Configuration management remains a challenging issue especially for small and mid-size organizations. With the complex dependencies of modern applications a modification to an organization browser, a security patch of the operating system, and even hard-ware upgrades can introduce incompatibilities or security vulnerabilities into your organization’s information system. Today NIST announced the publication of Initial Public Draft Special Publication 800-128, Guide for Security Configuration Management of Information Systems. This publication provides guidelines for managing the configuration of information system architectures and associated components for secure processing, storing, and transmitting of information. Security configuration management is an important function for establishing and maintaining secure information system configurations, and provides important support for managing organizational risks in information systems. This publication beyond providing an excellent resource includes two invaluable [...]
|
||||
|
By Robert Hudock, on March 19th, 2010
 Print This PostMarch 19th, 2010 | Tags: Configuration Management, NIST, SP 800-128 | Category: Computer Security Law -- Federal, Data Hemorrages, Destruction, Encryption, FIPS 140-2, HIPAA Security, NIST, Uncategorized |
Leave a comment
Print This PostBy Robert Hudock, on March 12th, 2010
Print This PostHIMSS is the largest health care technology conference in the United States. This year the conference was held in Atlanta, the conference brought $25 million to Atlanta. The tone of HIMSS 2010 was cautiously optimistic in light of the uncertainty surrounding threatened Governments legislative actions. Vendors are working hard to meet recently promulgated regulatory requirements for EHR systems; some of legislated requirements for EHRs are not essential or likely to be used by most physicians. The government is positioned as the primary funding source for EHR and HIE technology. Grants for HIE implementation total almost 400 million dollars, with a promise of more grants to come. Implementation models for state HIE’s vary from a federated model to states with loosely associated local HIE’s. Thus far a strong centralized structure seems to be the most effective implementation [...] March 12th, 2010 | Tags: Google Health, Health Vault, HIMSS, HIMSS 2010, Interoperability, ownership, patients, proprietary formats, rights | Category: American Recovery and Reinvestment Act, HIMSS, HIPAA Security, HL-7, Health Information Technology, Health Reform, Health and Humans Services (HHS), Interoperability, NIST |
Leave a comment
Print This PostBy Robert Hudock, on February 5th, 2010
Print This PostLargely in reaction to a devastating cyber attack against Google last week, and general concern about the vulnerability of the nations information superhighway, the house passes the Cybersecurity Enhancement Act of 2009 (available at http://thomas.loc.gov/cgi-bin/query/z?c111:h4061) 422 to 5. The companion bill in the senate is Cybersecurity Act of 2009, or Senate Bill 773, will “ensure the continued free flow of commerce within the United States and with its global trading partners through secure cyber communications, to provide for the continued development and exploitation of the Internet and intranet communications for such purposes, to provide for the development of a cadre of information technology specialists to improve and maintain effective cyber security defenses against disruption, and for other purposes.” The senate bill is much broader in scope (calling for example a cybersecurity [...] February 5th, 2010 | Tags: Cybersecurity Act of 2009, Cybersecurity Enhancement Act of 2009 . HR4061, SB773 | Category: Computer Security Law -- Federal, Cyber Security Enhancement Act of 2009, Expert Systems, Law and Technology, NIST |
Leave a comment
Print This PostBy Robert Hudock, on November 17th, 2009
Print This PostNext year should be interesting. From Red Flag compliance, federal breach reporting requirements, significantly augmented HIPAA penalties, and HIPAA security standards that are based on NIST guidelines will change the traditional compliance model for Covered Entities and Business Associates. Hot topics for enforcement next year (based on recent CMS audits of their business partners) will likely be in the areas encryption of portable media devices, remote access by employees to protected health information, and failure to document a rational risk management [...] November 17th, 2009 | Tags: ARRA, breach, EHR, Encryption, enforcement actions, FISMA, HIPAA, Interoperability, NIST, OIG, security | Category: American Recovery and Reinvestment Act, EMR, Encryption, FIPS 140-2, HIPAA Security, HITECH Act, Health Information Technology, Health and Humans Services (HHS), Interoperability, Meaningful Use, NIST, unsecured protected health information |
2 comments
Print This PostBy Robert Hudock, on September 22nd, 2009
Print This PostI am a little unclear as to why privacy advocates and security vendors believe that the harm standard, found within the new HHS regulations for security breaches, in any way hampers the HITECH Act’s security breach notice rule for covered entities and business associates. Many states use a similar risk based type analysis, in fact only seven states have a strict acquisition based standard, of those only a couple of these states link their definition of encryption to FIPS 140-2. In comparison to risk based states where one assesses the potential risk to a consumer resulting from theft of sensitive informatioin, the federal standard is more helpful in the sense that it highlights key criteria to be evaluated in assessing risk to consumers. [...] September 22nd, 2009 | Tags: fear mongering, FIPS 140-2, FISMA, harm standard, HIPAA, OMB, Risk Analysis, security incident | Category: Computer Security Law -- Federal, Data Hemorrages, Encryption, FIPS 140-2, HIPAA Privacy, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Identity Theft, Individually identifiable health information, NIST, Privacy, State Security Breach Laws, unsecured protected health information |
One comment
Print This PostBy Robert Hudock, on September 8th, 2009
Print This PostSecurity Incidents can be accidental incursions or deliberate attempts to break into systems and can be benign to malicious in purpose or consequence, each incident requires a careful response at a level commensurate with its potential impact to the security of individuals and your organization as a whole however few organizations have an appropriate security incident policy. The fundamental components of a security incident response plan include the following — [...] September 8th, 2009 | Tags: malicious hackers, malware, NIST, policy, Privacy, security, security incident | Category: Computer Security Law -- Federal, Data Hemorrages, FTC Security Breach Notification, Forensic Tools, HIPAA Privacy, HIPAA Security, Identity Theft, Law and Technology, Media Sanitization, NIST, Peer-2-Peer File Sharing, Privacy, State Privacy and Computer Security Laws, State Security Breach Laws |
2 comments
Print This PostBy Robert Hudock, on August 21st, 2009
Print This PostRegulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when personal health information is breached were issued August 19th, 2009, by the U.S. Department of Health and Human Services (HHS). These “breach notification” regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 [...] August 21st, 2009 | Tags: Data at Rest, Data Disposed, Data in Motion, Data in Use, Destruction, Encryption, FTC, Health Breach Notification Rule - FTC, HHS, HIPAA, OCR, paper, redaction, Report, security breach | Category: American Recovery and Reinvestment Act, Computer Security Law -- Federal, Encryption, FIPS 140-2, FTC Security Breach Notification, HIPAA Security, HITECH Act, Health and Humans Services (HHS), Media Sanitization, NIST, Office of Civil Rights, unsecured protected health information |
Leave a comment
Print This PostBy Robert Hudock, on August 18th, 2009
Print This PostNIST approved XTS-AES for the secure encryption of block devices in NIST Special Publication 800-38E, Recommendation for Block Cipher Modes of Operation: The XTS-AES Mode for Confidentiality on Block-Oriented Storage Devices (Draft August 2009)(available at http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/XTS/follow-up_XTS_comments-Ball.pdf) subject to a caveat on the file size. The number of blocks that can be securely encrypted using this method is 2^20 blocks. The Advanced Encryption Standard (AES) is a FIPS-approved cryptographic algorithm (Rijndael, designed by Joan Daemen and Vincent Rijmen, published in 1998) that may be used by US federal departments and agencies to cryptographically protect sensitive information. There are various modes of operation some of them are approved by NIST FIPS 140-2. NIST’s decision approves the use of XTS-AES for encrypting block devices (hard drives, optical media, etc.) is particularly significant because TrueCrypt is an open source implementation of [...] August 18th, 2009 | Tags: Ciphertext Stealing, csrc, IEEE, NIST, Standard 1619-2007, TrueCrypt, truecrypt certified by NIST, XEX, XTS-AES | Category: Computer Security Law -- Federal, FIPS 140-2, HIPAA Security, NIST |
Leave a comment
Print This PostImprove the web with Nofollow Reciprocity. |
||||
|
Copyright © 2010 Law Blog 2.0 - Robert Hudock, Esq., CISSP - All Rights Reserved - This Blog is a personal blog of Robert Hudock. |
||||
Business Associate and Covered Entity HIPAA Compliance -- Auditing Questions and NIST 800-53 Security Controls.
This article discusses techniques for implementing the updated requirements of the HIPAA Security Rule, with particular focus on strategies for assessing the effectiveness of implemented security controls to support compliance and audit, as well as a covered entity’s (or business associate) overarching risk management program in the context of HIPAA Compliance. Covered entities are becoming more pro-active in monitoring their business associate compliance with HIPAA privacy and security regulations and the recent changes largely the product of the HITECH Act. In the past I have used a series of questions to ascertain the compliance status of business associates to comply with HIPAA privacy and security rules. I find it useful to map security controls to NIST Special Publication 800-53. The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems. The controls are included in the final version of Special Publication 800-53, Revision 3 “Recommended Security Controls for Federal Information Systems and Organizations,” released in August of 2009. (Available at http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf). [...]