No point in asking private entities to comply with FISMA

In what has become a consistent theme out of the Office of the National Coordinator for Health IT, the idea still seems to be under consideration to require private-sector organizations to comply with the Federal Information Security Management Act (FISMA) in order to participate in health information exchange with federal agencies. As FISMA is currently in force, there are a couple of real problems with this approach, at least if the goal is to make sure the systems in question are protected by at least a consensus minimum set of measures. Based on a security categorization (low, moderate, or high impact) that is itself a subjective judgment, FISMA does mandate a minimum set of control types that must be put in place, via the control framework in Special Publication 800-53. The biggest problem is that the determination of how each of those required controls is implemented is also subjective, and there is currently no federal standard for evaluating controls to determine whether they are effective. The accreditation of information systems in federal agencies is likewise a subjective decision, based not only on which controls are put in place but also on what level of risk the organization is willing to accept.

Risk tolerance isn't consistent among federal agencies (which is why, for example, you find a security policy from the Centers for Medicare and Medicaid Services that forbids its contractors from sending personally identifiable information over the Internet, regardless of the encryption, VPN, or other protective measures that might be applied). It seems safe to assume that risk tolerance would be even more variable among the many types of private entities that might have a role in nationwide health information exchange. Applying FISMA would tell a private enterprise that it needs to decide for itself whether its own implementation of security controls is "secure enough" to be put in production, but it doesn't require any entity to consider the security needs or preferences of its information exchange partners. Once the private entity says "yes" to that question, under FISMA it is good to go. Oh, and there isn't any mechanism for an auditor or other overseer to follow up and see whether they agree with the entity's own assessment.

So now we might have a slew of private enterprises, all producing lots of system security documentation as federal agencies do now, self-proclaiming the sufficiency of their security, and moving happily into production with health information exchange. What happens when something goes wrong, like a breach or an inappropriate disclosure of information? Under FISMA, the answer is "nothing." The Office of Management and Budget, in its capacity as the receiver of FISMA report information from federal agencies, assesses agency information security programs as a whole, but does not as a general rule delve into the details of individual information systems. For really high-profile systems, the Government Accountability Office might do its own assessment and produce a report, as is often the case when a member of Congress asks for a review of an important system that supports a key program. No one has yet suggested that OMB, ONC, or any governance body specific to the Nationwide Health Information Network (NHIN) would be staffed and tasked with the responsibility of evaluating exchange participants' security, at least not beyond the time of initial "enrollment" or joining the NHIN. There is no penalty, civil or criminal, for failing to comply with FISMA, or for suffering an incident, even one caused by an agency's failure to properly implement a required security control. It is unclear how asking private entities to operate under these requirements would have any meaningful impact on securing information exchanges, aside from the huge increase in work for those entities to document the security mechanisms they already have.