Under the Affordable Care Act (ACA) of 2010, there are now online marketplaces to buy health insurance. These are essentially websites that allow consumers to shop around for an insurance policy by comparing plans from different private providers.
Result: US consumers can purchase health insurance using the same technology that allows them to buy books, gadgets, and artisanal coffees on the web.
I think we can agree that health data that’s collected on these web sites deserves some extra protections.
The Origin of MARS
To address security issues of the exchanges, the ACA required the Department of Health and Human Services (HHS) to come up with data security standards.
Specifically, the Centers for Medicare & Medicaid Services (CMS), a part of HHS, was made responsible for providing guidance and oversight for the exchanges, including defining technical standards.
CMS then established the Minimum Acceptable Risk Standards for Exchanges (MARS-E), which defines a series of security controls. MARS-E is now in its second version, which was released in 2015.
Those familiar with NIST 800-53, a security standard underlying other federal data laws such as FISMA, will immediately recognize the two-letter abbreviations used by MARS-E. CMS borrowed 17 control families from NIST 800-53, which for the record are:
Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Personnel Security (PS), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), System and Information Integrity (SI).
The complete catalog of controls can be found here.
The controls provide only guidance ― they are not meant to force specific security technologies on the exchanges!
HIPAA Confusion
You may ask whether HIPAA rules on privacy and security for protected health information (PHI) also apply to the health exchanges.
Great question!
Health exchanges are not covered entities under HIPAA. So HIPAA’s Privacy and Security rules wouldn’t seem to apply.
But … are they Business Associates (BAs) of the covered entity?
As you may recall, after the new rules that were published back in 2013 (the “HIPAA Omnibus Final Rule”), third-party contractors and their subcontractors who handle or process PHI fall under HIPAA.
The short answer is that the exchanges can be BAs if they perform more than minimal data functions and have a deeper relationship with the insurer.
It’s really the same question that comes up with health wearables. HIPAA doesn’t apply to these gadgets unless the gadget provider has a direct relationship with the insurer or health plan, for example through a corporate wellness plan.
To get a little more insight into this confusing issue of health exchanges and HIPAA, read this article.
In the meantime, you can peruse the table below showing the mapping of relevant MARS-E controls to Varonis products.
MARS Control Family: AC Access Control

Control: AC-2 Account Management
Requirement:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users of the information system and specifying access privileges;
Varonis Solution: By combining user and group information taken directly from Active Directory, LDAP, NIS, or other directory services with a complete picture of the file system, Varonis DatAdvantage gives organizations a complete picture of their permissions structures. Both logical and physical permissions are displayed and organized, highlighting and optionally aggregating NTFS and share permissions. Flag, tag and annotate your files and folders to track, analyze and report on users, groups and data. Varonis DatAdvantage also shows you every user and group that can access data, as well as every folder that can be accessed by any user or group.

Control: AC-6 Least Privilege
Requirement:
a. Employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with Exchange missions and business functions
Varonis Solution: Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to, unstructured data, but it also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: 1) it unites all of the parties responsible, including data owners, auditors, data users and IT, around the same set of information, and 2) it allows organizations to continually monitor the access framework in order to make changes and optimize both for compliance and for continuous enforcement of warranted access.

MARS Control Family: AU Audit and Accountability

Control: AU-2 Auditable Events
Requirement:
…(a) … that the information system must be capable of auditing the list of auditable events specified in the Implementation Standards;
…
Implementation Standards
Generate audit records for the following events …
h. File creation,
i. File deletion,
j. File modification,
…
m. Use of administrator privileges
Varonis Solution: Varonis DatAdvantage helps organizations examine and audit the use of ordinary and privileged access accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint, and Directory Services activity, DatAdvantage provides visibility into users’ actions. The log can be viewed interactively or via email reports. DatAdvantage can also identify when users have administrative rights they do not use or need and provides a way to safely remove excess privileges without impacting the business. Through Varonis DataPrivilege