Carnegie Mellon University
Browse

Mapping of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the Cyber Resilience Review (CRR)

Download (1.15 MB)
report
posted on 2020-08-21, 21:11 authored by Gregory PorterGregory Porter, Matthew TrevorsMatthew Trevors, Robert VrtisRobert Vrtis
This technical note provides a description of the methodology used and observations made while mapping the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to the practice questions found in the CERT® Cyber Resilience Review (CRR). The mapping that emerged allows health care and public health organizations to use CRR results not only to gauge their cyber resilience, but to examine their current baseline with respect to the HIPAA Security Rule and the NIST Cybersecurity Framework (CSF). Both the CRR and HIPAA Security Rule have been mapped to the NIST CSF. The authors used these mappings and their extensive experience with CRRs to propose the mapping found in this technical note. The mappings between the CRR practices and the HIPAA Security Rule are intended to be informative and do not imply or guarantee compliance with any laws or regulations. The proposed mapping shows that the CRR provides complete coverage of the HIPAA Security Rule. As a result, organizations that must adhere to the HIPAA Security Rule can use the CRR to indicate their compliance with the Security Rule.

History

Publisher Statement

This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8702-15-D-0002 with Carnegie Mellon University for the operation of the Soft-ware Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense. The view, opinions, and/or findings contained in this material are those of the author(s) and should not be construed as an official Government position, policy, or decision, unless designated by other documentation. This report was prepared for the SEI Administrative Agent AFLCMC/AZS 5 Eglin Street Hanscom AFB, MA 01731-2100 NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Date

2018-03-28

Copyright Statement

Copyright 2018 Carnegie Mellon University. All Rights Reserved.

Usage metrics

    Categories

    Keywords

    Cyber Risk and Resilience ManagementHIPAAsecurity requirementsCERTComputer System SecurityHealth Informatics

    Licence

    In Copyright

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC