The 3 Classes of MARS-E for ACA Compliance


March 1, 2023

The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can shop for health insurance and find the best option for them by comparing price, benefits, services, and quality. To obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires these Exchanges to meet specific security standards and protocols that protect the confidentiality, integrity, and availability of the system and its users.

MARS-E encompasses Management, Technical, and Operational classes

These Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three classes: technical, operational, and management. The classes are made up of nineteen control families, covering everything from Personally Identifiable Information (PII) and Protected Health Information (PHI) to Federal Tax Information (FTI).


TECHNICAL

  • Access Control (AC) – limit system access to authorized users, to processes acting on behalf of authorized users, and to authorized devices, and limit those users to the types of transactions and functions they are permitted to exercise.
  • Audit and Accountability (AU) – create, protect, and retain IT system audit records and ensure that the actions of individual users can be uniquely traced to them, so that they can be held accountable for their actions.
  • Identification and Authentication (IA) – identify and authenticate users, devices, and processes acting on behalf of users as a prerequisite to granting them access.
  • System and Communications Protection (SC) – monitor, control, and protect communications, while employing architectural designs, software development techniques, and systems engineering principles that promote effective information security (IS) within the Exchange.
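The three families that act at the point of access (IA, AC, and AU) tend to show up together in application code: a caller is authenticated, the requested function is checked against what that caller is permitted to do, and the decision is recorded in a way that names the user and resists later editing. The script below is an added example, not code from the original post or from the MARS-E standard; the user IDs, roles, passwords, permission table, and the simple salted-SHA-256 credential store are constructed for the demonstration (a production Exchange would use a purpose-built password hash and multi-factor authentication).

```python
"""Added example (not from the original post): a minimal sketch of how the
technical MARS-E families interact in application code.

  IA  - callers are identified and authenticated before any access decision
  AC  - each authenticated principal may only invoke permitted functions
  AU  - every decision (allowed or denied) is written to a hash-chained audit
        log that attributes the action to a unique user ID and can be checked
        for tampering

Names, roles, passwords and the credential store are constructed for the demo.
"""
import hashlib
import hmac
import json
import time


def _hash_pw(salt: bytes, password: str) -> str:
    # Constructed demo credential hash; not a recommendation for production.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed user store: user id -> salt, credential hash, role.
_USERS = {
    "u1001": {"salt": b"s1", "pw": _hash_pw(b"s1", "correct horse"), "role": "caseworker"},
    "u2002": {"salt": b"s2", "pw": _hash_pw(b"s2", "battery staple"), "role": "auditor"},
}

# AC: role -> functions that role is permitted to exercise (least privilege).
_PERMISSIONS = {
    "caseworker": {"view_application", "update_application"},
    "auditor": {"view_application", "read_audit_log"},
}


class AuditLog:
    """AU: append-only, hash-chained records so later modification is detectable."""

    def __init__(self):
        self.records = []

    def append(self, user_id, action, outcome):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = {"ts": time.time(), "user": user_id, "action": action,
               "outcome": outcome, "prev": prev}
        body = json.dumps(rec, sort_keys=True).encode()
        rec["hash"] = hashlib.sha256(prev.encode() + body).hexdigest()
        self.records.append(rec)
        return rec

    def verify(self):
        """Return True if every record still chains correctly to its predecessor."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev"] != prev:
                return False
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(
                prev.encode() + json.dumps(body, sort_keys=True).encode()).hexdigest()
            if not hmac.compare_digest(expected, rec["hash"]):
                return False
            prev = rec["hash"]
        return True


def authenticate(user_id, password):
    """IA: return the principal's role only if identity and credential check out."""
    entry = _USERS.get(user_id)
    if entry is None:
        return None
    candidate = _hash_pw(entry["salt"], password)
    if not hmac.compare_digest(candidate, entry["pw"]):
        return None
    return entry["role"]


def perform(log, user_id, password, action):
    """Authenticate, check authorization, and audit the result (allowed or denied)."""
    role = authenticate(user_id, password)
    if role is None:
        log.append(user_id, action, "denied:authentication_failed")
        return False
    if action not in _PERMISSIONS.get(role, set()):
        log.append(user_id, action, "denied:not_authorized")
        return False
    log.append(user_id, action, "allowed")
    return True


def demo():
    """Run three requests, then show that editing a past record is detected."""
    log = AuditLog()
    results = [
        perform(log, "u1001", "correct horse", "update_application"),  # allowed
        perform(log, "u1001", "correct horse", "read_audit_log"),      # not authorized
        perform(log, "u2002", "wrong", "read_audit_log"),              # bad credential
    ]
    intact_before = log.verify()
    # Simulate an after-the-fact edit of the first record: the chain breaks.
    log.records[0]["outcome"] = "denied:not_authorized"
    intact_after = log.verify()
    return results, intact_before, intact_after


if __name__ == "__main__":
    print(demo())
```

Note that denied attempts are logged as well as allowed ones; an AU control that records only successes cannot support tracing an attempted misuse back to the account that made it, and the chained hash is what lets a reviewer tell a retained record from a rewritten one.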


OPERATIONAL

  • Awareness and Training (AT) – ensure that managers and users are aware of the security risks involved, and that personnel are adequately trained to carry out their assigned IS-related duties and responsibilities.
  • Configuration Management (CM) – establish and maintain baseline configurations and inventories throughout the system development life cycle, and establish and enforce security configuration settings for the IT products employed in the Exchange system.
  • Contingency Planning (CP) – establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery to ensure the availability of critical information resources and continuity of operations in emergency situations.
  • Incident Response (IR) – establish an operational incident handling capability that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, with a process to track, document, and report incidents to appropriate officials and/or authorities.
  • Maintenance (MA) – perform periodic and timely maintenance on organizational information systems, while providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct the maintenance.
  • Media Protection (MP) – protect IT system media, limit access of information to authorized users only, and sanitize or destroy media before disposal or release for reuse.
  • Physical and Environmental Protection (PE) – limit physical access to systems, equipment, and their operating environments to authorized individuals. Protect the physical plant and support infrastructure for the system, while providing support utilities, protecting against environmental hazards, and providing appropriate environmental controls in facilities containing the system.
  • Personnel Security (PS) – ensure individuals occupying positions of responsibility are trustworthy and meet established security criteria for those positions. Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers. Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
  • System and Information Integrity (SI) – identify, report, and correct information and system flaws in a timely manner, while providing protection from malicious code, and monitoring system security alerts and advisories.