The purpose of MARS-E is to provide a starting point for security guidance that Exchanges (State Health Insurance Exchanges) can use in implementing and operating their IT systems in support of the “Patient Protection and Affordable Care Act of 2010”, also known as ACA. The Exchanges handle Personally Identifiable Information (PII), Protected Health Information (PHI), or Federal Tax Information (FTI) of US citizens, so the secure handling of this information is essential.
ACA requires the US Department of Health and Human Services (HHS) to develop interoperable and secure standards and protocols that facilitate electronic enrolment of individuals in federal and state health and human services programs (see Section 1561 of ACA). Hence, under its HHS Final Rule on ACA Exchanges, HHS requires the Exchanges to establish and implement privacy and security standards consistent with Section 155.260 of the HHS Final Rule. This is the origin of MARS-E (Minimum Acceptable Risk Standards for Exchanges).
The purpose of MARS-E is to provide a starting point for security guidance that Exchanges can use in implementing and operating their IT systems in support of the ACA. MARS-E provides guidance to Exchanges and their contractors regarding the minimum level of security controls that must be implemented to protect information and information systems for which CMS (US Centers for Medicare & Medicaid Services) has oversight responsibility. MARS-E has the approval of the CMS Deputy Chief Information Officer (DCIO) and the CMS Chief Information Security Officer (CISO).
To summarize, MARS-E provides minimum security control guidance for all Exchange IT information systems. If your organization is an Exchange Contractor, you will have to observe the controls defined in MARS-E.
MARS-E provides the overview of security guidance, and it is supported by the “Catalog of Minimum Acceptable Risk Controls for Exchanges – Exchange Reference Architecture Supplement” (a 209-page document), which provides the technical and operational details for these security controls.
The Security Control Families to be covered are: Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Personnel Security (PS), Risk Assessment (RA), System and Services Acquisition (SA), System and Communications Protection (SC), and System and Information Integrity (SI). These are 17 security control families.
The “Catalog of Minimum Acceptable Risk Controls for Exchanges – Exchange Reference Architecture Supplement” is a very comprehensive document and provides a methodology for determining the availability of security controls for all of the above-mentioned security control families. For example, under the AC (Access Control) family it describes the controls from AC-1 (Access Control Policy and Procedures) to AC-20 (Use of External Information Systems), i.e. 20 sub-families of Access Control. Further, within each sub-family of security control there are further sub-divisions, along with the possible variations and eventualities that apply to them.
With respect to the procedure for ensuring MARS-E implementation, compliance is determined through an assessment that has to be based on NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems.
How DQS India can help
DQS India can help you become compliant with MARS-E.