| HIPAA Security Rule NPRM Standard | ARC-AMPE Requirements |
| Patch Management |
- § 164.308(c)(1): Within 15 calendar days of identifying the need to patch, update, or upgrade the configuration of a relevant electronic information system to address a critical risk in accordance with this paragraph (a)(4)(ii)(C), where a patch, update, or upgrade is available; or, where a patch, update, or upgrade is not available, within 15 calendar days of a patch, update, or upgrade becoming available.
- § 164.308(c)(2) Within 30 calendar days of identifying the need to patch, update, or upgrade the configuration of a relevant electronic information system to address a high risk in accordance with this paragraph (a)(4)(ii)(C), where a patch, update, or upgrade is available; or, where a patch, update, or upgrade is not available, within 30 calendar days of a patch, update, or upgrade becoming available.
| - RA-05(d): Remediate legitimate vulnerabilities identified during vulnerability or scanning within the following timeframes: Critical severity within fifteen (15) calendar days, High severity within thirty (30) calendar days, Moderate severity within ninety (90) calendar days, and Low severity within one (1) year in accordance with the organization’s assessment of risk.
|
| Security Awareness and Training |
- §164.308(a)(11)(ii)(3)(B) A covered entity or business associate must provide security awareness training as follows:
- §164.308(a)(11)(ii)(3)(B) ( 1): As required by paragraph (a)(11)(ii)(A) of this section, to each member of its workforce by no later than the compliance date, and at least once every 12 months thereafter.
- §164.308(a)(11)(ii)(3)(B) ( 2): As required by paragraph (a)(11)(ii)(A) of this section, to each new member of its workforce within a reasonable period of time but no later than 30 days after the person first has access to the covered entity's or business associate's relevant electronic information systems.
| - AT-02(a): Provide security and privacy literacy training to system users (including managers, senior executives, and contractors): (1)As part of initial training for new users and within at least every one (1) year thereafter; and (2) 2. When required by system changes or following organization-defined events. Organization-defined events include assessment or audit findings; security or privacy incidents; and changes to applicable laws (to include privacy laws), Executive Orders, directives, regulations, policies, standards, and guidelines.
|
| Documentation Requirements |
- § 164.316(b)(3):Review and update documentation at least once every 12 months and within a reasonable and appropriate period of time after a security measure is modified.
| - PM-01 (b):Review and update the organization-wide information security program plan at least every one (1) year and following organization-defined events; and
- PM-01 (c): Protect the information security program plan from unauthorized disclosure and modification.
|
| Transmission Security |
- § 164.312(g):Deploy technical controls to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network; and review and test the effectiveness of such technical controls at least once every 12 months or in response to environmental or operational changes, whichever is more frequent, and modify as reasonable and appropriate.
| - SC-08: Protect the confidentiality and integrity of transmitted information.
- SC-08(01): Implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission.
- SC-08(01) (ARC-AMPE Supplemental Control Requirements & Guidance): Use the latest published FIPS 140-compliant encryption standards or protected distributed systems to protect Personally Identifiable Information (PII), ensuring the information's confidentiality and integrity during transmission.
- SC-08(02): Maintain the confidentiality and integrity of information during preparation for transmission and during reception.
|
| Multifactor Authentication |
- § 164.312(a)(ii)(A): Deploy multi-factor authentication to all technology assets in the covered entity's or business associate's relevant electronic information systems to verify that a person seeking access to the relevant electronic information system(s) is the user that the person claims to be.
- § 164.312(a)(ii)(B): Deploymulti-factor authentication for any action that would change a user's privileges to the covered entity's or business associate's relevant electronic information systems in a manner that would alter the user's ability to affect the confidentiality, integrity, or availability of electronic protected health information.
| - IA-02: Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
- IA-02 (ARC-AMPE Supplemental Control Requirement & Guidance): Employ effective identity proofing and authentication processes, compliant with the latest published NIST SP 800-63, Digital Identity Guidelines document suite, as amended.
- IA-02(01): Implement multi-factor authentication for access to privileged accounts.
- IA-02(02): Implement multi-factor authentication for access to non-privileged accounts.
|
| Penetration Testing |
- § 164.312(h)(iii)(B): Penetration testing must be performed at least once every 12 months or in accordance with the covered entity's or business associate's risk analysis required by § 164.308(a)(2), whichever is more frequent.
| - CA-08: Conduct penetration testing at least every one (1) year on organization-defined systems or system components as agreed with the penetration testers in the Rules of Engagement.
|