Healthcare GRC
Adding Privacy to the Cybersecurity Triad: A Call to Action
It is time to evolve the cybersecurity triad of Confidentiality, Integrity, and Availability into a quartet.
Privacy must be a pillar, not an afterthought. To build a truly resilient cybersecurity program, we must recognize it as a fundamental and independent element. The triangle is no longer enough. It is time for the quartet.
Organizations must embrace a shift in perspective and frameworks to achieve this evolution.
Incorporating Privacy into the cybersecurity framework elevates its significance, ensuring other priorities do not overshadow it. By doing so, we align cybersecurity measures with modern expectations of data protection, building systems that are not only secure but also transparent and accountable.
Cybersecurity experts are (or should be) very familiar with the cybersecurity CIA triad of:
Confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
Integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and
Availability, which means ensuring timely and reliable access to and use of information.
Source: Federal Information Security Modernization Act of 2014 (FISMA)
Privacy is no longer a mere extension of confidentiality; it commands its own space, requiring tailored controls that address the complexities of data collection, consent, and usage.

The CIAP Quartet
Frameworks are evolving to include and prioritize privacy rather than treat it as an afterthought.
- The upgrade of the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 from Revision 4 to Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” was a precursor to cybersecurity and privacy merging. NIST 800-53 Rev 5 brought privacy from the relative obscurity of an appendix (in Rev 4) into the framework's core.
- The NIST Cybersecurity Framework (CSF) did the same in version 2.0, and the Centers for Medicare & Medicaid Services (CMS) has done it with Acceptable Risk Controls for Affordable Care Act, Medicaid, and Partner Entities (ARC-AMPE).
Legislation across the United States and around the world is focused on privacy, driven by public demand for stronger privacy protections.
- The California Consumer Privacy Act (CCPA) has led the way for US adoption of privacy legislation.
- Privacy bills from various states, such as the Massachusetts Data Privacy Act (MDPA), are being considered through the legislative process.
- Various global laws are in place, such as Europe’s General Data Protection Regulation (GDPR) and Brazil’s General Data Protection Law (LGPD).
The use and disclosure of Personally Identifiable Information (PII) and Protected Health Information (PHI) are being redefined, and this may even affect current de-identification concepts such as the safe harbor method and expert determination used in non-production or research environments.
The traditional CIA triad needs to expand to the CIAP quartet, and the difference between confidentiality and privacy needs to be understood.
Confidentiality
Confidentiality refers to protecting information from unauthorized access, use, or disclosure. It ensures that only those who are authorized to access data can do so.
Confidentiality, used primarily for information security, is one of the core pillars of the CIA Triad (Confidentiality, Integrity, Availability).
The goal is to prevent unauthorized individuals or systems from viewing sensitive data.
Examples:
- Encrypting emails to prevent interception.
- Using access controls so that only authorized staff (including contractors and other third parties in the supply chain) have access to PII.
- Implementing VPNs to protect data in transit.
Privacy
Privacy concerns individuals’ rights to control how their personal information is collected, used, and shared. It is about respecting user autonomy and expectations.
Privacy is instituted in legal, ethical, and regulatory frameworks; laws like the Health Insurance Portability and Accountability Act (HIPAA), GDPR, CCPA, etc. drive privacy requirements.
The goal is to protect individuals’ personal data and uphold their rights.
Examples:
- A company asks for user consent before collecting PII.
- An app or website explains how it uses and shares user data.
- Allowing individuals the right to delete their data from a service.
- Allowing individuals the right to correct their data.
Key Differences between Confidentiality and Privacy
| Difference | Confidentiality | Privacy |
|---|---|---|
| Focus | Securing data from unauthorized access | Protecting personal data and individual rights |
| Usage | Any category of sensitive data | Personally Identifiable Information (PII), including but not limited to Protected Health Information (PHI) |
| Stakeholders | IT/security teams, and data/system owners | Legal, compliance, and data protection officers |
| Mechanisms | Encryption, access control, firewalls | Consent management, data minimization, limiting disclosures, corrections, privacy by design, privacy impact analysis, etc. |
Relationship
Confidentiality is a tool that helps achieve privacy, but not all confidential information relates to privacy. You can maintain confidentiality without respecting privacy, e.g., by processing personal data for purposes beyond those the user consented to.
HIPAA
In the U.S., the HIPAA Security Rule requires safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Confidentiality is defined as the obligation of healthcare providers and institutions to protect patient information from unauthorized access, whether it is spoken, written, or electronic.
Example Use Cases:
- A nurse accessing only the medical records of patients under their care.
- Encrypting electronic health records (EHR) to prevent breaches.
- Not discussing a patient’s diagnosis in a public hallway.
Privacy is defined as a patient’s right to control how their personal and health information is collected, used, and shared, including who has access to it and under what circumstances. It also allows the individual to make corrections to their health records.
Example Use Cases:
- Receiving a copy of the healthcare provider’s Notice of Privacy Practices.
- A patient chooses not to share their mental health history with a specialist.
- Giving consent (or denying it) before a provider shares records with a third party, e.g., a researcher, or insurance company.
- Opting out of having genetic information included in a family medical record.
- Protecting the PHI of individuals involved in reproductive healthcare (a Coalfire Whitepaper).
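The distinction drawn in the Relationship section (confidentiality can hold while privacy is violated) and the HIPAA use cases above (a nurse limited to patients in their care, a patient withholding mental health history from a specialist) can be made concrete as a single access-decision point that evaluates the two pillars separately. The Python below is an added example written for this page, not code from any framework or regulation cited above; the role policy, the shape of the consent record, the purposes and the patient and user identifiers are all constructed assumptions.

```python
"""Added example: one decision point, two independent checks.

Confidentiality asks "may this principal reach this data at all?"
Privacy asks "does the stated purpose fall within what the data subject
consented to, and has the subject restricted this category?"
The answers are computed independently so a request can pass one and
fail the other. All identifiers, roles and records are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str                               # e.g. "nurse", "researcher", "billing"
    care_team_for: frozenset = frozenset()  # patient ids in this principal's care


@dataclass
class Consent:
    # purpose -> categories the patient agreed to for that purpose
    purposes: dict
    # categories the patient asked to withhold from third-party disclosure
    restricted: set = field(default_factory=set)


@dataclass(frozen=True)
class Outcome:
    confidentiality_ok: bool
    privacy_ok: bool
    reason: str

    @property
    def permitted(self) -> bool:
        return self.confidentiality_ok and self.privacy_ok


# Confidentiality policy (owned by the security team): which roles may touch
# which record categories, and whether a care relationship is required.
ROLE_ACCESS = {
    "nurse":      {"categories": {"demographics", "labs", "mental_health"}, "needs_care_relationship": True},
    "researcher": {"categories": {"labs"}, "needs_care_relationship": False},
    "billing":    {"categories": {"demographics"}, "needs_care_relationship": False},
}

# Privacy policy (owned by compliance/DPO): purposes that do not need a
# separate consent in this constructed model; everything else does.
CONSENT_FREE_PURPOSES = {"treatment"}


def check_confidentiality(principal, patient_id, category):
    """Authorization only: role permits the category and, if required, a care relationship exists."""
    rule = ROLE_ACCESS.get(principal.role)
    if rule is None:
        return False, f"role {principal.role!r} has no access policy"
    if category not in rule["categories"]:
        return False, f"role {principal.role!r} may not access {category!r}"
    if rule["needs_care_relationship"] and patient_id not in principal.care_team_for:
        return False, f"{principal.user_id} has no care relationship with {patient_id}"
    return True, "authorized"


def check_privacy(consent, category, purpose, third_party):
    """Purpose limitation and patient restrictions, independent of who is asking."""
    if third_party and category in consent.restricted:
        return False, f"patient restricted {category!r} from third-party disclosure"
    if purpose in CONSENT_FREE_PURPOSES:
        return True, f"{purpose!r} needs no separate consent"
    if category not in consent.purposes.get(purpose, set()):
        return False, f"no consent for {category!r} under purpose {purpose!r}"
    return True, "consented"


def decide(principal, patient_id, category, purpose, consent, third_party=False):
    c_ok, c_reason = check_confidentiality(principal, patient_id, category)
    p_ok, p_reason = check_privacy(consent, category, purpose, third_party)
    return Outcome(c_ok, p_ok, f"confidentiality: {c_reason}; privacy: {p_reason}")


def minimum_necessary(principal, patient_id, purpose, consent, categories, third_party=False):
    """Filter a record set down to the categories that pass both checks."""
    return sorted(cat for cat in categories
                  if decide(principal, patient_id, cat, purpose, consent, third_party).permitted)


# Constructed scenario: one patient, two nurses, one researcher.
PATIENT = "pt-1001"
NURSE = Principal("nurse-7", "nurse", frozenset({PATIENT}))
OTHER_NURSE = Principal("nurse-9", "nurse", frozenset())
RESEARCHER = Principal("res-3", "researcher")
PATIENT_CONSENT = Consent(
    purposes={"research": {"labs"}},  # labs may be used for research, nothing else
    restricted={"mental_health"},     # keep mental-health notes from outside parties
)

if __name__ == "__main__":
    cases = [
        ("assigned nurse, treatment", decide(NURSE, PATIENT, "mental_health", "treatment", PATIENT_CONSENT)),
        ("assigned nurse, referral to outside specialist", decide(NURSE, PATIENT, "mental_health", "treatment", PATIENT_CONSENT, third_party=True)),
        ("unassigned nurse, treatment", decide(OTHER_NURSE, PATIENT, "labs", "treatment", PATIENT_CONSENT)),
        ("researcher, consented research use", decide(RESEARCHER, PATIENT, "labs", "research", PATIENT_CONSENT)),
        ("assigned nurse, labs for marketing", decide(NURSE, PATIENT, "labs", "marketing", PATIENT_CONSENT)),
    ]
    for label, outcome in cases:
        print(f"{label:48} permitted={outcome.permitted!s:5} {outcome.reason}")
```

The last case is the gap the Relationship section describes: the nurse is fully authorized, so confidentiality holds, yet the purpose was never consented to, so privacy fails. The referral case is the specialist scenario: treatment needs no fresh consent, but the patient's restriction on mental health notes still blocks the third-party disclosure. Keeping the two checks in separate functions with separate owners (security team for `ROLE_ACCESS`, compliance for `CONSENT_FREE_PURPOSES` and the consent record) is what lets each pillar be audited on its own.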