Continuous Monitoring and Reporting: The New “Reasonable and Appropriate” for Healthcare Compliance
Passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, and the enforcement and audit practices that have since emerged, significantly elevate the importance for covered entities of achieving compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Far from prescriptive, the Security Rule requires implementing those measures and technologies that are deemed “reasonable and appropriate” to reduce risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).
A challenge in its own right, this “vagueness-intended-to-provide-flexibility” is taking on a new dimension as healthcare organizations are discovering that the Federal Information Security Management Act (FISMA) – the regulatory impetus for securing federal agencies – has bearing on their compliance efforts as well. As it turns out, FISMA is directly applicable to many healthcare organizations because of the interactions they have with certain federal agencies, such as the Centers for Medicare and Medicaid Services (CMS). For all others, the impact is indirect, but no less real. It stems from the fact that the underlying security standards used for FISMA – which also represent industry best practice – are steadily being revised to specify continuous monitoring and reporting as the new standard of due care necessary to ensure the ongoing effectiveness of implemented countermeasures.
This paper reveals how healthcare organizations can leverage Tenable solutions not only to automate and simplify compliance with the HIPAA Security Rule, but also to fully address the need for continuous monitoring and reporting capabilities and improve their overall security posture.