News Feature | May 11, 2016

Do New NIST Standards Mean A New Day For Healthcare Encryption?

By Megan Williams, contributing writer


A new set of cryptographic standards released by the NIST could impact practices around healthcare data encryption.

Encryption has always been a multilayered question in healthcare, as it continues to be one for your clients. With all of HIPAA’s intent to protect and improve the exchange of healthcare information, it fell short on encryption, a gap the HITECH Act was intended to fill.

While HITECH did not impose any mandates around the encryption of healthcare data, much like the Meaningful Use program, it did provide incentives. Still, as of September last year, over 40 percent of healthcare employees weren’t using file-level or full-disk encryption, according to a Forrester research report.

The release of NIST Cryptographic Standards And Guidelines Development Process (NISTIR 7977) marks potential change in healthcare. According to Donna Dodson, NIST’s chief cybersecurity advisor and its Information Technology Laboratory’s associate director for cybersecurity, “Our goal is to develop strong and effective cryptographic standards and guidelines that are broadly accepted and trusted by our stakeholders. While our primary stakeholder is the federal government, our work has global reach across the public and private sectors. We want a process that results in standards and guidelines that can be used to secure information systems worldwide.”

The standards are based on a list of 10 principles, many of which align with the values of recent healthcare legislation.

  • openness
  • balance
  • integrity
  • technical merit
  • global acceptability
  • usability
  • continuous improvement
  • innovation and intellectual property

NIST also specifically gives a nod to the challenges the healthcare industry currently faces, writing “NIST brings its cryptographic expertise to bear on priority national issues when directed by Congress, the President, or OMB and it also assists individual agencies that have specific needs. Recent examples include secure electronic voting, protecting the electric power ‘smart grid,’ and health information technology initiatives that must ensure the protection of personal and proprietary business data.”

Interested vendors will want to pay special attention to page 14, where the details of NIST’s public notice practices are listed. All announcements will be posted on the NIST CSRC website, while requests for comments will be published in the Federal Register.