The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
This final rule defines "Security incident" as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." The final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers. The use of the security standards will improve the Medicare and Medicaid programs, and other Federal health programs and private health programs, and the effectiveness and efficiency of the health care industry in general by establishing a level of protection for certain electronic health information. The final rule implements some of the requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Recovery Act funding will accelerate HHS efforts to improve the security of its computer systems, which must protect the sensitive information held by the agency's many health, social, and research programs. Recent compromises of Federal government computer systems and data require concerted and coordinated actions across HHS that are commensurate with the sustained level of sophisticated cyber attacks targeting Federal government computer systems, including HHS computer systems. Department and Operating Division (OPDIV) security leadership embarked in early FY 2009 on multiple discussions to define the requirements, scope, and desired security capabilities that would substantially improve the IT security posture of HHS as a whole. The initiatives identified here reflect agency-wide collaboration. A primary objective of HHS IT security efforts is to have the ability to rapidly determine the enterprise security risk posture of operational IT systems and computer networks throughout the Department. Significant enhancements to our key information assurance capabilities will be required to more effectively detect, defend against, and mitigate attacks on HHS systems. Current capabilities vary across HHS organizational components. With interconnected computer systems, a weakness in any OPDIV potentially introduces security risks for all OPDIVs. Reviews by the Office of the Inspector General (OIG) and the Government Accountability Office (GAO) recommended a number of HHS computer systems security capabilities for enhancement. This HHS IT security Recovery Act spend plan addresses the issues and recommendations arising from forensics and audit reports. IT security is a critical issue throughout the Federal government, as nation states, commercial competitors, identity thieves, and computer hackers have significantly ramped up their efforts to attack and penetrate U.S. government computer systems.
HHS' ability to continue to fulfill our national health-related mission and functions as our budget grows to support economic recovery depends on our ability to maximize the secure use of the powerful computing resources that are available to us today.
Recovery Act funds will be used to purchase hardware, software and IT security related services. The plan encompasses four initiatives, which streamline the original five developed at the start of the program. The new initiatives reorganize program activities in a more logical and efficient manner:
• Security Incident Response & Situational Awareness (CSIRC): Expand capabilities of the HHS Computer Security Incident Response Center (CSIRC), which is co-located with the CDC Security Operations Center in Atlanta, GA. Provide enhanced Department-wide computer systems intrusion detection capabilities, security information and event management systems, and network forensics capabilities.
• Federal Information Security Management Act (FISMA) – Security Engineering and Technical Staff Support: Alleviate the current security workload backlog of OPDIV security staffs, allowing OPDIVs to respond in a more timely manner to FISMA program tasks, begin more timely reviews of system audit logs, and reduce the Plan of Action and Milestones (POA&M) backlog.
• Computing Infrastructure Security Redesign Projects: Develop or update OPDIV plans for securely architecting our computing environments into secure enclaves; implement a number of network security enhancements at several OPDIVs.
• Endpoint Protection Security Tools: Provide OPDIVs with advanced security tools to strengthen end user computer defense mechanisms against malware attacks, and help prevent sensitive data from being extracted from the HHS computer systems and databases.