NIST/CMMC/HIPAA/HITRUST/GDPR

CMMC CERTIFICATION
CMMC certification is required of organizations that handle DoD information. If the organization handles non-classified DoD information, it may only need Level 3 or below. If the organization handles high-value information, it will likely need Level 4 or higher.
NIST compliance is complying with the requirements of one or more NIST standards. NIST (National Institute of Standards and Technology) is a non-regulatory agency under the US Department of Commerce. Its primary role is to develop standards (particularly for security controls) that apply to various industries.

NIST COMPLIANCE REQUIREMENTS
The Defense Federal Acquisition Regulation Supplement (DFARS) contains clauses that apply to all contractors who process, store, or transmit “covered defense information.” As a result, many businesses are required to implement the NIST 800-171 security framework.
Adopting the defense-in-depth methodology requires implementing the 14 families of controls while leveraging existing practices and infrastructure. It also creates opportunities to implement advanced solutions such as privilege management and next-generation firewalls.
All requirements in NIST 800-171 trace back to NIST 800-53, and most require both a procedural and a technical control to implement. Here are some important considerations when evaluating NIST-compliant controls.
Control 1: Access Control - The Access Control requirement is the most salient control in the NIST 800-171. In general, this control family specifies limiting system access to authorized users and making sure those users are only able to do specified actions based on job functions (also known as the principle of least functionality). Separation of duties through security groups and Access Control Lists (ACLs) can be applied to meet this control.
Control 2: Awareness and Training - Leadership and employees should receive security awareness training on secure use of the information systems. This is essential to satisfying NIST 800-171 requirements. Conducting mandatory annual security training and exercises is necessary to keep employees informed and vigilant.
Control 3: Audit and Accountability - NIST 800-171 Audit and Accountability requirements focus specifically on ensuring that an organization’s audit generation and reporting capabilities sufficiently support proper security monitoring and management.
Control 4: Configuration Management - Change is defined as the addition, modification, or removal of configuration items. Processes and standard configurations promote systematic changes to maintain integrity over time.
Control 5: Identification and Authentication - Identification and authentication requirements ensure systems are properly identifying users and verifying their identity prior to granting any access. Multi-Factor Authentication can be a key component to meeting this control.
Control 6: Incident Response - Organizations should have operational incident-handling capabilities that include adequate preparation, detection, analysis, containment, recovery, and user response activities.
Control 7: Maintenance - System maintenance should be performed at regular intervals to protect organizational information systems from zero-day attacks and other vulnerabilities.
Control 8: Media Protection - On-premises media should be physically protected and monitored to adequately prevent loss or theft.
Control 9: Personnel Security - Verifying and validating personnel through background checks and other vetting processes are important steps in onboarding procedures.
Control 10: Physical Protection - Physical protection can be enforced with alarm systems, locks, and security cameras.
Control 11: Risk Assessment - Standard assessments are needed to identify risks related to procedures, functions, and information systems. Implementing standard controls and security scans can be used to stay abreast of system vulnerabilities.
Control 12: Security Assessment - Auditing controls, processes, and procedures should be completed to validate that the security posture meets the NIST standards. An outside assessment can also serve as validation of the security framework.
Control 13: System and Communications Protection - Highly secure firewalls should guard the perimeter of your organization and provide intrusion prevention/detection capabilities. Segmented networks are another best practice for both security and performance.
Control 14: System and Information Integrity - Keeping antivirus signatures up to date while scanning for viruses and malware is an essential step in maintaining system and information integrity. Malicious websites should be filtered, with access to them denied from corporate resources.
Let us know if we can help! Understanding the NIST compliance controls can be both challenging and daunting, but Kingston Bay Technologies can help interpret how these controls can be applied to your environment to create both a compliant and secure infrastructure.

HIPAA COMPLIANCE REQUIREMENTS
HIPAA is a law requiring organizations that create, receive, maintain or transmit protected health information (PHI) to keep it protected and secure. If you have PHI, you must comply with HIPAA – it’s as simple as that.
Five Key Steps to HIPAA
Step 1 – Choose a Privacy and Security Officer - For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan.  If you don’t have someone designated to fill this role, you are not compliant.
Step 2 – Risk Assessment - This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. A Risk Assessment extends not only to the accessibility of ePHI, such as passwords, but also to threats to your access to ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking. You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you.
The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event and will change over time as technology and risks change. You will want to revisit your Risk Assessment anytime you have a Breach, theft, or major change in hardware or software, but at a minimum every 2-3 years.
Step 3 – Privacy and Security Policies and Procedures - After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures that ensure both the Privacy of Protected Health Information and the Security of that information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.
Policies and Procedures need to be updated regularly and any changes need to be clearly documented and communicated to your staff.
Step 4 – Business Associate Agreements - Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patients’ PHI or ePHI while performing services on your behalf are “Business Associates” and hold special status in the Privacy equation. Some examples of Business Associates include third-party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and it should be documented in your Risk Assessment.
Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use.
Step 5 – Training Employees - You’ve got your Risk Assessment, Privacy and Security Policies and Procedures and Business Associate Agreements in hand. You’re all good, right? NO! Employees are many times your weakest link.
You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.

HITRUST COMPLIANCE REQUIREMENTS
The HITRUST Common Security Framework (HITRUST CSF) is a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management.
The HITRUST CSF gives organizations a way to show evidence of compliance with HIPAA-mandated security controls. HITRUST takes the requirements of HIPAA and builds on them, incorporating them into a framework based on security and risk.
With many payers and providers requiring their vendors to be HITRUST certified, many healthcare vendors are finding that HITRUST is an essential business priority.

But certification is hard. Requiring around 200-400 hours or more from company employees, the path to HITRUST can be daunting and difficult to navigate for newcomers. To help you better understand what you’re up against and how you can be successful in achieving HITRUST certification, Kingston Bay Technologies will work with you on your certification journey.

GDPR COMPLIANCE REQUIREMENTS
The General Data Protection Regulation is more commonly known as the GDPR.
The GDPR regulates personal data, which is defined as any information that can identify an individual, called a “data subject.” Affected companies must comply with data subjects’ wishes on how their personal data is processed, as well as keep records of how this processing occurs.
Why US companies must comply with the GDPR
The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as to protect data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even visitors.
What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website.
You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.