"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process."
Yesterday, we kicked off the enterprise security audit at BIDMC.
Every audit requires a framework. For security, framework choices include NIST, ISO 27002, HITRUST, PCI and COBIT. We've elected to use a NIST approach.
NIST is the National Institute of Standards and Technology, a component of the Department of Commerce (formerly National Bureau of Standards). One of the NIST subject areas is Information Technology - the "800" series.
NIST publishes hundreds of Bulletins, Standards and Guidelines related to Information Technology. Topics range from "What about Cloud Security" to "Smart Grid Interoperability". Relevant to security audits is the NIST 800-30 "Guide for Conducting Risk Assessments".
Why did we choose NIST?
NIST is mandated within the Federal Government. It is gradually being extended to contractors, including Medicare providers. Recently, several NIH grants I've reviewed have included the need for a NIST-based risk assessment. The Center for Medicare and Medicaid Services (CMS) increasingly refers to NIST assessments in their compliance efforts.
All security frameworks, including NIST 800, share common themes. For example, risk is defined in terms of threat, vulnerability, likelihood of occurrence, and impact.
"Threat" could be malware, a natural disaster, disgruntled employee or a myriad of other things
"Vulnerability" is a weakness that makes a system susceptible to the threat
"Likelihood" is the probability the threat and vulnerability will come together
"Impact" is the consequence to the organization of an occurrence
- Threat = thief
- Vulnerability = laptop visible on front seat of a car parked in a public lot
- Likelihood of Occurrence = high,
- Impact = significant if the laptop contains ePHI
NIST 800 also provides recommended controls for mitigating risk. NIST 800-53 describes 194 security controls that roll up into 18 families. (see the above graphic)
I'll report back on the results of our audit and lessons learned when it is completed in November.