Cybersecurity Framework’s application to
health care and public health
per E.O. 13636 and PPD-21
Part six of a series
July 2013
Author: David Sweigert, M.Sci., CISSP, CISA, PMP
(non-attorney who is not providing legal advice)
ABSTRACT
Presidential Policy Directive 21, issued jointly with Executive Order 13636,
empowers regulatory agencies to apply the new Cybersecurity Framework to
regulated industries. “Health care and public health” is named in Directive 21.
Background
One nefarious employee of a health records processor helped himself to confidential patient records, including credit card numbers and Social Security numbers. When the employer discovered these activities, the employee was fired. However, when the employer’s client learned of these violations of the Health Insurance Portability and Accountability Act (HIPAA), it immediately cancelled its processing agreement and contract with the processing center.

The processor sued the client for breach of contract. A federal judge, however, agreed that the Business Associate Agreement (BAA) between the two parties had been breached by the violation of the HIPAA Security and Privacy Rules. In sum, the BAA had been nullified by the actions of a single employee. Managed Care Solutions, Inc. v. Community Health Systems, Inc., No. 10-60170-CIV (S.D. Fla. June 20, 2013).
***
Presently, those institutions affected by HIPAA (the health care and public health industry) are preparing to meet a September 23, 2013 deadline to comply with the HIPAA Omnibus Final Rule, which requires strengthened BAAs to increase privacy and security among the suppliers and subcontractors that serve covered entities (CEs) [1] as “business associates” [2]. It may come as a surprise to these business associates that a new Cybersecurity Framework (CSF) may also be imposed upon their operations to manage overall risk to privacy and security.

[1] A covered entity is a health care entity that has access to protected health information (PHI).
[2] A business associate is a supplier or subcontractor to a covered entity; bill collectors, processing centers, accountants, etc. can be considered business associates.
Presidential Policy Directive 21 and
Sector Specific Agencies (SSAs)
Concurrently issued with Executive Order 13636, Presidential Policy Directive 21 (PPD-21) requires those regulatory agencies that maintain oversight of organizations (such as the U.S. Department of Health and Human Services (DHHS)) to review the forthcoming CSF for applicability to their constituents [3] (health care and public health).

The CSF is a standards- and consensus-based security and risk management framework under development by the U.S. National Institute of Standards and Technology (NIST). This effort is also referred to as the NIST CSF [4].

The primary goal of EO 13636 and PPD-21 is to increase the resiliency of critical infrastructure (CI). Health care and public health entities are included within this broad definition of CI.

Pursuant to EO 13636, agencies like DHHS will “review the preliminary Cybersecurity Framework and determine if current regulatory requirements are sufficient given current and projected risks” and submit a report to the President “that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.” [5]

This 90-day review would commence on October 10, 2013, after NIST has published the preliminary CSF [6].

[3] PPD-21, section entitled “Designated Critical Infrastructure Sectors and Sector-Specific Agencies.”
[4] EO 13636, § 7(e)
[5] EO 13636, § 10(a)
[6] EO 13636, § 7(e)

Will the NIST CSF reach the Cloud Services Providers?

Cloud Service Providers (CSPs) that are processing electronic protected health information (ePHI) may soon have to deal with the combination of the new HIPAA BAA requirements and the potential that the NIST CSF may increase the reach of DHHS into their CSP operations.

When initially released, EO 13636 and PPD-21 did not specifically address CSPs as critical infrastructure; purportedly a specific carve-out of CSP services from these initiatives was arranged with industry representatives prior to the release of these documents. However, one could make an argument that CSPs are within the domain of communications and information critical infrastructure. If true, CSP operations would be addressed by the Sector-Specific Agency (SSA) for that domain (for communications and information infrastructure the SSA is the U.S. Department of Homeland Security (DHS)).
However, those CSPs acting as a HIPAA business associate (processing health care related data) might find themselves under portions of the NIST CSF if DHHS (not DHS) extends the reach of the framework.
The NIST CSF, ostensibly designed to
enable an Enterprise Risk Management
(ERM) approach, may become the de
facto risk management tool for those
CSPs processing ePHI.
Self-regulatory compliance of CSPs

Presently, the CSP industry has created a self-regulatory privacy and security compliance scheme relying on the International Organization for Standardization (ISO) standards 27001 [7] and 27002 [8]. But there is no general agreement on a single commonly accepted standard for managing enterprise risk.

It can be claimed that NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, is already a de facto standard for HIPAA CEs, as the DHHS Office for Civil Rights (OCR) has endorsed NIST standards as “supplemental guidance” for assessing an organization’s risk. [9]

[7] ISO 27001:2005, Information Security Management Systems (ISMS).
[8] ISO 27002:2005, Code of Practice for Information Security Management.
[9] DHHS, OCR, “HIPAA Security Series”, March 2007.
The HIPAA Security Rule, 45 C.F.R. § 164.308(a)(1)(ii)(A), requires a CE to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity…”.
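The following is an added illustration, not code from the article’s author, DHHS or NIST: it carries out the risk-level determination of the 2002 edition of NIST SP 800-30 (the likelihood and impact values and the High/Medium/Low thresholds of its Table 3-6) over a constructed inventory of ePHI assets, threats and vulnerabilities, and then checks whether each of the three properties named in § 164.308(a)(1)(ii)(A) (confidentiality, integrity, availability) is represented. The asset inventory is invented for the example, and the coverage check is this example’s own reading of “thorough”, not OCR guidance.

```python
"""Risk-level determination in the style of NIST SP 800-30 (2002 edition).

Added example for this article, not code from the author, DHHS or NIST.
The likelihood and impact scales and the High/Medium/Low thresholds follow
Table 3-6 of SP 800-30 (Risk Management Guide for Information Technology
Systems); the ePHI assets, threats and vulnerabilities are constructed.
"""
from dataclasses import dataclass

# SP 800-30 Table 3-6 assigns likelihood 1.0 / 0.5 / 0.1 and impact
# 100 / 50 / 10. Likelihood is scaled by 10 here so that every score is an
# exact integer on the same 1..100 scale (no float rounding).
LIKELIHOOD = {"High": 10, "Medium": 5, "Low": 1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
CIA = ("Confidentiality", "Integrity", "Availability")


@dataclass(frozen=True)
class RiskItem:
    asset: str          # system or data store holding ePHI
    threat: str         # threat-source / threat event
    vulnerability: str  # weakness the threat could exercise
    likelihood: str     # "High" | "Medium" | "Low"
    impact: str         # "High" | "Medium" | "Low"
    cia_property: str   # which of Confidentiality / Integrity / Availability is at stake


def risk_score(likelihood: str, impact: str) -> int:
    """Likelihood value x impact value, on SP 800-30's 1..100 scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact] // 10


def risk_level(score: int) -> str:
    """SP 800-30 risk scale: High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def assess(items):
    """Score each item and return (item, score, level) tuples, highest risk first."""
    scored = [(it, risk_score(it.likelihood, it.impact)) for it in items]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [(it, score, risk_level(score)) for it, score in scored]


def uncovered_properties(items):
    """Properties named in 164.308(a)(1)(ii)(A) that no risk item addresses.

    A non-empty result is this example's own hint (an assumption, not OCR
    guidance) that the assessment is not yet 'thorough'.
    """
    covered = {it.cia_property for it in items}
    return sorted(p for p in CIA if p not in covered)


# Constructed inventory; not real findings from any organisation.
SAMPLE_ITEMS = [
    RiskItem("EHR database", "Malicious insider",
             "Shared DBA account with no activity logging",
             "High", "High", "Confidentiality"),
    RiskItem("Backup tapes", "Loss or theft in transit",
             "Tapes are not encrypted",
             "Medium", "High", "Confidentiality"),
    RiskItem("Claims processing portal", "Hardware failure",
             "Restore procedure never tested",
             "Low", "High", "Availability"),
    RiskItem("Lab results interface", "Message tampering",
             "No integrity check on inbound messages",
             "Medium", "Medium", "Integrity"),
]


if __name__ == "__main__":
    for item, score, level in assess(SAMPLE_ITEMS):
        print(f"{level:6} {score:3}  {item.asset}: "
              f"{item.threat} / {item.vulnerability}")
    missing = uncovered_properties(SAMPLE_ITEMS)
    print("CIA coverage gaps:", ", ".join(missing) or "none")
```

Two points of the table are worth noticing when reading the output: a Low-likelihood threat against a High-impact asset scores 10 and lands in the Low band, and a High-likelihood threat against a Low-impact asset also scores 10, so the matrix treats the two symmetrically. If an ePHI programme disagrees with that weighting, the place to change it is the likelihood and impact values, not the thresholds, and the change should be documented as part of the assessment so an OCR reviewer can follow it.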
The CSP industry is weighing ERM options other than NIST SP 800-30 (ISO 31000 and ISO 27005). Meanwhile, those CSPs handling ePHI would be well advised to carefully review their clients’ new BAAs. Attention should be paid to the areas of contract breach and best industry practices. It would also be prudent to monitor the release of the Preliminary NIST CSF, which coincidentally occurs in October 2013 (a few weeks after the HIPAA Omnibus Final Rule becomes effective).
About the author: David Sweigert is a
Certified Information Systems Security
Professional, Certified Information
Systems Auditor, Project Management
Professional and holds Master’s
degrees in Information Security and
Project Management. He is a former
member of the HIPAA Administrative
Simplification committee, has testified
before the National Committee on Vital
Health Statistics (NCVHS) about HIPAA
implementation and is a practitioner in
the implementation of the HIPAA
Privacy and Security Rules in his role of
assisting organizations in securing their
I.T. enterprise infrastructure.

HIPAA impact on NIST Cybersecurity Framework could influence Cloud Service Providers
