NIST SP800-66 Rev1：HIPAA安全规则实施指南

需积分: 10 162 浏览量更新于2024-07-16 收藏 665KB PDF 举报

"NIST SP800-66 Rev1.pdf" NIST（美国国家标准与技术研究所）是负责制定联邦机构在确保信息安全方面所需最低要求的标准和指南的机构。其信息科技实验室（ITL）开发了改善信息技术（IT）规划、实施、管理和操作效率的指导方针。NIST发布了一系列关于信息安全的出版物，这些对联邦机构以及非联邦公共机构和私营组织来说，是应对现有和新联邦信息安全要求的重要资源。其中，NIST SP800-66 Revision 1 是一份关于实施《健康保险可携带性和责任法案》（HIPAA）安全规则的入门资源指南。HIPAA旨在通过标准化电子交易促进医疗行业的效率，同时保护健康信息的隐私和安全。根据HIPAA的行政简化条款，卫生与公众服务部部长制定了以下标准： 1. 电子医疗交易和代码集 2. 保护健康信息的隐私 3. 电子保护健康信息（EPHI）的安全 4. 唯一健康标识符 NIST SP800-66 摘要了HIPAA安全标准，并解释了安全规则的结构和组织。它帮助读者理解HIPAA安全规则中使用的信息安全术语，增强对安全标准的理解。该出版物还引导读者查阅其他NIST出版物，以获取有关HIPAA安全规则所涵盖主题的更多信息。尽管医疗保险和医疗补助服务中心（CMS）在HIPAA安全规则的序言中提到了一些NIST出版物，但CMS并未要求在遵守安全规则时必须使用它们。这份报告是理解和讨论HIPAA安全规则中安全概念的辅助工具，但不补充、替代或超越安全规则本身。它由Matthew Scholl、Kevin Stine、Joan Hash、Pauline Bowen、Arnold Johnson、Carla Dancy Smith和Daniel I. Steinberg等人共同编写，属于NIST的信息安全领域，计算机安全分部的一部分，旨在通过技术领导力支持国家的测量和标准基础设施，开发测试、测试方法、参考数据、概念验证实现和技术分析，以推动美国经济并增进公共福利。

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)

Security Rule

• Organizational Requirements - includes standards for business associate contracts

and other arrangements, including memoranda of understanding between a covered

entity and a business associate when both entities are government organizations; and

requirements for group health plans.

• Policies and Procedures and Documentation Requirements - requires

implementation of reasonable and appropriate policies and procedures to comply with

the standards, implementation specifications and other requirements of the Security

Rule; maintenance of written (which may be electronic) documentation and/or

records that includes policies, procedures, actions, activities, or assessments required

by the Security Rule; and retention, availability, and update requirements related to

the documentation.

Within the Security Rule sections are standards and implementation specifications. Each

HIPAA Security Rule standard is required. A covered entity is required to comply with

all standards of the Security Rule with respect to all EPHI.

Many of the standards contain implementation specifications. An implementation

specification is a more detailed description of the method or approach covered entities

can use to meet a particular standard.

Implementation specifications are either required

or addressable. However, regardless of whether a standard includes implementation

specifications, covered entities must comply with each standard.

• A required implementation specification is similar to a standard, in that a covered

entity must comply with it.

• For addressable implementation specifications, covered entities must perform an

assessment to determine whether the implementation specification is a reasonable and

appropriate safeguard for implementation in the covered entity’s environment. In

general, after performing the assessment, a covered entity decides if it will implement

the addressable implementation specification; implement an equivalent alternative

measure that allows the entity to comply with the standard; or not implement the

addressable specification or any alternative measures, if equivalent measures are not

reasonable and appropriate within its environment. Covered entities are required to

document these assessments and all decisions. For federal agencies, however, all of

the HIPAA Security Rule’s addressable implementation specifications will most

likely be reasonable and appropriate safeguards for implementation, given their sizes,

missions, and resources.

Where there are no implementation specifications identified in the Security Rule for a

particular standard, such as for the “Assigned Security Responsibility” and “Evaluation”

standards, compliance with the standard itself is required.

Appendix D of this document provides a crosswalk of the HIPAA Security Rule

standards and implementation specifications to relevant NIST publications and security

controls detailed in NIST SP 800-53.

For more information on the required analysis used to determine the manner of implementation of an implementation

specification, see § 164.306(d) of the HIPAA Security Rule (Security standards — General rules: Flexibility of

approach).

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)

Security Rule

For general HIPAA Security Rule information, visit the CMS HIPAA Web site at

http://www.cms.hhs.gov/SecurityStandard/.

2.2. NIST and its Role in Information Security

Founded in 1901, NIST is a non-regulatory federal agency within the U.S. Department of

Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness

by advancing measurement science, standards, and technology in ways that enhance

economic security and improve our quality of life. NIST is composed of several

laboratories that conduct research in a wide variety of physical and engineering sciences.

Lab researchers respond to industry needs for measurement methods, tools, data, and

technology, and collaborate with colleagues in industry, academic institutions, and other

government agencies.

The Computer Security Division (CSD), a component within NIST’s Information

Technology Laboratory (ITL), provides standards and technology to protect information

systems against threats to the confidentiality of information, the integrity of information

and processes, and the availability of information and services in order to build trust and

confidence in IT systems.

CSD develops and issues standards, guidelines, and other publications to assist federal

agencies in implementing the requirements of FISMA and in managing cost-effective

security programs to protect their information and information systems. Table 1

identifies and describes the types of NIST publications.

Table 1: NIST Publication Types

Publication Type Description

Federal Information

Processing Standards

(FIPS)

Developed by NIST in accordance with FISMA. They are

approved by the Secretary of Commerce and are compulsory and

binding for federal agencies. Since FISMA requires that federal

agencies comply with these standards, agencies may not waive their

use. FIPS may be used voluntarily by nonfederal organizations

(e.g., state/local/tribal governments, industry).

Special Publication (SP)

800-series

Reports on ITL’s research, guidelines, and outreach efforts in

information system security and its collaborative activities with

industry, government, and academia. Office of Management and

Budget (OMB) policies state that for other than national security

programs and systems, federal agencies must follow NIST

guidelines. SPs may be used voluntarily by nonfederal

organizations.

Other Security

Publications

Other publications including interagency reports (NISTIRs) and

ITL bulletins that provide technical and other information about

NIST’s activities.

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)

Security Rule

3. A Framework for Managing Risk

The HIPAA Security Rule is all about implementing effective risk management to

adequately and effectively protect EPHI. The assessment, analysis, and management of

risk provides the foundation of a covered entity’s Security Rule compliance efforts,

serving as tools to develop and maintain a covered entity’s strategy to protect the

confidentiality, integrity, and availability of EPHI.

All EPHI created, received, maintained, or transmitted by a covered entity is subject to

the Security Rule. Covered entities are required to implement reasonable and appropriate

security measures to protect against reasonably anticipated threats or vulnerabilities to the

security of EPHI. Under the Security Rule, covered entities are required to evaluate risks

and vulnerabilities in their environments and to implement security controls to address

those risks and vulnerabilities.

The selection and specification of security controls can be accomplished as part of an

organization-wide information security program that involves the management of

organizational risk - that is, the risk to information, individuals, and the organization as a

whole. The management of risk is a key element in the organization's information

security program and provides an effective framework for selecting the appropriate

security controls for an information system - the security controls necessary to protect

individuals and the operations and assets of the organization.

This section describes a process of managing risk to organizational missions and business

functions that arise from the operation and use of information systems by discussing each

phase of the NIST Risk Management Framework

and providing a mapping of this

framework to complementary requirements of the HIPAA Security Rule.

3.1. NIST Risk Management Framework (RMF)

The NIST RMF, illustrated in Figure 2, provides the covered entity with a disciplined,

structured, extensible, and repeatable process for achieving risk-based protection related

to the operation and use of information systems and the protection of EPHI. It represents

an information security life cycle that facilitates continuous monitoring and improvement

in the security state of the information systems within the organization.

The activities that compose the NIST RMF are paramount to an effective information

security program and can be applied to both new and legacy information systems within

the context of a system development life cycle. A risk-based approach to security control

selection and specification considers effectiveness, efficiency, and constraints due to

applicable laws, directives, Executive Orders, policies, standards, or regulations.

The flexible nature of the NIST RMF allows other communities of interest (e.g., state,

local, and tribal governments and private sector entities) to use the framework voluntarily

either with the NIST security standards and guidelines or with industry-specific standards

and guidelines. The RMF provides organizations with the flexibility needed to apply the

right security controls to the right information systems at the right time to adequately

NIST Special Publication 800-39, Managing Risk from Information Systems: An Organizational Perspective, (Second

Public Draft), April 2008.

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

Table 2: Linking the NIST RMF and the Security Rule

RMF Phase RMF Step Description Security Rule Link

Categorize Information Systems Security categorization, the first and arguably the most

important step in the RMF, employs FIPS 199 and NIST

SP 800-60 to determine the criticality and sensitivity of the

information system and the information being processed,

stored, and transmitted by the system. This exercise aids in

determining priorities for organizational information

systems and subsequently applying appropriate measures to

adequately protect the organizational missions and business

functions supported by those missions. The security

controls applied to a particular information system should

be commensurate with the potential impact on

organizational operations and assets, individuals, or other

organizations should there be a loss of confidentiality,

integrity, or availability.

Identify assets and information systems that create, receive,

transmit, or maintain EPHI.

Related Standards and Implementation Specifications:

164.308(a)(1)(i) – Security Management Process

Select Security Controls Security control selection, the second step in the RMF,

employs FIPS 200 and NIST SP 800-53 to identify and

specify appropriate security controls for the information

system. The selection of security controls for an

organization’s mission/business processes and the

information systems supporting those processes is a risk

mitigation activity. The security control selection process

consists of three activities:

• Selection of baseline security controls for each

information system from NIST SP 800-53 in

accordance with FIPS 199 impact levels determined

during the security categorization process;

• Application of security control tailoring guidance for

the information systems to allow organizations to

adjust the initial security control baselines with respect

to specific mission and business processes,

Select the standards and required implementation

specifications as the initial security control set. These

required security controls establish the baseline from which

to assess risk to EPHI.

Once the baseline is established, perform a risk assessment

and analysis to evaluate whether the standards and required

implementation specifications alone are reasonable and

appropriate to provide adequate protection against reasonably

anticipated threats or hazards to the confidentiality, integrity,

or availability of EPHI. The results of this risk assessment

and analysis will drive the selection of addressable

implementation specifications to adequately supplement the

baseline.

Supplement the initial set of standards and required

implementation specifications (baseline) with addressable

implementation specifications. The decisions to supplement

剩余116页未读，继续阅读

艾米的爸爸

粉丝: 790
资源: 314

NIST SP800-66 Rev1：HIPAA安全规则实施指南

NIST SP800-107 rev1：安全使用批准哈希算法的指南

NIST SP800-67 Rev1：三重数据加密算法（TDEA）

NIST SP800-135 Rev1: 安全应用特定密钥衍生函数要求

NIST SP800-107 rev1.pdf

NIST SP800-51rev1.pdf

NIST SP800-22rev1a.pdf

NIST SP800-67 Rev1.pdf

NIST SP800-18 Rev1.pdf

NIST SP800-61 rev1.pdf

NIST SP800-135 rev1.pdf

最新资源