Using NIST Special Publication (SP) 800-171r2/171B to assess and evaluate the Information Security posture of Technology Service Providers who support Covered Entities and/or t
share
This paper describes how NIST Special Publication (SP) 800.171r2 (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations) and 800.171B (Protecting Controlled but Unclassified Information in Nonfederal Systems and Organizations, and Enhanced Security Requirements for Critical Programs and High Value Assets) can be used to evaluate the security posture of information systems and supporting frameworks relative to HIPAA and HITECH . It will be demonstrated that the provisions and baseline security requirements outlined in 800.171r2 and 171B for the protection of Controlled but Unclassified Information (CUI) can be applied to Electronic Protected Health Information (ePHI). An explanation of how 800.171r2 and 171B align with HIPAA and how this alignment is sufficient for evaluating the security of an IT environment which supports the healthcare sector will be detailed. The process for performing a security analysis will be described and demonstrated. Finally, the benefits of using such an approach to support other forms of risk assessment will be described.
READ FULL TEXT