Coming out of the latest CONNECT User Training Seminar held this week in Washington, DC is a reiteration of the opinion long expressed by federal stakeholders working on the Nationwide Health Information Network (NHIN): that non-federal entities seeking to participate in the NHIN need to bring their security and privacy practices up to at least the level of federal practices under FISMA. The implicit message is that the security practices of private sector healthcare organizations and other businesses are less rigorous and less effective than those of public sector organizations. The recommendation is that all would-be NHIN participants should put in place a risk-based security management and security control program such as the framework articulated in NIST Special Publication 800-53, which is used by all federal agencies. What seems a bit surprising, whatever one thinks of that opinion, is the statement, repeated on Tuesday by the CIO of the Centers for Medicare and Medicaid Services (CMS), that current government security and privacy practices are the model that should be extended to apply to the private sector. There is no argument that a baseline set of security standards and practices would go a long way toward establishing the minimum level of trust needed for public and private sector entities to be comfortable sharing health data.
Any organization currently following the ISO/IEC 27000 series standards for risk management and information security controls is already assuming a posture comparable to that of a federal agency using SP 800-53. No less an authority than the FISMA team at NIST has acknowledged the many overlaps between the 800-53 and ISO/IEC 27002 control sets (800-53 itself includes a mapping between the two), and NIST's more recently released SP 800-39 risk management guidance was influenced by the corresponding risk management elements in ISO/IEC 27001, 27002, and 27005 as well.
Here again, it is hard to argue against the idea that some form of certification (or compliance with independent validation) of security controls could help implement, track, and enforce specific security measures across all participating organizations. The hardest part to accommodate may be the need for organizations to attest to the security of their systems and supporting processes. The federal model for certification and accreditation is a self-accrediting form of security governance, so the logical extension of this model would be to have private enterprises similarly self-certify and assert that their security and privacy practices are adequate. While there are explicit legal penalties for violations of health privacy and security laws such as HIPAA, the only consequence for a federal agency that fails to carry out effective security practices under FISMA is a poor grade on an OMB report card. Aside from the trust issues inherent in any subjective approach based on self-reported compliance, it is not at all clear what level of oversight would be put in place under the still-emerging NHIN governance framework, or what federal laws have to offer in terms of an effective equivalent. FISMA simply isn't a good model for verifying effective security.