Why Should You Follow FIPS 199?
Posted by: pabrai
FIPS 199, published by NIST, is a FISMA mandate. Even though it may not be called out by other regulations, it is an important work that security professionals and management must be aware of and familiar with. So what is so special about FIPS 199? The FIPS 199 publication establishes security categories for both information and information systems. Compliance mandates require organizations to meet requirements such as contingency planning and conducting a Business Impact Analysis (BIA). Applying FIPS 199 categorization is required by the FISMA regulation, and it is something I would highly encourage healthcare organizations, covered entities as well as business associates, to conduct on a regular schedule.
The security categories defined within FIPS 199 are based on the potential impact on an organization should certain events occur which jeopardize the information and information systems needed by the organization to accomplish its assigned mission, protect its assets, fulfill its legal responsibilities, maintain its day-to-day functions, and protect individuals. Security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.
FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security (i.e., a loss of confidentiality, integrity, or availability).
- The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
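The following is an added example, not part of the original post, that encodes the SC notation above and goes one step beyond it: FIPS 199 also specifies that an information system's category is the high water mark of the information types it processes, with a floor of LOW, and that NOT APPLICABLE is allowed only for confidentiality of an information type. The clinic portal and its information types are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential-impact values, ordered so max() yields the high water mark."""
    NOT_APPLICABLE = 0
    LOW = 1
    MODERATE = 2
    HIGH = 3

    @property
    def label(self) -> str:
        return self.name.replace("_", " ")


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def __post_init__(self) -> None:
        # FIPS 199 permits NOT APPLICABLE only for the confidentiality objective.
        if Impact.NOT_APPLICABLE in (self.integrity, self.availability):
            raise ValueError("NOT APPLICABLE is only permitted for confidentiality")

    def format(self, name: str) -> str:
        """Render the category in the FIPS 199 notation used in the post."""
        return (f"SC {name} = {{(confidentiality, {self.confidentiality.label}), "
                f"(integrity, {self.integrity.label}), "
                f"(availability, {self.availability.label})}}")


def system_category(info_types: dict[str, SecurityCategory]) -> SecurityCategory:
    """High water mark per objective across all information types a system handles.
    A system is at least LOW for every objective, so a NOT APPLICABLE
    confidentiality value on an information type is raised to LOW here."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    floor = Impact.LOW
    cats = list(info_types.values())
    return SecurityCategory(
        confidentiality=max([floor] + [sc.confidentiality for sc in cats]),
        integrity=max([floor] + [sc.integrity for sc in cats]),
        availability=max([floor] + [sc.availability for sc in cats]),
    )


# Constructed sample: information types a hypothetical clinic web portal processes.
CLINIC_PORTAL = {
    "patient records": SecurityCategory(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "public health notices": SecurityCategory(Impact.NOT_APPLICABLE, Impact.MODERATE, Impact.LOW),
}

if __name__ == "__main__":
    for name, sc in CLINIC_PORTAL.items():
        print(sc.format(name))
    print(system_category(CLINIC_PORTAL).format("clinic portal"))
```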
So get familiar with FIPS 199 - if you are not already - and apply it to categorize assets within your organization.
