Comments on "Dispatch from the Digital Health Frontier: Security Assessment Kickoff" by John Halamka (http://www.blogger.com/profile/04550236129132159307)

Anonymous, 2012-10-10 11:09 (-07:00):

Don't overlook the usefulness of NIST SP800-30 (Guideline for Conducting Risk Assessments) and SP800-66 (Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule).

Both of these can be excellent resources for providers trying to better understand the Security Rule and Risk Assessments as necessary under MU.

If you really want to better understand how HHS/CMS view/address security, take a look at CMS's Acceptable Risk Safeguards for Moderate level systems (http://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/downloads/ARS_App_B_CMSR_Moderate.pdf). Think of it as SP800-53 with all of the blanks filled in.

NIST also provides an excellent (and free) tool to help collect artifacts related to the Risk Assessment in their HIPAA Security Rule Toolkit (http://scap.nist.gov/hipaa/).

Austin (https://www.blogger.com/profile/15530262791217286906), 2012-10-02 09:54 (-07:00):

I'm excited to hear about the results of this audit. Do you believe your environment is ready for the NIST audit or is it more of an implementation approach?

Also, why did you not consider HITRUST as it includes NIST? I know it is a somewhat immature framework, but in theory it should map to NIST and allow you to also get coverage of many other regulations.

Interested in your thoughts!