cybersecurity becomes more established, privacy is often simplified to an outcome of an effective cybersecurity program.
In order to promote interoperability and access while protecting the privacy of individuals, the differences between privacy
and cybersecurity must be clearly defined.
While the term “privacy” is frequently used, there is no
universally accepted definition of the word. Privacy’s scope,
meaning, and value can be complex and confusing. To help
understand privacy, consider that it is primarily used to answer the following questions:
Who has access to personal information and under what
Which data can be collected?
How is personal information collected, stored, and used?
What are the justifications, if any, for data collected for one purpose and then reused for a second purpose?
Has an individual authorized particular use of his or her
The term “security” is more tangible and therefore more easily understood. It can be defined as the procedural and technical measures required to:
Prevent unauthorized access, modification, use, or dissemination of data stored or processed in a computer
Prevent any deliberate denial of service
Protect the system in its entirety from physical harm
Privacy and Security Risk
When someone hacks into a computer system, there is a
breach of security and, potentially, a breach of privacy. No
security measure, however, can prevent invasion of privacy by
those who have authority to access the record. Comprehensive
data security requires mitigation of both security risks and
privacy risks, as illustrated in Figure 2 (above).
The new NIST Privacy Framework offers a fresh approach to
privacy management. By applying an outcome-based methodology
to recognized privacy value statements, the NIST
framework approaches privacy as a manageable risk. This
approach, based on the widely accepted NIST Cybersecurity
Framework (CSF),⁷ enables privacy compliance practitioners
to state goals and achieve a measurable outcome for
individuals’ privacy. Approaching privacy as a risk, NIST
applied their proven standards for identifying and managing
security risks to develop guidelines for risk-based pri-
Aligning privacy risk and security risk to increase protection
of health information systems will bolster trust in such systems and promote their adoption. While the NIST framework
is designed to function as a standalone tool or in conjunction
with any cybersecurity program, it is also specifically designed to work with the CSF. Both NIST frameworks are based
on risk models that define the risk factors to be assessed, and
the relationships among those factors.
Security Risk Model
The NIST Security Risk Model, based on the widely known CIA
Security Triad, is focused on unauthorized activity creating a security risk, impacting confidentiality, integrity, or availability of
information or systems.
The key aspects of the CIA Security Triad are confidentiality,
integrity, and availability:
Confidentiality: preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Integrity: guarding against improper information modification or destruction; includes ensuring information nonrepudiation and authenticity
Availability: ensuring timely and reliable access to and use
Figure 1: Privacy Principles
FIPPs
2. Individual participation
3. Purpose specification
4. Data minimization
5. Use limitation
6. Data quality and integrity
ONC Privacy and Security
1. Individual access
3. Openness and transparency
4. Individual choice
5. Collection, use, and disclosure limitation
6. Data quality and integrity
Figure 2: Cybersecurity and Privacy