The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates national standards for electronic health care transactions in the United States. The National Institute of Standards and Technology (NIST) published a Security Rule for HIPAA in 2008 that assists covered entities in applying federal information security requirements adopted under HIPAA. Many sub-contractors who bid or work on Department of Defense (DoD) projects will need to achieve NIST compliance by the end of 2017. The following items illustrate some of the ways in which CSCi can help you meet the standards specified in NIST publication 800-171 for Controlled Unclassified Information (CUI).
CSCi Responsibilities
CSCi can assess the application of security controls in information systems, typically for the purpose of developing and implementing procedures for correcting observed deficiencies in those controls. Configuration management responsibilities of CSCi include the establishment of baseline configurations for information systems. We also perform inventories of those systems, including documentation, hardware, software and firmware.
CSCi can establish the capability for responding to operational incidents, including documenting, tracking and reporting those incidents to the appropriate authorities. The identification and correction of system vulnerabilities can also help protect those systems from malicious code. CSCi does not directly protect remote locations, although we do provide guidance in implementing physical security measures.
CSCi helps customers create and retain audit records for information systems, which facilitate the reporting of illegal or unauthorized activity on those systems. We can also ensure that this activity is traced back to individual users so they can be held accountable for their actions. CSCi can provide training on current security requirements, including the identification of system vulnerabilities and methods of mitigating their risk.
Customer Responsibilities
Customers must assess the security controls in their information systems periodically to determine their effectiveness. They also need to develop and implement plans to correct deficiencies in those controls. The configuration management responsibilities of customers primarily include informing CSCi when their baseline configurations and inventories change.
Customers should establish capabilities for handling operational incidents, including the documentation, tracking and reporting of those incidents. They also need to provide physical protection for their information systems, which generally involves limiting the physical access of those systems and operating environments to authorized individuals.
The audit and accountability responsibilities of the customer primarily include periodic reviews of the audit records to ensure the activities on their information systems are lawful, authorized and appropriate. Customers must ensure they can trace those actions back to individual users and hold them accountable for their actions. Customers must also train the users of their information systems on the security risks of those systems.
CSCi has been providing IT services for small and medium-size businesses in the San Diego area for 31 years. Our managed services and on-site engagements include NIST and HIPAA compliance in partnership with companies like HP, Cisco, Fortinet and Microsoft. We can also manage our clients' IT infrastructure remotely and provide helpdesk services. Contact us today for a free assessment of your compliance requirements.