Revisiting FISMA, HIPAA, and Zero Trust
By Gil Vidals, , HIPAA Blog, Resources

At HIPAA Vault, we’re sometimes asked how HIPAA Compliance relates to FISMA, a federal data security requirement. Here’s what you need to know:

In the world of compliance requirements, two types of business organizations are generally distinguished.

The first, known as the “private sector,” has to do with the for-profit, commercial industry, comprised of businesses (including healthcare) owned by private individuals or enterprises.  

The regulations that apply to these may include HIPAA (for protected health information), SOX (for financial reporting), GLB (pertaining to information sharing), and others.

The “public sector,” on the other hand, is the business of the US Federal Government and its agencies. These may include governing security controls as well as the requirements of FISMA.

So, what is FISMA?

FISMA, or the Federal Information Security Management Act (enacted in 2002 and modernized in 2014) requires all federal agencies to protect sensitive data, according to the relevant information security guidelines of the FIPS 199 & 200 publications and the technical configurations found in the NIST (National Information Security and Technology) 800 series, especially SP-800-53.

A cyber side-note: Continued targeting of global governments – including this month’s attack by the Russian group CLOP that affected several US agencies (including the Department of Energy) by exploiting a new flaw in the widely used file-transfer software known as MOVEit – has only reinforced the need to modernize FISMA and make cybersecurity a top priority.

While further updates to FISMA are expected, President Biden’s Executive Order on Improving the Nation’s Cybersecurity in May of 2021 was an important step toward promoting increased collaboration between the public and private sectors on cybersecurity issues and establishing new cybersecurity standards for federal contractors.

A Cyber Safety Review Board was also established by the order, as well as the implementation of a Zero Trust architecture for federal networks – a security model that supports many of the HIPAA technical safeguards.

As the Cybersecurity Infrastructure and Security Agency defines it in their Zero Trust Security Model publication, Zero Trust is:

“a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a breach has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified.

Zero Trust (an approach that HIPAA Vault employs), “presents a shift from a location-centric model to an identity, context, and data-centric approach with fine-grained security controls between users, systems, applications, data, and assets that change over time; for these reasons, adopting a ZTA is a non-trivial effort.”

So How Does FISMA Relate to HIPAA?

While FISMA and HIPAA requirements do share similarities in terms of required safeguards for sensitive information, the key difference is that agencies subject to FISMA may not necessarily deal with protected health information.

That said, employing strong FISMA safeguards essentially fulfills the safeguards required under HIPAA Compliance.

This does not hold true going in the opposite direction, however; HIPAA guidelines do not encompass all that is required for FISMA compliance. 

HIPAA was designed for covered entities (those who transmit or store protected health information, or PHI) to address the provisions required for the security and privacy of that patient data.

This may also apply to a subset of government agencies who do handle PHI; under FISMA, however, ALL government agencies must assess, develop, and document their particular data security requirements and associated information systems in order to meet FISMA/NIST standards. (Not all NIST 800-53 controls will apply to every agency, as requirements may differ).

In general, these standards include:

  • Planning for security, including risk assessment of information and systems to ensure the highest levels of security (See FIPS 199)

  • Ensuring that appropriate officials are assigned security responsibility

  • Periodically reviewing the security controls in their systems

  • Authorizing system processing prior to operations and, periodically, thereafter

You can read more about FISMA requirements and their implementation here

A Few Questions About FISMA

The question may arise, Are state agencies also required to meet FISMA, as well as HIPAA compliance? The answer is yes, for those state-level agencies that are covered entities and administer federal programs – such as Medicare and Medicaid, or veteran’s health programs, both would apply.

Other federal programs administered on the state level such as unemployment insurance and student loans would also require FISMA compliance. 

Another important question concerning FISMA is, What if private enterprises bid on and secure government contracts?

These companies – if they administer federal funds to healthcare or the life sciences, for example, or to various technology-related companies – will also be responsible to meet FISMA requirements. This requirement must not be overlooked, lest critical funding is withdrawn and the company is left in serious financial straits.

Companies preparing to compete for business with the federal government give themselves an advantage by maintaining FISMA compliance.     

Finally, there are certain instances – such as with the Federal Data Services Hub used for the Affordable Care Act – where a database contains both HIPAA and Federal Government information (e.g. income rates, employment status, health entitlements, criminal record, SSN, etc.) within the same environment.

In this instance, since medical information coexists along with federal data hosted in the same infrastructure, HIPAA Compliance and FISMA Requirements are both considered paramount, and technical considerations should be configured accordingly.  

If you have any questions about how your data can be secured to meet the appropriate compliance requirements, give us a call at 760-290-3460, or visit us at www.hipaavault.com

HIPAA Vault is a leading provider of HIPAA-compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Customers trust HIPAA Vault to mitigate risk, actively monitor and protect their infrastructure, and ensure that systems stay online at all times. In addition to providing a secure infrastructure for telehealth companies, HIPAA Vault provides secure email, HIPAA-compliant WordPress, and secure file-sharing solutions.