Information Security 

Topic Brief

This topic brief defines information security and cybersecurity and explains why both matter, so that healthcare organizations can understand the impact they have on the delivery of care.


Information Security

Information Security: (NIST) The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.


The NIST Computer Security Resource Center (CSRC): This center facilitates broad sharing of information security tools and practices, provides a resource for information security standards and guidelines, and identifies key security web resources to support users in industry, government, and academia.


Cybersecurity: (NIST) The ability to protect or defend the use of cyberspace from cyber attacks. Cybersecurity is therefore a subset of information security, scoped to cyberspace (i.e., the realm of electronic information); information security also covers information in non-electronic forms such as paper records and film.


In healthcare, information that is relevant or necessary to the delivery of care exists virtually everywhere: in electronic health records, medical devices, imaging systems, paper charts, e-mail, and the conversations of clinical staff. As a result, this information must be protected and defended against compromises such as cyber attacks, data leakage, breaches, and the like. In particular, the confidentiality, integrity, and availability of information must be protected. The HIPAA Security Rule requires covered entities and business associates to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI) with the following three categories of safeguards:


  • Physical
  • Administrative
  • Technical

NIST Cybersecurity Framework: This framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. 


Confidentiality refers to ensuring that information is not disclosed to unauthorized persons, processes, or systems (i.e., that it is kept private). Consistent with the HIPAA Privacy Rule, protected health information may be used or disclosed only as permitted or required under specified circumstances. Other confidentiality laws and regulations may also apply, depending upon the jurisdiction and other factors. From a broad perspective, examples of measures taken to keep information confidential include the following:

  • Physical safeguard: A physical lock on a file drawer which contains protected health information (whether in hardcopy, film, electronic media, or another format).
  • Technical safeguard: Encryption of information held in electronic form, so that it cannot be read without the decryption key if a device, storage medium, or network transmission is intercepted or lost.
  • Administrative safeguard: Having a policy and training staff on disclosing the “minimum necessary” amount of information concerning a patient.

Integrity refers to ensuring that information has not been altered or destroyed in an unauthorized manner, whether the change is intentional (e.g., tampering) or unintentional (e.g., a software fault or transmission error). Consistent with the HIPAA Security Rule, covered entities and business associates must protect electronic protected health information against improper alteration or destruction. From a broad perspective, examples of ensuring the integrity of information include the following: