Apr 2017: HIPAA and FISMA: Computing with Regulated Data
With cyberattacks and breaches on the rise, there is increasing pressure on federally funded scientific and academic institutions to protect regulated data, including identifiable patient data protected by the Health Insurance Portability and Accountability Act (HIPAA), and data collected or processed on behalf of the government, which is subject to the Federal Information Security Modernization Act (FISMA). Each comes with its own set of cybersecurity requirements, including physical, administrative, and technical controls, to be applied using a risk-centric approach. FISMA specifies the risk methodology to use, namely the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), but still leaves considerable latitude in how it is deployed. HIPAA requires a risk analysis but leaves the choice of methodology entirely to the practitioner. Both regulations also allow organizations to tailor implementation to fit their size, budget, risk tolerance, and similar factors. This provides great flexibility, but the flexibility comes at a cost: without prescriptive checklists and tools from the government, interpreting the regulations can be a nightmare, especially for the newly initiated. Commercial expertise comes at a premium, and may even be out of reach on a limited budget. Fortunately, the news is not all bad. Cybersecurity in the scientific and academic community has improved greatly in recent years, and a majority of the required controls are typically already in place. The remaining obstacles are generally policies and procedures, risk assessment, mitigation, and, most of all, documentation. While these take time and effort, the bulk of the work is confined to the initial implementation, and it yields considerable gains in both security and efficiency. To illustrate this, the webinar will feature two institutions, the National Center for Atmospheric Research (NCAR) and Indiana University (IU).
They will share their stories of how they faced and overcame the FISMA and HIPAA challenges in their research computing environments, and how they benefited. The webinar will also touch upon the basics of HIPAA and FISMA, the NIST RMF, and how the RMF can be leveraged for HIPAA, FISMA, and other types of cyber compliance.
This talk is presented by Susan Ramsey and Anurag Shankar.