Introduction
Information security plays a significant role in protecting an organization's assets. No single formula guarantees 100% security, so a set of standards or benchmarks is needed to attain an adequate level of security, efficient use of resources, and adherence to best practices. This paper consists of a detailed analysis of the security standards used by the Department of Health and Human Services. DHHS is the nation's largest health insurer and also the biggest grant-making agency in the federal government. Its standards are compared and contrasted with those of FIPS 200 and ISO 27002. ISO 27002 is a code of practice for information security that is used throughout the world as a standard for information
Due to the diversity of the healthcare sector, the security rule is designed to be flexible and scalable, so that every covered entity can implement procedures, policies, and technologies appropriate to its size, its risk to consumers, and its organizational structure. All entities regulated by the security and privacy rules are required to comply with all the applicable requirements (Raggad,
Organizations are required first to categorize their information system in accordance with FIPS in order for them to comply with the security standards. Appropriately tailored baseline security controls are then applied. NIST special publication 800-53 contains the baseline security guidelines. Listed below are the baseline control recommendations.
• Access control - limits access to information systems by unauthorized users, and restricts authorized users to the types of functions and transactions they are permitted to perform.
• Accreditation, certification, and security assessment - the organization's security controls should be periodically assessed, with plans of action developed and implemented; this program of activities records deficiencies and eliminates vulnerabilities.
• Risk assessment - the risk to individuals, assets, and operations arising from the operation of the system and the associated storage, processing, or transmission of information is periodically assessed.
Areas of