The 3 Classes of MARS-E for ACA Compliance

The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can easily shop around for health insurance and find the best option for them by comparing price, benefits, services, and quality. In order to obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires that certain security standards and protocols be met by these Exchanges in order to make every effort to protect and ensure the confidentiality, integrity, and availability of the system and its users.

These Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three different classes: technical, operational, and management. These classes consist of nineteen various control families, handling everything from Personally Identifiable Information (PII) to Protected Health Information (PHI), and Federal Tax Information (FTI).

TECHNICAL

• Access Control (AC) – limit access to unauthorized users, and to the types of transactions and functions that authorized users are permitted to exercise. Incorporate processes acting on behalf of authorized users, and devices.
• Audit and Accountability (AU) – create, protect, and retain IT system audit records and ensure that the actions of individual users can be uniquely traced in order to hold them accountable for their actions.
• Identification and Authentication (IA) – as a prerequisite to users gaining access, authentication of the identities of the users, devices, and processes acting on behalf of users must be determined.
• System and Communications Protection (SC) – monitor, control, and protect communications, while employing architectural designs, software development techniques, and systems engineering principles that promote effective information security (IS) within Exchange.

OPERATIONAL

• Awareness and Training (AT) – ensure that managers and users are aware of the security risks involved, and that personnel are adequately trained to carry out their assigned IS-related duties and responsibilities
• Configuration Management (CM) –establish and maintain baseline configurations and inventory throughout system development life cycles, and how to establish and enforce security configuration settings IT technology products employed in the Exchange system.
• Contingency Planning (CP) –establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery to ensure the availability of critical information resources and continuity of operations in emergency situations.
• Incident Response (IR) – establish an operational incident handling capability that includes adequate preparation, detection, analysis, containment, recovery, and user response activities, with a process to track, document, and report incidents to appropriate officials and/or authorities.
• Maintenance (MA) – perform periodic and timely maintenance on organizational information systems, while providing effective controls on the tools, techniques, mechanisms, and personnel used to conduct the maintenance.
• Media Protection (MP) – protect IT system media, limit access of information to authorized users only, and sanitize or destroy media before disposal or release for reuse.
• Physical and Environmental Protection (PE) – limit physical access to systems, equipment, and the respective operating environments to authorized individuals. Protect the physical plant and support infrastructure for system, while providing support utilities, protecting against environmental hazards, and providing appropriate environmental controls in facilities containing the system.
• Personnel Security (PS) – ensure individuals occupying positions of responsibility are trustworthy and meet established security criteria for those positions. Ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers. Employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
• System and Information Integrity (SI) – identify, report, and correct information and system flaws in a timely manner, while providing protection from malicious code, and monitoring system security alerts and advisories.

MANAGEMENT

• Security Assessment and Authorization (AU) – periodically assess the security controls, develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities, authorize the operation of the Exchange system and any associated IT system connections, and monitor the system’s security controls on an ongoing basis to ensure the continued effectiveness of the controls.
• Planning (PL) – develop, document, periodically update, and implement security plans for the Exchange system that describe the security controls in place or planned for the system and the rules of behavior for individuals accessing the system.
• Risk Assessment (RA) – periodically assess the risk of the Exchange operations, assets, and individuals, resulting from the operation of the system and the associated processing, storage, or transmission of the information.
• System and Services Acquisition (SA) – allocate sufficient resources to adequately protect the system, employ system development life cycle processes that incorporate IS considerations, employ software use and installation restrictions, and ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
• Program Management (PM) – an overall focus on the organization-wide information security requirements that are essential for managing information security programs.

There is one last control family that is not a part of one of the three classes, and that is FTI Safeguards, the additional controls required by the IRS Publication 1075, which puts in place safeguards for protecting Federal Tax Returns and Return Information.

THINGS TO CONSIDER

When launching a MARS-E or HIX compliance program the first step you should take is getting to know the federal and state requirements. Then you go on to assess your levels of compliance within your company, and identify areas that are at risk or could be improved. You will also want to establish your system to monitor ongoing compliance, so that you can ensure compliancy at all times.