Cybersecurity News

NIST Shares Risk-Based Guide to Information Exchange Security

Newly proposed NIST guidance tackles the use of information exchange channels, providing insights on risk-based considerations to protect and manage shared information.

health information exchange NIST guidance risk management

By Jessica Davis

NIST released a proposed guide designed to support the use of information exchange channels, which provides insights on risk-based considerations to protect data throughout the sharing process and case studies around the effective management of exchanged information.

For healthcare, the guide could support health information exchanges (HIEs), as well as the increased data sharing between entities in support of the COVID-19 response. The NIST insights could be used in conjunction with recent guidance from the Office for Civil Rights, which outlines HIPAA-compliant disclosures of protected health information through HIEs.

Managing the Security of Information Exchanges details the needed security to protect the integrity, confidentiality, and availability of exchanged data to reduce the risk of compromise. NIST stressed the importance of similar levels of protections used at the entities sharing data.

Administrators can use the insights to find risk-based considerations for protecting exchanged information before, during, and after it’s exchanged.

The publication does not focus on “any particular type of technology-based connection or information access.” Rather, it details the benefits of securely managing information exchanges, identifies types of data exchanges, and outlines potential risks associated with the process.

“Despite the advantages, information exchange exposes the participating organizations to risk,” according to the guide. “If the information exchange is not properly planned and managed, a failure to protect the information from a loss of confidentiality, integrity, or availability could compromise the information and associated systems.”

“Similarly, if one of the systems is compromised, the exchanged information could be compromised, or an interconnection used to exchange information could be leveraged as a conduit to compromise the other system and information,” it added. “The risk is underscored because, in most cases, the participating organizations have little or no control over the operation and management of the other organization’s system.”

The guidance also includes a four-phase methodology to securely manage information exchange between systems and other entities. NIST explained that organizations are meant to tailor the guidance to meet the specific needs and requirements of their organization.

Specifically, administrators will find planning information and relevant preliminary activities, which includes all potential technical, security, and administrative issues. There are also steps for developing an appropriate agreement for governing both the management and use of the shared data and how it can be exchanged, such as through a database or VPN.

Once the planning process is complete, the guide outlines how to establish the information exchange with implemented and configured security controls, as well as how to maintain the data exchange and the relevant agreements.

The final phase details how to discontinue the information exchange after it’s no longer needed, or if it was designed to be a temporary situation, such as those used amid the pandemic. The guidance explains that discontinuing the exchange must be done in a manner that avoids disruption to any other party’s system.

There are also insights into immediately discontinuing an information exchange in response to an incident or another emergency.

“Significant benefits can be realized through information exchange, such as reduced operating costs, greater functionality, improved efficiency, centralized access to data, and reduction of duplicative datasets,” according to the guide. “Information exchange between systems may also strengthen ties among participating organizations by promoting communication and cooperation.”

“This publication provides recommended steps for completing each phase with an emphasis on the security measures necessary to protect the shared data,” it added. “Also included is information for selecting and developing appropriate information exchange agreements and agreement templates.”

NIST is asking organizations to provide feedback on the guidance, including whether the proposed agreements are comprehensive enough to manage security of the data exchange process and if the provided matrix is helpful in determining appropriate agreement types.

Organizations can also provide comments on whether more agreement types are needed for the guidance, as well as whether any further resources are needed to better manage information exchange security.

The comment period is open through March 12, 2021.