Educause Security Discussion mailing list archives

Re: HITECH Breach Notifications - NIST Required or Safe Harbor?


From: Doug Markiewicz <dmarkiew+educause () ANDREW CMU EDU>
Date: Tue, 15 Sep 2009 13:58:13 -0400

I see compliance with NIST guidance as merely a safe harbor against
notification.  The Security Rule lists encryption as an 'addressable'
control which leaves you room to implement other mitigating controls if
encryption isn't feasible.  However, since the Security Rule and the Breach
Rule both reference NIST documentation, aligning with NIST encryption
guidance would certainly be advisable if you don't have other mitigating
controls in place.  You don't have to read too far between the lines to see
that HHS likes them some NIST.  Working through how best to define our own
institutional requirements, I think they've taken a pretty solid approach in
terms of being flexible while still trying to drive some change.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, September 15, 2009 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HITECH Breach Notifications - NIST Required or Safe
Harbor?

A question about the HITECH encryption standard for the breach notification
requirements: Do you view NIST/FIPS standards/certifications as a
requirement to meet the HITECH encryption requirements or is NIST just a
safe harbor, and other similar technological standards would also meet with
the HITECH standards?  Another way of asking the same question is whether
compliance with the encryption standards in the HIPAA security rule equates
with compliance under HITECH.  We have looked at the guidance on this and
it's hard to tell if NIST is the only relevant standard or just a safe
harbor.

Thanks,
Chris Kidd



Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu

http://www.secureit.utah.edu
