Educause Security Discussion mailing list archives

Re: HITECH Breach Notifications - NIST Required or Safe Harbor?


From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 15 Sep 2009 16:18:28 -0400

This was in reference to federally funded research, specifically NIH
funded research. NIH defaults to NIST for its security requirements.
When applicable, the grant opportunity will state the level of data
sensitivity (low-medium-high), and NIST SP 800-53 rev 3 is the document
that ties the data sensitivity level to the requisite controls. The
controls required for even low sensitivity data (audit trails, security
awareness training, etc.) often surprise people.


Dan Jones, CGEIT, CISM

IT Security Manager

University of Massachusetts Medical School


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd
Sent: Tuesday, September 15, 2009 1:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HITECH Breach Notifications - NIST Required or
Safe Harbor?


"although if you are doing grant funded research then the NIST/FIPS
standards must be observed"

Is this for any federal grant work or only those deemed sensitive or
"classified" present/future?  How do you determine?  Also, does anyone
have a "waiver" for the Principal Investigator of a grant to sign if
they want to forgo encryption on a device (such as if they want to
have a dual-boot laptop, which may be unsupported)?


Todd A. Plesco, CISM, CBCP

Chapman University, Director of Information Security

One University Drive, Orange, CA 92866

Phone: (714) 744-7979/Fax: (714) 744-7041


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Dan
Sent: Tuesday, September 15, 2009 9:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HITECH Breach Notifications - NIST Required or
Safe Harbor?


HITECH (ARRA HIPAA) defines two classes of PHI. They are Protected PHI
and Unprotected PHI. PHI is considered protected when it is encrypted.
The safe harbor was created for Protected PHI. Essentially, encryption
obviates the requirement to report data loss under ARRA/HIPAA.


NIST/FIPS compliance does not change this. Personally I think that an
ISO 27k aligned policy set is more durable than following NIST/FIPS,
although if you are doing grant funded research then the NIST/FIPS
standards must be observed, and can be used as minimum standards in a
27k policy set.


Best,

Dan Jones

UMass Medical School


From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, September 15, 2009 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HITECH Breach Notifications - NIST Required or Safe
Harbor?


A question about the HITECH encryption standard for the breach
notification requirements: Do you view NIST/FIPS
standards/certifications as a requirement to meet the HITECH encryption
requirements or is NIST just a safe harbor, and other similar
technological standards would also meet with the HITECH standards?
Another way of asking the same question is whether compliance with the
encryption standards in the HIPAA security rule equates with compliance
under HITECH. We have looked at the guidance on this and it's hard to
tell if NIST is the only relevant standard or just a safe harbor.


Thanks,

Chris Kidd

Chris Kidd

650 Komas Drive, Suite 102

Salt Lake City, UT 84108

Office: 801.587.9241

Cell: 801.747.9028

chris.kidd () utah edu


http://www.secureit.utah.edu
