
NIST 800-171: Definition and Tips for Compliance


Do you or does a company you work with deal with the Federal Government? The National Institute of Standards and Technology (NIST) has some important information regarding your important information.

NIST 800-171, interchangeably referred to as NIST SP 800-171, went into full effect December 31, 2017: even if you don’t fall under the jurisdiction of NIST SP 800-171, the core competencies are still good data security guidelines.

What is NIST 800-171?

NIST itself is a non-regulatory Federal agency responsible for establishing guidelines that apply to Federal agencies on many topics – including cybersecurity. NIST 800-171, a companion document to NIST 800-53, dictates how contractors and sub-contractors of Federal agencies should manage Controlled Unclassified Information (CUI) – it’s designed specifically for non-federal information systems and organizations.

NIST SP 800-171 began its life as Executive Order 13556 signed by President Obama in 2010, directing all Federal agencies to safeguard their CUI and establishing a unified policy for all agencies to follow for data sharing and transparency.

After a few data breaches in Federal agencies – USPS, NOAA, and OPM – NIST and the Federal government started to focus more on cybersecurity: in 2014 Congress passed FISMA, NIST followed up with NIST 800-53, and later, NIST 800-171.


What’s the Purpose of NIST 800-171?

NIST 800-171 standardizes how federal agencies define CUI: data that is private and sensitive but not classified per federal law. We aren’t talking about the list of BlackOps operating in enemy territories – different laws govern national security stuff – but data that is covered by SOX or HIPAA, for example. Each agency is responsible for providing the details of what kind of data is CUI to the National Archives and Records Administration, the agency charged with enforcement of EO 13556.

NIST SP 800-171 controls apply to federal government contractors and sub-contractors. If you or another company you work with has a contract with a federal agency, you must be compliant with this policy. Federal agencies may include specific requirements in their contracts; however, even if your contract lacks those clauses, NIST 800-171 still applies to your agreements.

Here are a few agencies or organizations that need to comply with NIST 800-171.

  • Contractors for Department of Defense (DoD)
  • Contractors for General Services Administration (GSA)
  • Contractors for National Aeronautics and Space Administration (NASA)
  • Universities and research institutions supported by federal grants
  • Consulting companies with federal contracts
  • Service providers for federal agencies
  • Manufacturing companies supplying goods to federal agencies

Like NIST 800-53, NIST 800-171 provides a list of controls that explain the compliance requirements.

  1. Access Control (Who has access and are they supposed to?)
  2. Awareness and Training (Did you train your staff about CUI?)
  3. Audit and Accountability (Do you know who is accessing CUI?)
  4. Configuration Management (Are you following the RMF guidelines to maintain secure configurations and manage change?)
  5. Identification and Authentication (Are you managing and auditing access to CUI?)
  6. Incident Response (What happens when there is a data breach?)
  7. Maintenance (See #4)
  8. Media Protection (How are backups, external drives, and retired equipment handled?)
  9. Physical Protection (Who can access the place where your CUI lives?)
  10. Personnel Security (Is your staff trained to identify insider threats?)
  11. Risk Assessment (Have you done a risk assessment? Do you have scheduled pentesting exercises?)
  12. Security Assessment (How do you verify the security procedures are in place?)
  13. System and Communications Protection (Are your communications channels secure?)
  14. System and Information Integrity (Is the process to address new vulnerabilities or system down situations defined?)

Benefits of NIST 800-171

Some of the benefits of implementing the NIST 800-171 controls include:

Varonis helps maintain compliance with NIST 800-171: the Data Classification Engine is the first step to identify and classify your CUI across your core data stores (including email). DatAdvantage helps map folders and permissions, with full reporting and auditing on who can (and who should) access that data, while DataPrivilege enables data owners to manage and audit access to their data. Automation Engine streamlines the process to remove Global Access Groups, and Data Transport Engine can quarantine, migrate, or delete unsecured CUI.

NIST 800-171 Compliance Best Practices

Not only is it important to be compliant, but you need to be able to demonstrate compliance to avoid having contracts revoked or fines levied. Follow these steps to get started:


  1. Define what CUI you have to manage. You might have guidance from the agency you work with, but you might also have to figure out what applies to you on your own. Even if you have no guidance, you should identify and classify all possible PII so you can secure and protect sensitive data from data breaches. Examples of CUI: Social Security numbers, bank routing numbers or account numbers, credit card numbers, permanent resident status.
  2. Map your folders and permissions and implement a least privilege model for your data. NIST requires that you manage who can access CUI: implement a least privilege model to get there, and make sure you can report on who can – and who does – access CUI data.
  3. Audit and alert on changes made to your CUI. NIST requires that you monitor CUI and respond to security incidents. Make sure you can audit all activity on your CUI data, and alert on abnormal activity.
  4. Get in touch with our Federal Team to see how Varonis maps to NIST in your environment – and how Varonis helps you get to (and maintain) NIST compliance.

NIST 800-53: Definition and Tips for Compliance


NIST sets the security standards for agencies and contractors – and given the evolving threat landscape, NIST is influencing data security in the private sector as well. It’s structured as a set of security guidelines, designed to prevent major security issues that are making the headlines nearly every day.

NIST SP 800-53 Defined

The National Institute of Standards and Technology – NIST for short – is a non-regulatory agency of the U.S. Commerce Department, tasked with researching and establishing standards across all federal agencies. NIST SP 800-53 defines the standards and guidelines for federal agencies to architect and manage their information security systems. It was established to provide guidance for the protection of agencies’ and citizens’ private data.


Federal agencies must follow these standards, and the private sector should follow the same guidelines.

NIST SP 800-53 breaks the guidelines up into 3 Minimum Security Controls spread across 18 different control families.

Minimum Security Controls:

  • High-Impact Baseline
  • Medium-Impact Baseline
  • Low-Impact Baseline

Control Families:

What’s The Purpose of NIST SP 800-53

NIST SP 800-53 sets basic standards for information security policies for federal agencies – it was created to heighten the security (and security policy) of information systems used in the federal government.

The overall idea is that federal organizations first determine the security category of their information system based on FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems — essentially deciding whether the security objective is confidentiality, integrity, or availability.

NIST SP 800-53 then helps explain which standards apply to each goal – and provides guidance on how to implement them. NIST SP 800-53 does not define any required security applications or software packages, instead leaving those decisions up to the individual agency.

NIST has iterated on the standards since their original draft to keep up with the changing world of information security, and the SP 800-53 is now in its 4th revision dated January 22, 2015. The 5th revision is currently up for comments – stay tuned for updates.

Benefits of NIST SP 800-53

NIST SP 800-53 is an excellent roadmap to covering all the basics for a good data security plan. If you establish policies and procedures and applications to cover all 18 of the areas, you will be in excellent shape.

Once you have the baseline achieved, you can further improve and secure your system by adding additional software, more stringent requirements, and enhanced monitoring.

Data security, like NIST SP 800-53, is evolving rapidly. A data security team needs to constantly look for more ways to reduce the risk of a data breach and to protect their data from insider threats and malware. The Varonis Data Security Platform maps to many of the basic requirements for NIST, and reduces your overall risk profile throughout the implementation process and into the future.

NIST 800-53 Compliance Best Practices


Implement these basic principles of data security to work towards NIST 800-53 compliance:

  • Discover and Classify Sensitive Data
    Locate and secure all sensitive data
    Classify data based on business policy
  • Map Data and Permissions
    Identify users, groups, folder and file permissions
    Determine who has access to what data
  • Manage Access Control
    Identify and deactivate stale users
    Manage user and group memberships
    Remove Global Access Groups
    Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    Audit and report on file and event activity
    Monitor for insider threats, malware, misconfigurations and security breaches
    Detect security vulnerabilities and remediate
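As an added example (not Varonis code, and not a description of its products), the script below applies the map-permissions, remove-Global-Access-Groups, least-privilege and audit steps from this list and from the NIST 800-171 steps above to a constructed share inventory. The folder, group and access-event formats, the group names and the classification tags are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Groups that grant access to (practically) every account; assumed Windows-style names.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
# Classification labels that mark a folder as holding regulated data.
SENSITIVE_TAGS = {"CUI", "ePHI", "PII"}


@dataclass
class Folder:
    path: str   # UNC path of the share folder
    tags: set   # classification labels found by scanning its contents
    acl: dict   # principal -> set of rights, e.g. {"read", "write"}


# Constructed sample inventory (not real data).
INVENTORY = [
    Folder(r"\\fs01\contracts\dod", {"CUI"},
           {"Everyone": {"read"}, "contracts-team": {"read", "write"}}),
    Folder(r"\\fs01\hr\benefits", {"ePHI", "PII"},
           {"hr-team": {"read", "write"}, "Domain Users": {"read"}}),
    Folder(r"\\fs01\marketing", set(), {"Everyone": {"read"}}),
    Folder(r"\\fs01\finance\ach", {"CUI"}, {"finance-team": {"read"}}),
]

# Constructed group membership: named group -> user accounts.
GROUPS = {
    "contracts-team": {"alice", "bob"},
    "hr-team": {"carol"},
    "finance-team": {"dave"},
}

# Constructed file-access events for the review window: (user, file path).
EVENTS = [
    ("alice", r"\\fs01\contracts\dod\sow.docx"),
    ("erin", r"\\fs01\contracts\dod\rates.xlsx"),    # reachable only via Everyone
    ("carol", r"\\fs01\hr\benefits\enrolment.csv"),
    ("frank", r"\\fs01\hr\benefits\enrolment.csv"),  # reachable only via Domain Users
    ("grace", r"\\fs01\marketing\logo.png"),
]


def is_sensitive(folder):
    """True when the scan found CUI, ePHI or PII in the folder."""
    return bool(folder.tags & SENSITIVE_TAGS)


def global_access_findings(inventory):
    """Sensitive folders reachable through a global access group: remove these first."""
    findings = []
    for folder in inventory:
        if not is_sensitive(folder):
            continue
        for principal in sorted(folder.acl):
            if principal in GLOBAL_GROUPS:
                findings.append((folder.path, principal))
    return findings


def named_users(folder, groups):
    """Users granted access through named groups or direct entries (global groups ignored)."""
    users = set()
    for principal in folder.acl:
        if principal not in GLOBAL_GROUPS:
            users |= groups.get(principal, {principal})
    return users


def least_privilege_report(inventory, groups, events):
    """Compare who CAN access each sensitive folder with who DID during the window.

    stale       : granted by name but never used the access -> candidates for removal
    global_only : accessed the data with no named grant -> a global group let them in
    """
    report = {}
    for folder in inventory:
        if not is_sensitive(folder):
            continue
        prefix = folder.path + "\\"
        accessed = {user for user, path in events if path.startswith(prefix)}
        granted = named_users(folder, groups)
        report[folder.path] = {"stale": granted - accessed,
                               "global_only": accessed - granted}
    return report
```

The "global_only" users are the ones an audit would otherwise never surface, since no named permission explains their access; the "stale" entries are the least-privilege clean-up list.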

Compliance with NIST 800-53 is a perfect starting point for any data security strategy. The new GDPR regulations coming in May 2018 shine a spotlight on data security compliance guidelines in Europe, and changes are already coming to state legislation in the US that will implement additional requirements on top of NIST 800-53. As new legislation rolls out, achieving and maintaining compliance with the current baseline will make it much easier to meet updated requirements.

NIST sets the security standards for internal agencies – building blocks for common sense security standards. Want to learn more? See how Varonis maps to NIST 800-53 and can help meet NIST standards.

HIPAA Security Rule Explained


The HIPAA Journal estimates that a large data breach ( > 50k records) can cost the organization around $6 million – and that’s before the Office of Civil Rights (OCR) drops their own hammer. Over the last few years, we’ve seen more reports of breaches, an increase of HIPAA investigations, and higher fines across the board – all stemming from violations of the HIPAA security rule.


What is The HIPAA Security Rule?

The HIPAA Security Rule sets the minimum standards required for Covered Entities (CE) to manage electronic PHI (ePHI). To be considered HIPAA compliant, CEs need to address 3 key security zones: administrative, physical, and technical.

How Does the HIPAA Security Rule Protect Your Data?


Administrative Safeguards 

HIPAA rules require CEs to adhere to certain processes to ensure and verify their compliance with the HIPAA Security Rule:

  • Security Management Process: CEs must establish policies and procedures to prevent, detect, contain and correct security violations. Part of this process is to follow the procedures in the Risk Management Framework to assess overall risk in your current processes or when you implement new policies.
  • Assigned Security Responsibility: One designated security official must be responsible for the development and implementation of the HIPAA Security Rule.
  • Workforce Security: CEs must identify which employees require access to ePHI and make efforts to provide control over that access. To achieve this, implement a least privilege model and automatically enforce and manage permissions.
  • Information Access Management: Restrict access to ePHI via permissions after you have identified who should have access in the step above.
  • Security Awareness and Training: In order to enforce these rules and security policies, organizations need to train their users on what the rules are and how to abide by them.
  • Security Incident Procedures: This standard provides guidance on how to create a policy to address data breaches: it’s good practice regardless – report breaches and security violations, and set up alerts and security analytics so that you can prevent breaches in the first place.
  • Contingency Plan: This is the “what happens next” standard. Create and follow a data backup plan, disaster recovery plan, and have an emergency mode operation plan in place, just in case things go sideways and you get breached. There’s also guidance in this standard for testing and revising these plans, as well as managing critical applications that store, maintain or transmit ePHI.
  • Evaluation: Establish a process to review and maintain the policies and procedures to stay up to date and current with the HIPAA Security Rule.
  • Business Associate Contracts and other Arrangements: While it’s ok to use other businesses to implement your overall HIPAA Security strategy, as with any 3rd party contractor, you must get assurances from them that they understand HIPAA and they won’t leak your ePHI.

Physical Safeguards 

This section of the HIPAA Security Rule sets standards for physical security: the “lock your doors” and “batten down the hatches” kind of guidance – along with what to do in case of natural disasters, naturally.

  • Facility Access Controls: Limit and audit physical access to the computers that store and process ePHI. Pro tip – put a lock on the server room door.
  • Workstation Use: Manage and secure computers (desktop, laptop, and tablets) that are used to access ePHI. Every computer with access to a CE’s ePHI must adhere to this policy, including systems that are offsite (and offline).
  • Workstation Security: Implement physical safeguards for all computers that access ePHI: restrict access to computers that access ePHI, install remote wipe safeguards on laptops that grow legs.
  • Device and Media Controls: Once computers are covered, you still need safeguards on all the rest: devices and media like USB drives, tape backups, or removable storage. Establish a policy to inventory, allow the use of, and reuse or dispose of these devices as needed.

Technical Safeguards

Technical safeguards are the technology and procedures that CEs use to protect ePHI. The HIPAA Security Rule does not define what technology to use, but demands that CEs adhere to the standard and adequately protect ePHI from data breaches.

  • Access Control: Authenticate users as necessary to access ePHI, establish and maintain a least privilege model, and have appropriate procedures in place to audit access control lists (ACL) on a regular schedule.
  • Audit Controls: Audit your ePHI to record and analyze activity in case of a data breach. CEs need to be able to show the OCR exactly how a data breach occurred with a complete audit trail and reporting.
  • Integrity: To be HIPAA compliant, CEs need to be able to prove that the ePHI they manage is protected from threats both inside and out, intentional or not. Whether the new intern deletes a record accidentally, or a nefarious hacker deletes it intentionally, you should be able to recover and restore that record.
  • Person or Entity Authentication: CEs must provide assurances that the person accessing ePHI is, in fact, who they say they are. These assurances can be a password, two-factor authentication, or retinal scan – whatever works as long as you have something implemented.
  • Transmission Security: When sending data to other business partners, you need to be able to prove that only authorized individuals accessed the ePHI. You can use encrypted email with a private key, HTTPS file transfer, or a VPN – as long as only the people authorized to use the ePHI can reach it, HIPAA doesn’t care how you set it up.

Ensuring Compliance: HIPAA Security Rule

HIPAA doesn’t spell out what specific software to install or how to implement the requirements in the HIPAA Security Rule.
Varonis provides a 30-day free risk assessment to help get started: we’ll outline problem areas, potential violations, and a plan on how to fix them – we’ve got a proven track record of thousands of customers, many of whom deal with ePHI and HIPAA regulations on a daily basis.

Check out our US Data Protection Compliance and Guidance – or get in touch to discuss how we can help you reach HIPAA compliance and improve your current compliance strategies.


HIPAA Privacy Rule Explained


It’s an unfortunate (but inevitable) fact of life: Laptops get stolen, and the consequences can be devastating. If those laptops have electronic protected health information (ePHI) on them, they fall under HIPAA regulations and the theft must be reported.

Even if the thief doesn’t look at the data, the company can’t prove it: everyone should take precautions to protect themselves against not just fallout from lost data, but from the potential fines that can accrue: install remote wipe capabilities, encrypt your drives, and don’t store ePHI on your local drive.

Hopefully, the next time a laptop grows legs, you will be better prepared to mitigate the damage.

What is The HIPAA Privacy Rule?


The HIPAA Privacy Rule explains how to use, manage, and protect personal health information (PHI or ePHI). Congress wrote the HIPAA Privacy Rule to protect patient data, and those rules apply to covered entities: the people that transmit, store, manage, and access personal health information.

What Information Does the Privacy Rule Protect?

The HIPAA Privacy Rule defines PHI as individually “identifiable health information” stored or transmitted by a covered entity or their business associates, in any form or media (electronic, paper, or oral).

The law further defines “individually identifiable health information” as an individual’s past, present, and future health conditions, the details of the health care provided to an individual, and the payments or arrangement of payments made by an individual.
In the simplest terms: any and all data having to do with all doctor visits, ever, including (but not limited to):

  • Names
  • Birth, death or treatment dates, and any other dates relating to a patient’s illness or care
  • Contact information: telephone numbers, addresses, and more
  • Social Security numbers
  • Medical records numbers
  • Photographs
  • Finger and voice prints
  • Any other unique identifying number or account number

To Whom Does the HIPAA Privacy Rule Apply?

The HIPAA Privacy Rule protects individual PHI by governing the practices of the covered entities.

Covered entities are the people and organizations that hold and process PHI data for their customers – the ones required to report HIPAA violations and who are responsible to pay fines imposed by the Office of Civil Rights if and when a HIPAA violation occurs.

These organizations are considered Covered Entities under HIPAA:

Health Care Providers

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing homes
  • Pharmacies

Health Plan 

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government provided health care plans

Health Care Clearinghouse

  • These entities process healthcare data from another entity into a standard form.

What Happens if a HIPAA Data Breach Occurs?

According to the HIPAA breach notification rules, a covered entity is supposed to report data breaches to each individual affected within 60 days of discovery.

If the breach affects over 500 individuals, the covered entity must also report the breach to the Department of Health and Human Services within 60 days, which in turn opens an investigation with the Office of Civil Rights. On top of that, if the breach falls within that over-500 club, the covered entity is required by HIPAA rules to issue a press release to media outlets local to the affected individuals.

Not only is a PHI data breach potentially bad for the bottom line, but it’s also government mandated bad press.

HIPAA compliance isn’t just the law, it’s good business practice. Protecting an individual’s personal data and preventing data breaches affects both the bottom line (no fines) and company image (no bad press).

The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy – sign up for a free email course on HIPAA compliance, or get started with a demo to see the state of your HIPAA security.

HIPAA Compliance: Guide and Checklist


There are currently 14,930,463 individual records in the United States with an open HIPAA data breach investigation. That’s up to 14 million humans that have had their Protected Health Information (PHI) exposed by hacking, IT incident, theft, loss, or unauthorized access/disclosure.


That’s just the unresolved case list. If we add the numbers from the resolved breach notifications, we end up with 162,599,642 records – over half of the current US population.

And that’s why we need HIPAA in the first place.

What is HIPAA Compliance?

The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to set standards for how US citizens’ PHI records are stored, secured, and used. Nowadays – along with the Health Information Technology for Economic and Clinical Health Act (HITECH) – this legislation governs how anyone with access to your PHI needs to manage and protect that data.

HIPAA doesn’t explicitly define PHI other than information that can “reasonably” be linked to an individual – it could include anything from your birth date to social security number to medical ID or more.

What is the HIPAA Enforcement Rule?

The HIPAA Enforcement Rule explains how companies need to handle HIPAA violations – and the process isn’t just a slap on the wrist.

Individuals or companies report HIPAA violations to the Office for Civil Rights (OCR), and the OCR is responsible for investigating and reviewing those violations. If the OCR finds the violators negligent, the violators must fix what caused the breach in the first place and deal with the affected individuals’ data to the satisfaction of the OCR. If the OCR does not find their response satisfactory, or if it finds the data breach egregious, the OCR will fine the violators based on the number of records involved.

In 2018 alone there have already been two different settlements costing the violators $3.5 million and $100,000, the latter of which came after the business had already shut down due to HIPAA violations. You can read all about these settlements and more – it’s public record!

What is The HIPAA Privacy Rule?

The HIPAA Privacy Rule is the nuts and bolts of the legislation: it explains how and when healthcare professionals, lawyers, or anyone who accesses your PHI can or can not use that data.

For example: If I want to allow my PHI to be available to my girlfriend, the law requires a signed HIPAA PHI Release form in order for the Doctor’s office to share my information with her. Those are the kinds of scenarios covered in the Privacy Rule.

What is The HIPAA Security Rule?

The HIPAA Security Rule sets the standards on how Covered Entities (the humans who are governed by HIPAA) must protect PHI data. These standards include things like ‘lock the door to the server room’ and ‘only allow access to read PHI data to people who need to see it.’

That makes it paramount to protect personal information that qualifies as PHI – whether online, on paper, or verbally.

What is The HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule says you have 60 days to notify an individual of improper access to their PHI. It’s important to remember that even if ePHI is encrypted by a ransomware attack, it’s considered a breach – and therefore falls under the HIPAA breach notification rule.

If there are more than 500 PHI records impacted, you must notify the Department of Health and Human Services (which in turn gets the OCR involved) – and you’re required to issue a press release about the breach.

If you are in the unfortunate (but not uncommon) situation of reporting a HIPAA violation, here is the information you must initially provide OCR:

  • What PHI was available and how that data was made available? What personal identifiers were available during the breach?
  • Who was the unauthorized person who saw or had access to the data?
  • Did anyone actually view or acquire the ePHI?
  • What have you done to fix the issue or mitigate the damage?

There is good news: if you don’t break that 500 record limit in a single event, you can report all of your smaller violations to HHS in a single batch once per year per the Breach Notification Rules.

HIPAA Standard Transactions

A HIPAA Standard Transaction is an exchange of PHI data between two entities. For example, your doctor sends your prescription to the pharmacy, which in turn requests coverage verification from the insurance company.
HIPAA governs all of these PHI transactions, including:

  • Claims and encounter information
  • Payment and remittance advice
  • Claims status
  • Eligibility status
  • Enrollment and disenrollment
  • Referrals and authorizations
  • Coordination of benefits
  • Premium payment

How to Become HIPAA Compliant

Becoming HIPAA compliant isn’t all that different from any of your other basic 21st-century data security plans. In fact, setting up a solid data security plan will help maintain HIPAA compliance.

Here is a HIPAA Compliance Checklist to get you started:


  1. Map your data and discover where your HIPAA protected files live on your network (including cloud storage)
  2. Determine who has access to HIPAA data, who should have access to HIPAA data, and implement a least privilege model.
  3. Monitor all file access to your data.
  4. Set up alerts to notify you if someone accesses HIPAA data, or if someone creates new HIPAA data in a non-compliant repository. Use data security analytics to differentiate between normal behaviors and potential HIPAA violations.
  5. Protect the perimeter with firewalls, endpoint security, locks on server rooms, two-factor authentication, strong passwords, and session timeouts.
  6. Monitor activity on the perimeter and add threat models to your data security analytics.

HIPAA compliance isn’t just the law – it will protect your customers’ data and ensure that your business prospers in the age of digital medical records.

Varonis has been working with our customers on HIPAA compliance since before the HITECH Act in 2009. The Varonis Data Security Platform provides the foundation for a HIPAA compliant data security strategy.

Get started with a free email course on HIPAA compliance or sign up for a demo to talk directly with our data security experts.