
All aboard the new federal security rules' super train, part 1

Editor's note: This is a white paper from the Evaluator Group discussing new security regulations and how important a good grasp of the finer points of each will be for proper compliance and implementation. Beginning here in part 1, you'll find an overview of what every CIO and Chief Legal Officer (CLO) will need to know. Included are three tables showing implementation specifications for administrative, physical and technical safeguards. Part 2 of this white paper delves into the security environment itself, the technology, applicability and timing, along with a list of four sound practices that will be the basis for all large IT organizations.

It is irresponsible for any medium to large IT organization not to have a person responsible for crafting and proposing data security policy and for auditing its implementation: a Security Officer for Information Risk Management. This should be a bright and capable person with storage and/or network administration experience. Sadly, some IT organizations have avoided the issue entirely or have assigned the responsibility as a part-time priority without adequate training for the person(s) responsible.

New regulations in two areas will define best practices (and become the norm against which liability and malfeasance cases are judged) for all industries by the end of this decade.

1. The new Security Regulations (45 CFR Parts 160, 162 and 164) of the Final Rule issued by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), covering health care plans, clearinghouses and some providers, which HHS (finally) issued on February 20, 2003.

2. The interagency white paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System, published by the Board of Governors of the Federal Reserve System (Docket No. R-1128), the Office of the Comptroller of the Currency (Docket No. 02-13) and the Securities and Exchange Commission (Release No. 34-46432; File No. S7-32-02).

Every CIO and Chief Legal Officer needs to read these documents. While they apply only to their own industries in the short run (healthcare and core financial institutions), they catalog best practices and will define security standards for much of the IT industry by the end of this decade. The Interagency Paper will in effect have Final Rule status in 2004 for core financial institutions and in 2005 for other firms that play significant roles in critical financial markets. In my opinion both are well vetted and practical. They will definitely present an additional administrative burden for organizations that have already adopted best security practices, and for those that haven't they define an immense amount of necessary work ahead. One would expect them to overlap somewhat in critical areas, and they do.

The HIPAA Final Rule from HHS was published in the Federal Register on February 20, 2003, meaning that its effective date will be April 20, 2003; covered entities (excepting small health plans) must comply by April 20, 2005, and small health plans by April 20, 2006. The Final Rule does not make the standards technology-specific, as some of the earlier directives from the NRC and SEC did; that technology-specificity is a problem that is gradually being fixed and, in my opinion, has retarded their implementation. In fact HHS properly points out that "technology is moving too fast, for example the increased use and sophistication of Internet-enabled hand held devices" and "encryption/decryption," to tie it to regulatory rules, which are created and revised much more slowly.

The Final Security Rule is expressed in "Implementation Specifications," each of which is either "required" or "addressable." If "required," the specification must be implemented by the compliance date. If "addressable," a covered entity must:

1. Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment with regard to protecting the entity's electronic protected health information.

2. If implementing the specification is not reasonable and appropriate, document why not and implement an equivalent alternative measure.

The tables below list each standard, its section citation, its Implementation Specifications and whether each specification is required or addressable (Appendix A to Subpart C of Part 164, 45 CFR):

Administrative safeguards (standard, section; implementation specification: status)

Security management process, 164.308(a)(1):
    Risk analysis: Required
    Risk management: Required
    Sanction policy: Required
    Information systems activity review: Required
Assigned workforce responsibility, 164.308(a)(2): Required
Workforce security, 164.308(a)(3):
    Authorization and/or supervision: Addressable
    Workforce clearance procedure: Addressable
    Termination procedure: Addressable
Information access management, 164.308(a)(4):
    Isolating healthcare clearinghouse function: Required
    Access authorization: Addressable
    Access establishment and modification: Addressable
Security awareness and training, 164.308(a)(5):
    Security reminders: Addressable
    Protection from malicious software: Addressable
    Log-in monitoring: Addressable
    Password management: Addressable
Security incident procedures, 164.308(a)(6):
    Response and reporting: Required
Contingency plan, 164.308(a)(7):
    Data backup plan: Required
    Disaster recovery plan: Required
    Emergency mode operations plan: Required
    Testing and revisions procedure: Addressable
    Applications and data criticality analysis: Addressable
Evaluation, 164.308(a)(8): Required
Business associate contracts and other arrangements, 164.308(b)(1):
    Written contract or other arrangement: Required

Physical safeguards (standard, section; implementation specification: status)

Facility access controls, 164.310(a)(1):
    Unique user identification: Required
    Emergency access procedure: Required
    Automatic logoff: Addressable
    Encryption/decryption: Addressable
Workstation use, 164.310(b): Required
Workstation security, 164.310(c): Required
Device and media controls, 164.310(d)(1):
    Disposal: Required
    Media re-use: Required
    Accountability: Addressable
    Data backup and storage: Addressable

Technical safeguards (standard, section; implementation specification: status)

Access control, 164.312(a)(1):
    Unique user identification: Required
Audit controls, 164.312(b): Required
Integrity, 164.312(c)(1):
    Method to authenticate electronic protected health information: Addressable
Person or entity authentication, 164.312(d): Required
Transmission security, 164.312(e):
    Integrity controls: Addressable
    Encryption: Addressable

*The text of the Implementation Specifications can be found in a 289-page PDF document.
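The required/addressable logic above is easy to get wrong in practice, so here is an added example (not from the white paper or from HHS) of a small gap checker that applies it to a covered entity's documented posture. The specification list is a subset of the tables above; the `Spec`, `Posture`, `evaluate` and `gap_report` names and the sample rationales are assumptions for illustration.

```python
# Added example: apply the Final Rule's required/addressable decision logic
# to a documented security posture and report gaps. Not the regulator's tool.
from dataclasses import dataclass


@dataclass(frozen=True)
class Spec:
    section: str      # citation as tabulated in Appendix A to Subpart C
    name: str
    required: bool    # True = "Required", False = "Addressable"


# Subset of the Implementation Specifications from the tables above.
SPECS = [
    Spec("164.308(a)(1)", "Risk analysis", True),
    Spec("164.308(a)(5)", "Log-in monitoring", False),
    Spec("164.308(a)(7)", "Testing and revisions procedure", False),
    Spec("164.312(e)", "Encryption", False),
]


@dataclass
class Posture:
    """What the entity has documented for one specification (constructed input)."""
    implemented: bool = False
    rationale: str = ""     # why the spec is not reasonable and appropriate here
    alternative: str = ""   # equivalent alternative measure adopted instead


def evaluate(spec, posture):
    """Return (compliant, reason) for one specification."""
    if posture.implemented:
        return True, "implemented"
    if spec.required:
        # A required specification admits no alternative: it must be in place.
        return False, "required specification not implemented"
    # Addressable: skipping is allowed only with a documented rationale AND an
    # equivalent alternative measure. Either one alone is still a gap.
    if posture.rationale and posture.alternative:
        return True, "addressable: documented rationale and alternative measure"
    missing = [label for label, value in (("rationale", posture.rationale),
                                          ("alternative", posture.alternative)) if not value]
    return False, "addressable specification skipped without " + " and ".join(missing)


def gap_report(postures):
    """Map 'section name' to (compliant, reason); undocumented specs count as not implemented."""
    return {f"{s.section} {s.name}": evaluate(s, postures.get(s.name, Posture())) for s in SPECS}
```

Running `gap_report` over the entity's posture records gives the evidence a Security Officer needs for the evaluation standard at 164.308(a)(8): every required item implemented, and every skipped addressable item backed by both a rationale and an alternative.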

Interagency paper

On April 7, 2003 the interagency paper was officially published, with some changes to the draft language. The agencies expect these practices to be adopted by the affected agencies within the time frame described. This article summarizes its key points.

Post 9/11 environment

Our financial system operates as a network of interrelated markets and participants. The ability of an individual participant to function can have wide-ranging effects beyond its immediate counterparties. Because of the interdependent nature of the U.S. financial markets, all financial firms have a role in improving the overall resilience of the financial system. To that end, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency and the Securities and Exchange Commission, assisted by the Federal Reserve Bank of New York, issued this paper defining sound practices to advise financial institutions on the steps necessary to protect the financial system in light of the new risks posed by the post-September 11 environment.
