Regulated Data: HIPAA and FISMA Compliance
Regulatory compliance is rapidly emerging as a major challenge for IT organizations with little or no prior experience with regulated data. Environments such as
CACR's expertise is derived from nearly a decade of experience tackling cyber compliance for the University Information Technology Services (UITS), IU's central IT organization. UITS began facing regulated data in 2007 as rising storage, analysis, and management needs began to force biomedical researchers toward central systems. Anticipating this appetite for capacity to escalate, IU made a decision to launch a significant effort to make its centrally provisioned research cyberinfrastructure HIPAA compliant. This early and unique exposure to regulatory issues outside healthcare IT played a key role in the development and implementation of a standards-based cybersecurity Risk Management Framework (RMF). CACR leverages this comprehensive, flexible, and reusable framework to tackle HIPAA and FISMA at IU.
Supporting Indiana University
IU has a substantial clinical footprint. Its Schools of Medicine, Optometry, Nursing, Public Health, and Speech and Hearing comprise over 5000
CACR provides HIPAA and FISMA resources nationally and has assisted numerous research and academic institutions such as the University of Kentucky, University of Chicago, Ball State University, NCSA, NCAR, and more. Other organizations that have leveraged CACR's HIPAA and FISMA expertise include the Coalition for Advanced Scientific Computation (CASC), where CACR played a key role in the formation of a Regulated Data Working Group to address the growing need for compliance, and the Central for Trustworthy Scientific Computing (CTSC), where CACR provides regulated data training to NSF-funded, large research facilities. CACR is also a regular presence at conferences such as Internet2 Technology Exchange and the American Medical Center Conference on Privacy and Security where it covers HIPAA and FISMA compliance.
CACR's Regulated Data Resources
CACR provides the following HIPAA and FISMA resources.
- Documentation Templates and Instructions
- To help document compliance (system, software, controls, and risk), CACR provides a collection of NIST/FISMA derived templates with in-line instructions and example text that can be used to address both HIPAA and FISMA simultaneously.
- Building a NIST Risk Management Framework for HIPAA and FISMA Compliance
- A Powerpoint presentation from a half-day tutorial at the 2016 NSF Cybersecurity Summit that covers the regulations, risk management, NIST RMF, and how to leverage it for compliance.
- HHS HIPAA Site - The main HIPAA site managed by the Dept. of Health and Human Services.
- DHS FISMA Site - The main FISMA site managed by the Dept. of Homeland Security.
- NIST Special Publications 800 Site - Including SP 800-53, 800-66, etc.
- NIST HIPAA Security Rule Toolkit -
Java basedtool which asks a thousand questions and exports a document with answers.
- HIPAA Security Risk Assessment Tool - Spreadsheets with questions pertaining to each HIPAA Security Rule that document risk and remediation from the Office of the National Coordinator for Health IT.
Please email firstname.lastname@example.org.