
Using NIST Special Publication (SP) 800-171r2/171B to assess and evaluate the Information Security posture of Technology Service Providers who support Covered Entities and/or t

by Thomas P. Dover, et al.

This paper describes how NIST Special Publication (SP) 800-171r2 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations) and SP 800-171B (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets) can be used to evaluate the security posture of information systems and their supporting frameworks relative to HIPAA and HITECH. It will be demonstrated that the provisions and baseline security requirements set out in 800-171r2 and 171B for the protection of Controlled Unclassified Information (CUI) can be applied to Electronic Protected Health Information (ePHI). The paper explains how 800-171r2 and 171B align with HIPAA and why this alignment is sufficient for evaluating the security of an IT environment that supports the healthcare sector. The process for performing such a security analysis is described and demonstrated. Finally, the benefits of using this approach to support other forms of risk assessment are described.
