Healthcare Information Security


How FTC Data Security Aligns with NIST Cybersecurity Framework

Organizations can strengthen their cybersecurity posture by applying the NIST CSF risk management approach together with the FTC's data security guidance.

By Elizabeth Snell

The NIST Cybersecurity Framework (CSF or the Framework) aligns with the way the FTC evaluates data security, according to a recent FTC blog post.

FTC data security measures overlap with NIST CSF

Specifically, “the alleged lapses the FTC has challenged through its law enforcement actions correspond well with the Framework’s five Core functions,” the agency said.

An organization’s approach to data security must be reasonable, and what counts as reasonable will likely vary with the size of the entity, the amount and type of data it holds, and the cost of implementing the necessary security tools, the FTC explained.

“There’s really no such thing as ‘complying with the Framework,’” the agency pointed out. “Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent.”

For example, the areas the Framework asks organizations to evaluate are the same ones the FTC has examined for years when determining whether an entity’s data security practices and processes are reasonable.

“By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement,” the blog post stated.

The FTC also highlighted three ways in which organizations can use the Framework as a model for conducting risk assessments and mitigating the risks they find:

  • Establish or improve a data security program
  • Review current data security practices
  • Communicate data security requirements with stakeholders.

The FTC’s Start with Security guidance can also help organizations improve their cybersecurity measures. The guidance summarizes several FTC enforcement cases, drawing real-world lessons from the data security lapses alleged in each.

The guidance is organized into 10 lessons that describe how specific vulnerabilities can affect daily operations and how the associated risks can be reduced.

Basic security hygiene, such as not collecting unnecessary information and holding onto data only as long as there is a legitimate business need, is part of the FTC guidance. Access to data should also be controlled sensibly, with secure passwords and authentication measures in place.

The FTC also recommends that organizations use industry-tested and accepted methods to keep sensitive data secure throughout its lifecycle, both in storage and in transit.

The other parts of the security guidance include the following:

  • Segment your network and monitor who’s trying to get in and out
  • Secure remote access to your network
  • Apply sound security practices when developing new products
  • Make sure your service providers implement reasonable security measures
  • Put procedures in place to keep your security current and address vulnerabilities that may arise
  • Secure paper, physical media, and devices

Overall, the FTC suggests that organizations make sure they understand “fundamental security practices like those highlighted in the Framework,” as well as the key takeaways from the FTC’s own investigations.

“Applying the risk management approach presented in the Framework with a reasonable level of rigor—as companies should do—and applying the FTC’s Start with Security guidance will raise the cybersecurity bar of the nation as a whole and lead to more robust protection of consumers’ data.”

While healthcare organizations can potentially benefit from adhering to both FTC data security guidelines and the NIST CSF, it is essential they also understand how HIPAA compliance comes into play with various entities.

Earlier this summer, the Office of the National Coordinator (ONC) released a report warning that there are potential PHI security gaps between HIPAA covered entities and non-HIPAA covered entities.

The report, Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA, was developed in coordination with the Office for Civil Rights (OCR) and the FTC.

“This report is the first step in a conversation about these important issues. In the coming weeks, we look forward to engaging with stakeholders—from consumers to technologists to clinicians to our partners in Congress—on the report’s findings and their ideas for how the gaps identified in the report should be addressed,” National Coordinator Dr. Karen DeSalvo and OCR Director Jocelyn Samuels wrote in a blog post.
