What we’ve seen is that there is a lot of commonality among the various federal [information security] regulations. It would be wonderful if the feds would start to consolidate their security requirements.
Theresa Masse, CISO, the state of Oregon
Federal information security managers could make life easier for their counterparts at state agencies by standardizing technical requirements for securing federal data, security specialists for the state of Oregon say. And federal IT managers are grappling with overlapping security concerns from multiple departments and laws.
State agencies must comply with a variety of federal security regulations when processing federal information, such as federal tax data. Security officials for the state of Oregon have implemented a collaborative cross-government compliance program to help the state’s agencies meet and keep up with the Internal Revenue Service’s challenging information security requirements. The Oregon initiative has caught the eye of security officials from other states who face the same IRS compliance hurdles.
But, federal tax information (FTI) isn’t the only data reported by the federal government that states agencies must manage electronically. States have to meet security requirements imposed by the federal government for other data they process — for example, information relating to the Health Insurance Portability and Accountability Act (HIPAA), which requires healthcare organizations to ensure they are protecting the privacy and security of patients' medical information. The federal Department of Health and Human Services issued a Final Rule adopting HIPAA standards for the security of electronic health information in 2003. About a half dozen Oregon state agencies receive HIPAA data from the federal government, according to Theresa Masse, the state’s chief information security officer, manager of the Enterprise Security Office and head of the state ‘s FTI Joint-Agency Security Committee.
Federal security requirements for FTI and HIPAA data are onerously duplicative, so it would ease the burden on state managers if security officials at agencies such as the IRS and HHS could get together and make those requirements as close to uniform as possible, she said.
“The federal government is huge and you have all these different departments, but what we’ve seen is that there is a lot of commonality among the various federal [information security] regulations,” she said. “It would be wonderful if the feds would start to consolidate their security requirements. Certainly you don’t want them to lower the bar. But just put the bar where it needs to be, and, if you’re compliant with it, then you know you’re going be OK for HIPAA, FTI and all these other things.”
But the notion of federal agencies collaborating to create standardized security requirements for state agencies is easier said than done, said David Stender, chief information security officer for the IRS.
“It’s possible,” Stender said in an interview with TechTarget. “But I don’t see that happening under the existing framework simply because IRS requirements are specifically covered in tax law. There are different requirements under HIPAA. … There isn’t a 100% match.”
Still, the question of standardizing security requirements is something that has to be “looked at” across the federal government, Stender said, especially with the advent of new laws such as the Patient Protection and Affordable Care Act, which will affect data security requirements for numerous agencies.
In fact, the IRS itself is grappling with the HIPAA issue as it prepares to support the Affordable Care Act, Stender said. “We have never dealt with privacy information from a HIPAA perspective; how do we roll that into our [information security requirements]?”
He concluded: “It’s going be a significant challenge because you have multiple federal government standards, all of which have a basis in things like [the Federal Information Security Management Act] or some other federal law, but don’t have a direct one-to-one translation,” he said.
However, Masse said the lesson from the Oregon experience for federal managers is that cross-government collaboration on data security requirements can be done.
“We’re talking about information security here, and we’ve got a common base of discussion,” she said. “If they could get together and hammer out something, I’m sure they would be able to get 90% of the way, instead of everybody referring to their own little song sheet. Really, we’re all trying to protect information and we can probably do a better job of working together on that. Certainly from a state perspective we would love to see the feds do that.”