA Book, The Complete HIPAA Policies and Procedures Guide, with accompanying CD, HIPAA in the Digital Age (forthcoming), and HIPAA Hysteria, perhaps among others. During the two days, you will use your Gap Analysis and our report about it to develop your initial Risk Analysis or update your last year’s version with help from our faculty and our Risk Analysis ToolKit. Then, with more help from our faculty, you will use your completed Risk Analysis and our CD of sample policies and procedures to develop your policies and procedures, required, addressable, and others, tailored to your organization. To help you maintain your stamina during this workshop designed to help you get your organization HIPAA compliant, your registration will also include refreshments during the sessions, two lunches, and a happy hour on Thursday evening, tentatively planned for at a nearby Hilton. We hope to have registration available on our website soon. More exact info to follow, so stay tuned and block out your calendars!


seo by: k.c. seo