Ask the Expert: InfoSec Requirements for Health Insurance Providers, Part 1
David Pearson, Co-Founder and CTO of Iceberg Networks, sat down with us to discuss the concerns he’s hearing from insurance providers surrounding security configuration management. The following is an edited transcript of the conversation.
What is the biggest concern you’re hearing from insurance providers surrounding security configuration management?
We have to be clear that when we say insurance providers, we’re talking about insurance providers that are delivering health insurance that’s governed by the Medicare and Medicaid programs in the United States. The Centers for Medicare & Medicaid Services (CMS) is the overseeing body, and they place fairly substantial information security requirements on their providers, so the providers need to implement information system security controls. CMS provides a library of controls that is based on the NIST SP 800-53 control library. CMS requires its member organizations to report on their compliance with the information security requirements.
One of the big activities around this is what they refer to as “configuration management”, “security configuration management” and a number of other names. This has to do with setting the security settings on the various information systems to meet particular standards and guidelines. They talk about it as “you need to configure your systems to best practices” or to follow some sort of guidance. If you dig deeper into that, you will find that there are a number of agencies, including one called DISA, that publish documents on how to configure your systems securely. They get very technical; for example, it will go down to an Apache server on a Linux platform, and this is how you’re supposed to configure it. There could be hundreds of settings for that server.
Circling back to the problem, the agencies overseen by CMS need to prove that they are actually following this kind of guidance. To do so, they need to provide reporting twice a year (depending on which type of program they’re dealing with) back to CMS, with gory detail around the fact that they’ve checked that the settings are set properly, the fact that they have brought those settings back into their system configuration processes, and the fact that all of these settings have actually been implemented. It goes back to CMS as a giant package of information that shows, system by system and setting by setting, that they have checked it, with evidence that the check has been performed and the setting is correct.
Then it gets a bit worse on top of that. Any time there’s a setting that isn’t right, they need to go into an analysis on it and either fix it as quickly as they can or provide some sort of business justification as to why the particular setting couldn’t be achieved. The whole process of gathering all of that information and reporting it back to CMS is an enormous undertaking. This is all under a single control in the NIST SP 800-53 family, out of 256 controls. This is only one. So it’s a major job for these insurance providers to deliver their quarterly and semi-annual packages to CMS to prove that they’re compliant with the requirements.
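To make the per-setting evidence gathering concrete, the following is an added example of the kind of check described in the answer above, applied to an Apache server configuration. It is not code from Iceberg Networks, CMS or DISA. The baseline items are modelled on common Apache hardening guidance rather than quoted from any particular STIG, the check identifiers (EX-APACHE-001 and so on) are made up for the example, and the httpd.conf fragment is constructed. Each setting produces an evidence record with the expected value, what was actually observed, and a status of pass, fail or accepted-risk, the last of which carries the business justification the interview mentions. Two caveats a practitioner would want are built in: a directive that is simply absent is evaluated against Apache's effective default rather than treated as a pass, and only server-wide directives are checked, so settings inside <Directory> or <VirtualHost> blocks are deliberately ignored.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str    # hypothetical identifier, made up for this example
    directive: str   # Apache directive name (case-insensitive in httpd)
    expected: str    # value the baseline requires
    default: str     # Apache's effective value when the directive is absent


# Constructed baseline modelled on common Apache hardening guidance.
# Not copied from any STIG; a real benchmark has its own IDs and wording.
BASELINE = [
    Check("EX-APACHE-001", "ServerTokens", "Prod", default="Full"),
    Check("EX-APACHE-002", "ServerSignature", "Off", default="Off"),
    Check("EX-APACHE-003", "TraceEnable", "Off", default="On"),
]


@dataclass(frozen=True)
class Finding:
    check_id: str
    directive: str
    expected: str
    observed: str        # literal value found, or a note that it was absent
    status: str          # "pass", "fail" or "accepted-risk"
    justification: str = ""


_DIRECTIVE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s+(.*?)\s*$")


def parse_server_config(text):
    """Return {directive_lower: value} for server-wide (top-level) directives.

    Later occurrences override earlier ones, matching httpd behaviour.
    Directives inside <Directory>, <VirtualHost> and similar blocks are
    skipped on purpose: this checker only evaluates the server-wide setting.
    """
    settings = {}
    depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments are whole-line
            continue
        if line.startswith("</"):
            depth -= 1
            continue
        if line.startswith("<"):
            depth += 1
            continue
        if depth:
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def evaluate(config_text, exceptions=None):
    """Produce one evidence record per baseline item.

    exceptions maps a check_id to the written business justification for
    leaving that setting non-compliant; such items report "accepted-risk"
    instead of "fail".
    """
    exceptions = exceptions or {}
    settings = parse_server_config(config_text)
    findings = []
    for c in BASELINE:
        observed = settings.get(c.directive.lower())
        if observed is None:
            # Absence is not a pass: fall back to what httpd would actually do.
            effective = c.default
            observed_text = f"(not set; effective default {c.default})"
        else:
            effective = observed
            observed_text = observed
        if effective.lower() == c.expected.lower():
            status, justification = "pass", ""
        elif c.check_id in exceptions:
            status, justification = "accepted-risk", exceptions[c.check_id]
        else:
            status, justification = "fail", ""
        findings.append(Finding(c.check_id, c.directive, c.expected,
                                observed_text, status, justification))
    return findings


def summarize(findings):
    """Count findings by status, the totals a reporting package would roll up."""
    return {s: sum(1 for f in findings if f.status == s)
            for s in ("pass", "fail", "accepted-risk")}


# Constructed httpd.conf fragment for the example; not a real deployment.
SAMPLE_CONFIG = """\
# constructed sample, not a production configuration
ServerRoot "/etc/httpd"
ServerTokens OS
ServerTokens Prod
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
TraceEnable On
"""

if __name__ == "__main__":
    # Hypothetical justification text, as a provider might record for CMS.
    accepted = {"EX-APACHE-003": "Legacy monitoring tool requires TRACE; "
                                  "replacement scheduled for next release"}
    for f in evaluate(SAMPLE_CONFIG, accepted):
        print(f"{f.check_id} {f.directive}: expected={f.expected} "
              f"observed={f.observed} status={f.status}"
              + (f" justification={f.justification!r}" if f.justification else ""))
    print(summarize(evaluate(SAMPLE_CONFIG, accepted)))
```

Run as-is, the sample produces a pass for ServerTokens (the later "Prod" overrides the earlier "OS"), a pass for ServerSignature that records it was never set and relies on the default, and an accepted-risk entry for TraceEnable with the justification attached; without the exceptions mapping that last item is a plain fail. The Finding records are what would be serialized, system by system, into the evidence package.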