Educause Security Discussion mailing list archives
Re: HITECH Breach Notifications - NIST Required or Safe Harbor?
From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Tue, 15 Sep 2009 13:58:13 -0400
I see compliance with NIST guidance as merely a safe harbor against notification. The Security Rule lists encryption as an 'addressable' control, which leaves you room to implement other mitigating controls if encryption isn't feasible. However, since the Security Rule and the Breach Rule both reference NIST documentation, aligning with NIST encryption guidance would certainly be advisable if you don't have other mitigating controls in place. You don't have to read too far between the lines to see that HHS likes them some NIST. Working through how best to define our own institutional requirements, I think they've taken a pretty solid approach in terms of being flexible while still trying to drive some change.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, September 15, 2009 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HITECH Breach Notifications - NIST Required or Safe Harbor?

A question about the HITECH encryption standard for the breach notification requirements: Do you view NIST/FIPS standards/certifications as a requirement to meet the HITECH encryption requirements, or is NIST just a safe harbor, and other similar technological standards would also meet the HITECH standards? Another way of asking the same question is whether compliance with the encryption standards in the HIPAA Security Rule equates with compliance under HITECH. We have looked at the guidance on this and it's hard to tell if NIST is the only relevant standard or just a safe harbor.

Thanks,
Chris Kidd

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu