Educause Security Discussion mailing list archives
Re: HITECH Breach Notifications - NIST Required or Safe Harbor?
From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Tue, 15 Sep 2009 16:18:28 -0400
This was in reference to federally funded research, specifically NIH funded research. NIH defaults to NIST for its security requirements. When applicable, the grant opportunity will state the level of data sensitivity (low-medium-high), and NIST SP 800-53 rev 3 is the document that ties the data sensitivity level to the requisite controls. The controls required for even low sensitivity data (audit trails, security awareness training, etc.) often surprise people.

Dan Jones, CGEIT, CISM
IT Security Manager
University of Massachusetts Medical School

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd
Sent: Tuesday, September 15, 2009 1:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HITECH Breach Notifications - NIST Required or Safe Harbor?

"although if you are doing grant funded research then the NIST/FIPS standards must be observed"

Is this for any federal grant work or only those deemed sensitive or "classified" present/future? How do you determine?

Also, does anyone have a "waiver" for the Principal Investigator of a grant to sign if they want to forego encryption on a device? (such as if they want to have a dual boot laptop which may be unsupported?)

Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979 / Fax: (714) 744-7041

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jones, Dan
Sent: Tuesday, September 15, 2009 9:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HITECH Breach Notifications - NIST Required or Safe Harbor?

HITECH (ARRA HIPAA) defines two classes of PHI. They are Protected PHI and Unprotected PHI. PHI is considered protected when it is encrypted. The safe harbor was created for Protected PHI. Essentially, encryption obviates the requirement to report data loss under ARRA/HIPAA. NIST/FIPS compliance does not change this.

Personally I think that an ISO 27k aligned policy set is more durable than following NIST/FIPS, although if you are doing grant funded research then the NIST/FIPS standards must be observed, and can be used as minimum standards in a 27k policy set.

Best,
Dan Jones
UMass Medical School

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris Kidd
Sent: Tuesday, September 15, 2009 12:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HITECH Breach Notifications - NIST Required or Safe Harbor?

A question about the HITECH encryption standard for the breach notification requirements: Do you view NIST/FIPS standards/certifications as a requirement to meet the HITECH encryption requirements, or is NIST just a safe harbor, and other similar technological standards would also meet with the HITECH standards? Another way of asking the same question is whether compliance with the encryption standards in the HIPAA security rule equates with compliance under HITECH. We have looked at the guidance on this and it's hard to tell if NIST is the only relevant standard or just a safe harbor.

Thanks,
Chris Kidd

Chris Kidd
650 Komas Drive, Suite 102
Salt Lake City, UT 84108
Office: 801.587.9241
Cell: 801.747.9028
chris.kidd () utah edu
http://www.secureit.utah.edu