Protect The Privacy & Security Of Your IT Systems, The Information In Those Systems, & Control Who Can Access It.
The purpose of the Minimum Acceptable Risk Standards for Exchanges (MARS-E) is to provide a starting point for security guidance that Exchanges can use in implementing and operating their IT systems in support of the Affordable Care Act (ACA). MARS-E provides guidance to Exchanges and their contractors regarding the minimum level of security controls that must be implemented to protect information and information systems for which the Centers for Medicare & Medicaid Services (CMS) has oversight responsibility.
Each Exchange system owner is responsible for incorporating the security controls defined in MARS-E, along with state-appropriate security and privacy requirements, for protecting Personally Identifiable Information (PII) against anticipated threats or unlawful use.
Depending on the information processed, an Exchange’s IT system may be required to meet additional security control requirements as mandated by specific federal, state, legal, program, or accounting sources.
Exchanges must document such requirements and the control implementation details in their System Security Plans (SSPs). Exchanges are also required to identify and document system risks in an Information Security (IS) Risk Assessment (RA). The guidance in MARS-E neither relieves nor waives any other federal, state, or other applicable laws, guidance, policies, or standards.
Section 155.260(a)(3) of the HHS Final Rule on ACA Exchanges (45 CFR 155.260) requires each Exchange to establish and implement privacy and security standards consistent with the principles stated in §155.260 of the Rule.
MARS-E provides an integrated, comprehensive approach to security and privacy that respects applicable federal requirements under FISMA, HIPAA, HITECH, the ACA, the Privacy Act, Tax Information Safeguarding Requirements, and state and other federal regulations.
The laws and guidance provided by other federal agencies and the National Institute of Standards and Technology (NIST) remain the authoritative source. For example, when Exchanges handle Protected Health Information (PHI), they are subject to HIPAA regulations and standards in addition to MARS-E.
Annual Risk Assessment
Annual Penetration Testing
Application Development Security Review
Policy and Procedural Review
Quarterly Vulnerability Scanning
We can help guide you on your compliance journey. Contact us and we will be in touch with you shortly.