The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates national standards for electronic health care transactions in the United States. The National Institute of Standards and Technology (NIST) published a Security Rule for HIPAA in 2008 that assists covered entities in applying federal information security requirements adopted under HIPAA. Many sub-contractors who bid or work on Department of Defense (DoD) projects will need to achieve NIST compliance by the end of 2017. The following items illustrate some of the ways in which Rappahannock IT can help you meet the standards specified in NIST publication 800-171 for Controlled Unclassified Information (CUI).
Rappahannock IT Responsibilities
Rappahannock IT can assess the application of security controls in information systems, typically for the purpose of developing and implementing procedures for correcting observed deficiencies in those controls. Configuration management responsibilities of Rappahannock IT include the establishment of baseline configurations for information systems. We also perform inventories for those systems, including documentation, hardware, software and firmware.
Rappahannock IT can establish the capability for responding to operational incidents, including documenting, tracking and reporting those incidents to the appropriate authorities. The identification and correction of system vulnerabilities can also help protect those systems from malicious code.
Rappahannock IT helps clients create and retain audit records for information systems, which facilitate the reporting of illegal or unauthorized activity on those systems. We can also ensure that this activity is traced back to individual users so they can be held accountable for their actions. Rappahannock IT can provide training on current security requirements, including the identification of system vulnerabilities and methods of mitigating their risk.
Client Responsibilities
Clients must assess the security controls in their information systems periodically to determine their effectiveness. They also need to develop and implement plans to correct deficiencies in those controls. The configuration management responsibilities of clients primarily include informing Rappahannock IT when their baseline configurations and inventories change.
Clients should establish capabilities for handling operational incidents, including the documentation, tracking and reporting of those incidents. They also need to provide physical protection for their information systems, which generally involves limiting the physical access of those systems and operating environments to authorized individuals.
The audit and accountability responsibilities of the client primarily include periodic reviews of the audit records to ensure the activities on their information systems are lawful, authorized and appropriate. Clients must ensure they can trace those actions back to individual users and hold them accountable for their actions. Clients must also train the users of their information systems on the security risks of those systems.
Rappahannock IT has provided IT services to small and medium-sized businesses for over 10 years. Our managed services and on-site engagements include NIST and HIPAA compliance in partnership with companies like Dell, HP, Cisco, Fortinet and Microsoft. We can also manage our clients' IT infrastructure remotely and provide helpdesk services. Contact us today for an assessment of your compliance requirements.