Performing independent security assessments


May 29, 2018

Context

To implement key provisions in the Affordable Care Act (ACA), the Centers for Medicare and Medicaid Services (CMS) provides matching funds to state health agencies for major health information technology (IT) initiatives. State health agencies receiving Federal funding to implement their health IT solutions must adhere to security requirements specified by CMS in the Minimum Acceptable Risk Safeguards for Exchanges (MARS-E), including developing detailed security and privacy documentation and undergoing an independent security assessment. The assessment process and the system certifications it supports present each state and the Federal government with a verified measurement of the extent to which required security controls are implemented correctly and operating as intended. Federal approval of state compliance with security and privacy requirements is a critical milestone in the successful deployment of major health IT systems.


Challenge

The MARS-E security and privacy framework mandates more than 250 controls derived from Federal legal and regulatory requirements. Although most states have long-standing security policies, procedures, and controls in place, few state agencies are accustomed to the large number of controls, or to the level of detail required in the security plans and other documentation that must be submitted for approval. Preparing this security documentation demands a significant commitment of time and resources, and often puts substantial pressure on system development and implementation teams. The security assessment offers an opportunity for state agencies to confirm compliance with Federal requirements, to meet deadlines for receiving authority to operate or to connect to Federal systems, and to identify and respond to areas where system security can be improved.

The scope of required security and privacy controls spans managerial, operational, and technical controls, whether those controls are specific to the system or are "inherited" common controls: controls used by the system but implemented and maintained outside it, rather than dedicated solely to it. Common controls often result from operating a system in a data center or managed hosting environment, or from leveraging services, capabilities, or infrastructure provided by the state (or, increasingly, by a cloud-computing service provider) to support multiple systems. To perform security assessments effectively, assessors must have a thorough understanding of information security control objectives and the associated procedures and technologies. A small assessment team, or an assessor working alone, must have broad security knowledge across all 18 security-control families and eight privacy-control families, and enough experience examining security and privacy controls in practice to evaluate accurately the effectiveness of specific controls as implemented. Security control assessments are only as reliable as the assessors who perform them and the methodologies, tools, and techniques those assessors use. Agencies can mitigate the risk of insufficiently rigorous assessments by requiring highly experienced assessors with verified credentials, and by ensuring that assessors are truly independent of the system development and operations teams whose work they evaluate.


Our Innovative Solution

Cognosante’s approach to performing security assessments for state health IT systems is closely aligned with CMS guidance and expectations and incorporates established methodologies specifically designed for information systems in Federal and state government agencies. Our assessors have expertise developing system security plans and performing security assessments for many different state health IT systems, as well as for CMS and other Federal agency information systems. We recognize that imposing Federal security control requirements on new or existing state systems often raises questions or concerns about applicability. When working with state agencies and their system development teams, we emphasize the purpose and security objectives of each control. This understanding informs risk-based decisions about corrective actions: which additional controls to implement, and which gaps or deficiencies to accept without remediation. Cognosante has developed tools and templates to guide the assessment process, facilitate frequent communication between the assessment team and the system development team, and enable us to complete assessments accurately and efficiently.


Tangible Result

Whether states undertake independent security assessments to satisfy Federally imposed obligations or to improve the efficiency and effectiveness of their security practices, one important outcome of an assessment is confirmation that appropriate security measures are implemented to protect state health IT systems and the sensitive data they hold. Where Federal approval is needed, it is essential that the security documentation delivered to CMS is accurate, complete, and sufficiently detailed to justify the award of an authority to connect or an authority to operate. Assessment results also help states understand and prioritize opportunities for improving the security posture of their systems.

More than a dozen assessments completed by Cognosante since 2014 have resulted in system authority to operate or authority to connect to Federal systems, and have fully qualified state agencies for Federal matching funds.