Experior Data Encryption Blog » NIST

White House is Concerned About Protecting PHI

admin — Tue, 18 May 2010 01:28:56 +0000

Howard Schmidt, Obama administration's cyber security czar, prepared a fantastic presentation about the four guiding principles of his cyber security plan:

Deterrence is a primary factor in preventing cyber security threats. Applying strong protectionlike two factor authentication, one time passwords, smart cards, and implementing standard data protection systems were mentioned.
Resilience is the ability to recover from an attack. Designing systems that are able to recover from an attack is paramount to national security, and especially protected health information (PHI). It was noted (in a different part) of the NIST Conference that doctors relying on Health information systems (HIT) need to ensure that a disaster recovery and backup plan is in place and is tested regularly. A doctor’s office or a hospital would be nearly impossible to operate if access to PHI is not available after moving entirely to electronic medical records.
Privacy is important to the White House. It’s clear that legislation and the regulations that follow have privacy in mind. An good example is the Breach Notification law written into section 13402 in the HITECH ACt, part of the American Recovery and Reinvestment Act of 2009 (ARRA). The HITECH Act specifically provides safe harbors in case of a breach of encrypted PHI. The government is clearly incentivizing the use of data encryption to protect privacy.

Partnerships with private industry were mentioned as well, although not in too much detail. Perhaps the White House wants to make sure that whatever steps they put in place have transparency to the public and the private industry.

Risk Management Framework recommended by NIST for HITECH Act and HIPAA Compliance

admin — Fri, 14 May 2010 15:22:55 +0000

In order to help the government and private industry standardize on a risk management process NIST created the RMF - Risk Management Framework. The framework into 6 steps:

Categorize the information systems
Select security controls
Implement security controls
Access security controls
Authorize information systems
Monitor security controls

At the 2010 NIST HIPAA Security Conference presentation, Pat Toth, a computer scientist working for NIST , discussed the importance of the integrating risk management and security into your enterprise computing environment. Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.

The HIPAA security rule specifically requires that a risk assessment be performed on IT systems that contain PHI (protected health information). Rather than creating the assessment from scratch the RMF is a great place to start your research and perhaps implement the steps recommended by NIST to secure your HIT systems.

The RMF is of particular importance for helping to obtain a safe harbor from penalties in the HIPAA security rule, particularly when deciding to implement (or not implement) technologies like data encryption. For example: if you decide that encryption is not needed in your environment and an incident happens where PHI is breached you will need to show the reason behind your decisions to HHS OCR (U.S Department of Health and Human Services, Office of Civil Rights).

Safeguarding Health Information: Building Assurance through HIPAA Security NIST Conference

admin — Tue, 11 May 2010 10:35:02 +0000

We will be tweeting live from the NIST HIPAA security conference on 5/11 and 5/12. If you use twitter we will be using the #NISTHIPAA hashtag. To see our tweets you can go to search.twitter.com and search for #NISTHIPAA after 9:30 am. You can also follow @experiordata