Are NIST standards clouding the implementation of HIPAA protections?
Part nine of a series
September 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
(non-attorney providing scholarly (non-legal) advice)

ABSTRACT
Subcontractors processing protected health information should be aware of legal liabilities regarding the adequacy of bona fide security risk assessments.

Background
September 23, 2013 is the deadline for those entities processing “protected health information” (PHI) to ensure their subcontractors align their security practices with the national PHI protection floor known as the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). The mechanism to accomplish this objective is known as the Business Associate Agreement (BAA). Subcontractors are considered “business associates” in this model, and their BAA may require their compliance with the HIPAA Security Rule, which, among other things, requires a “security risk assessment” (Title 45 Code of Federal Regulations (C.F.R.) Section 164.308(a)(1)). It would be an over-simplification to assume that the adequacy of a 45 C.F.R. 164.308(a)(1) security risk assessment is open to broad interpretation by the entity conducting it.

NIST Standards Mandated
There is a bright-line test as to the required level of sufficiency for a 45 C.F.R. 164.308(a)(1) security risk assessment.

“Federal contractors” have been bound for a decade by pre-existing requirements regarding the level of quality required of their information security practices.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MPDIMA) added information security requirements for Medicare administrative contractors (MAC), fiscal intermediaries, and carriers. MPDIMA imposed the requirements of the Federal Information Security Management Act (FISMA, 44 U.S.C. 3541 et seq.) as the prevailing bright-line test for the information security practices of CMS “federal contractors”. See 42 U.S.C. § 1395kk-1.

Requirements for NIST compliance
The 1988 Omnibus Trade and Competitiveness Act (OTCA) gave the exclusive domain for the promulgation of federal computer security standards to the U.S. National Institute of Standards and Technology (NIST). The NIST Information Security Laboratory and the Computer Security Division are the only pertinent, relevant and Congressionally chartered organizations to render opinions on behalf of the U.S. Government in matters of computer security technology and standardization.

Office of Management and Budget (OMB, in the Executive Office of the President (EOP)) instruction M-10-15 (OMB M-10-15), entitled Reporting Instructions for the Federal Information Security Management Act (FISMA, 44 U.S.C. 3541 et seq.) and Agency Privacy Management 13-14 (2010), requires federal contractors to ensure that the operation of information technology infrastructure is in compliance with the security provisions of the FISMA law. Quoting OMB instruction M-10-15 in relevant part (at page 15):
“…Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not "equivalent," security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and security authorization (C&A) must, at a minimum, explicitly meet guidance from NIST. Additionally, IGs shall include some contractor systems in their “representative subset of agency systems,” and not doing so presents an incomplete independent evaluation.” [emphasis added]

The U.S. Department of Health and Human Services (DHHS) Office of the Chief Information Officer (OCIO) policy regarding cybersecurity, known as HHS-OCIO-2011-0003, states (quoting in relevant part):
“…This Policy applies to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department through contractual relationships. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in place as of the effective date of this Policy….” [emphasis added]; and,
“…4.1.1 OPDIVs/STAFFDIVs shall use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision (Rev.) 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (dated February 2010), as the methodology for the security authorization of information systems (formerly known as “certification and accreditation” or “C&A”), in accordance with FISMA and direction from the Office of Management and Budget (OMB)…”; [emphasis added] and,
“…4.1.4 Information assurance and privacy activities conducted within the Department shall be consistent with the guidance, methodologies, and intent prescribed by the NIST SP series, in particular NIST SP 800-53 Rev. 3 and NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, and other relevant Federal laws and guidance documents. It is incumbent upon each OPDIV to appropriately follow the steps in the NIST SP 800-37 Rev. 1 Risk Management Framework (RMF) to select, implement, assess, authorize, and monitor such controls commensurate with a system’s FIPS 199 categorization….” [emphasis added]

Bona fide risk assessment
The foregoing authorities can be summarized in the industry term “bona fide security risk assessment”. That is, to meet the bright-line test and the standard of legal sufficiency for assessing security management practices, an adequate risk assessment must be completed to the NIST standard (for those subcontractors supporting HIPAA “covered entities” that are federal contractors).
Such bona fide assessments will demonstrate a baseline of adequate security policies, standards and guidelines (PSGs) that have been put in place to protect PHI. A risk assessment will measure the implementation maturity of those guidelines (practical implementation in the I.T. infrastructure, with appropriate evidence to demonstrate compliance) and identify gaps. Gaps (material weaknesses) will then be compared with the downstream consequences of failure or exploit. These gaps, and their consequences, will be presented to senior management so that remediation can be planned and prioritized.
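As an added illustration (not code from the article or from any NIST publication), the following Python models the assessment steps just described: it credits implementation maturity only where evidence demonstrates it, computes each control's gap against the level a FIPS 199 impact category requires, and ranks the gaps by downstream consequence for the senior-management brief. The maturity scale, the required level per impact category, the materiality rule and the sample findings are constructed assumptions; the control identifiers are NIST SP 800-53 control names used as labels.

```python
"""Prioritised gap register for a NIST-style security risk assessment.

Added illustration, not code from the article or from any NIST publication.
It models the assessment steps the article describes: a baseline of policies,
standards and guidelines (PSGs), an implementation maturity that counts only
when evidence demonstrates it, the resulting gaps (material weaknesses), and
a ranking by downstream consequence so remediation can be prioritised.
The maturity scale, the required level per FIPS 199 impact category, the
materiality rule and the sample findings are all constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List


class Impact(IntEnum):
    """FIPS 199 impact category of the system holding the PHI."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed maturity scale used throughout this example:
#   0 = no policy, 1 = policy/standard written (PSG baseline exists),
#   2 = implemented in the infrastructure, 3 = implemented and monitored.
REQUIRED_MATURITY: Dict[Impact, int] = {
    Impact.LOW: 2,
    Impact.MODERATE: 3,
    Impact.HIGH: 3,
}


@dataclass
class ControlFinding:
    control_id: str            # NIST SP 800-53 control name used as a label
    title: str
    claimed_maturity: int      # level the subcontractor self-reports (0..3)
    evidence: List[str] = field(default_factory=list)  # artefacts reviewed
    consequence: int = 1       # 1..5 downstream impact if the control fails

    def measured_maturity(self) -> int:
        """Credit implementation only where evidence demonstrates it.

        A written policy (level 1) is its own evidence; any claim above
        level 1 that is not backed by an artefact is scored back to level 1.
        """
        if self.claimed_maturity > 1 and not self.evidence:
            return 1
        return self.claimed_maturity


def gap_register(findings: List[ControlFinding], impact: Impact) -> List[dict]:
    """Compare measured maturity with the level the impact category requires,
    keep only the controls with a shortfall, and rank them by gap x consequence."""
    required = REQUIRED_MATURITY[impact]
    rows = []
    for f in findings:
        measured = f.measured_maturity()
        gap = required - measured
        if gap <= 0:
            continue
        rows.append({
            "control": f.control_id,
            "title": f.title,
            "measured": measured,
            "required": required,
            "gap": gap,
            "consequence": f.consequence,
            "priority": gap * f.consequence,
            # Constructed materiality rule: a two-level shortfall, or any
            # shortfall on a control whose failure is rated 4 or 5.
            "material": gap >= 2 or f.consequence >= 4,
        })
    # Highest priority first; ties broken by control id for a stable report.
    rows.sort(key=lambda r: (-r["priority"], r["control"]))
    return rows


def management_summary(rows: List[dict]) -> List[str]:
    """One line per gap, in remediation order, for the senior-management brief."""
    return [
        f"{r['control']:<5} {r['title']:<38} maturity {r['measured']}/{r['required']}"
        f"  consequence {r['consequence']}  priority {r['priority']:>2}"
        f"{'  MATERIAL WEAKNESS' if r['material'] else ''}"
        for r in rows
    ]


# Constructed sample findings from a fictitious subcontractor review.
SAMPLE_FINDINGS = [
    ControlFinding("RA-3", "Risk Assessment", 3, ["2013 assessment report"], 4),
    ControlFinding("AC-2", "Account Management", 3, [], 5),   # claimed, no evidence
    ControlFinding("CP-9", "Information System Backup", 2, ["backup job logs"], 4),
    ControlFinding("AU-6", "Audit Review, Analysis, and Reporting", 1, [], 2),
    ControlFinding("AT-2", "Security Awareness", 2, ["training roster"], 2),
]

if __name__ == "__main__":
    for line in management_summary(gap_register(SAMPLE_FINDINGS, Impact.MODERATE)):
        print(line)
```

Note that AC-2 tops the register even though the subcontractor claimed full implementation: with no artefact behind the claim it is scored as policy-only, which is the evidence test the paragraph above insists on.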
The foregoing represents a significant departure from the usual check-box compliance approach of conducting a network penetration study or red-team dumpster diving and then hoping for the best. Business associates of federal contractors processing PHI, especially on behalf of DHHS, would be prudent to accurately assess their need to comply with the authorities cited.

About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, Project Management Professional and holds Master’s degrees in Information Security and Project Management. A former consultant to the U.S. Department of Homeland Security, he is a practitioner of developing HIPAA Security Rule compliant policies, standards and guidelines that demonstrate compliance for many organizations (including Delta Dental, Kaiser Permanente and others). He can be reached at LINKEDIN.COM.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
UiPathCommunity
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 

Recently uploaded (20)

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 

Are NIST standards clouding the implementation of HIPAA security risk assessments?

Slide 1

Are NIST standards clouding the implementation of HIPAA protections?
Part nine of a series
September 2013
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP (non-attorney providing scholarly (non-legal) advice)

ABSTRACT

Subcontractors processing protected health information should be aware of legal liabilities regarding the adequacy of bona fide security risk assessments.

Background

September 23, 2013 is the deadline for those entities processing “protected health information” (PHI) to ensure their subcontractors align their security practices with the national PHI protection floor known as the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA). The mechanism to accomplish this objective is known as the Business Associate Agreement (BAA). Subcontractors are considered “business associates” in this model, and their BAA may require their compliance with the HIPAA Security Rule, which, among other things, requires a “security risk assessment” (Title 45 Code of Federal Regulations (C.F.R.) Section 164.308(a)(1)). It would be an over-simplification to assume that a 45 C.F.R. 164.308(a)(1) security risk assessment is open to broad interpretation, as to adequacy, by the entity conducting such a security risk assessment.

NIST Standards Mandated

There is a bright-line test as to the required level of sufficiency for a 45 C.F.R. 164.308(a)(1) security risk assessment.

“Federal contractors” have been bound for a decade by pre-existing requirements regarding the level of quality required of their information security practices.

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MPDIMA) added information security requirements for Medicare administrative contractors (MAC), fiscal intermediaries, and carriers.

MPDIMA imposed the requirements of the Federal Information Security Management Act (FISMA, 44 U.S.C. 3541 et seq.) as the prevailing bright-line test for information security practices of CMS “federal contractors”. See 42 U.S.C. § 1395kk-1.

Slide 2

Requirements for NIST compliance

The 1988 Omnibus Trade and Competitiveness Act (OTCA) gave the exclusive domain for the promulgation of federal computer security standards to the U.S. National Institute of Standards and Technology (NIST). The NIST Information Technology Laboratory and its Computer Security Division are the only pertinent, relevant and Congressionally chartered organizations able to render opinions on behalf of the U.S. Government in matters of computer security technology and standardization.

Office of Management and Budget (OMB, in the Executive Office of the President (EOP)) instruction M-10-15 (OMB M-10-15), entitled Reporting Instructions for the Federal Information Security Management Act (FISMA, 44 U.S.C. 3541 et seq.) and Agency Privacy Management, 13-14 (2010), requires federal contractors to ensure the operation of information technology infrastructure is in compliance with the security provisions of the FISMA law. Quoting OMB instruction M-10-15 in relevant part (at page 15):

“…Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed and such must be included in the terms of the contract. Agencies must ensure identical, not "equivalent," security procedures. For example, annual reviews, risk assessments, security plans, control testing, contingency planning, and security authorization (C&A) must, at a minimum, explicitly meet guidance from NIST. Additionally, IGs shall include some contractor systems in their “representative subset of agency systems,” and not doing so presents an incomplete independent evaluation.” [emphasis added]

The U.S. Department of Health and Human Services (DHHS) Office of Chief Information Officer (OCIO) policy regarding cybersecurity, known as HHS-OCIO-2011-0003, states (quoting in relevant part):

“…This Policy applies to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department through contractual relationships. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in place as of the effective date of this Policy….” [emphasis added]

and,

“…4.1.1 OPDIVs/STAFFDIVs shall use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision (Rev.) 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (dated February 2010), as the methodology for the security authorization of information systems (formerly known as “certification and accreditation” or “C&A”), in accordance

Slide 3

with FISMA and direction from the Office of Management and Budget (OMB)…” [emphasis added]

and,

“…4.1.4 Information assurance and privacy activities conducted within the Department shall be consistent with the guidance, methodologies, and intent prescribed by the NIST SP series, in particular NIST SP 800-53 Rev. 3 and NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, and other relevant Federal laws and guidance documents. It is incumbent upon each OPDIV to appropriately follow the steps in the NIST SP 800-37 Rev. 1 Risk Management Framework (RMF) to select, implement, assess, authorize, and monitor such controls commensurate with a system’s FIPS 199 categorization….” [emphasis added]

Bona fide risk assessment

The foregoing authorities can be summarized within the industry term “bona fide security risk assessment”. That is, to meet the bright-line test and legal sufficiency for assessing security management practices, an adequate risk assessment must be completed to the NIST standard (for those subcontractors supporting HIPAA “covered entities” that are federal contractors).

Such bona fide assessments will demonstrate a baseline of adequate security policies, standards and guidelines (PSGs) that have been put in place to protect PHI. A risk assessment will measure the implementation maturity of those guidelines (practical implementation in the I.T. infrastructure, with appropriate evidence to demonstrate compliance) and identify gaps. Gaps (material weaknesses) will then be compared with the downstream consequences of failure or exploit. These gaps, and their consequences, will be presented to senior management so that remediation can be planned and prioritized.

The foregoing represents a significant departure from the usual check-box compliance approach of conducting a network penetration study or red team dumpster diving and then hoping for the best.

Business associates of federal contractors processing PHI, especially on behalf of DHHS, would be prudent to accurately assess their need to comply with the authorities cited.

About the author: Dave Sweigert is a Certified Information Systems Security Professional, Certified Information Systems Auditor, and Project Management Professional, and holds Master’s degrees in Information Security and Project Management. A former consultant to the U.S. Department of Homeland Security, he is a practitioner of developing HIPAA Security Rule compliant policies, standards and guidelines that demonstrate compliance for many organizations (including Delta Dental, Kaiser Permanente and others). He can be reached at LINKEDIN.COM.