HL 7 Security and Privacy Data Protection Privacy

HL 7 Security and Privacy Data Protection, Privacy, Security, Access, Liquidity and Availability Series PART 1: CONTROLLED UNCLASSIFIED INFORMATION (CUI)

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. CUI does not include: Classified Information Non-executive branch entity information Uncontrolled Unclassified Information

Security Labels From: Mark Riddle <mark. riddle@nara. gov> Sent: Wednesday, May 01, 2019 3: 15 PM To: Xanthakos, Nicholas (OGC) nicholas. xanthakos@va. gov Subject: [EXTERNAL] Re: Question Regarding CUI Labeling - Specified vs. Basic Hi Nicholas, I apologize for the delay in responding. Health records should be indicated, marked, as CUI Specified. The banner would appear as CUI//SP-HLTH. Mark Riddle Principal for CUI Program Oversight Information Security Oversight Office National Archives and Records Administration 700 Pennsylvania Avenue, NW (Room 500) Washington, DC 20408 Phone: 202. 357. 6864 mark. riddle@nara. gov Full Marking Example: “CUI//SP-HLTH/PRVCY”

CUI Legal Agreements: When? /What? Agreements and arrangements are any vehicle that sets out specific CUI handling requirements for contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not limited to contracts, grants, licenses, certificates, memoranda of agreement/arrangement or understanding, and information sharing agreements or arrangements. See 2002. 4 Definitions. (5) Agreements. Agencies should enter into agreements with any non-executive branch or foreign entity with which the agency shares or intends to share CUI, as follows (except as provided in paragraph (a)(7) of this section): At § 2002. 16 Accessing and disseminating. (i) Information-sharing agreements. When agencies intend to share CUI with a non-executive branch entity, they should enter into a formal agreement (see § 2004. 4(c) for more information on agreements), whenever feasible. Such an agreement may take any form the agency head approves, but when established, it must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp. , p. 267) or any successor order (the Order), this part, and the CUI Registry. (ii) Sharing CUI without a formal agreement. When an agency cannot enter into agreements under paragraph (a)(6)(i) of this section, but the agency's mission requires it to disseminate CUI to non-executive branch entities, the agency must communicate to the recipient that the Government strongly encourages the non-executive branch entity to protect CUI in accordance with the Order, this part, and the CUI Registry, and that such protections should accompany the CUI if the entity disseminates it further.

TEFCA Draft 2 Minimum Security Requirements The MRTCs Draft 2 requires that QHINs comply with the HIPAA Privacy and Security Rules as it pertains to EHI. Also, QHINs must: Evaluate their security program for the protection of Controlled Unclassified Information (CUI), and Develop and implement an action plan to comply with the security requirements of the most recently published version of the NIST Special Publication 800 -171 (Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations). In addition, as part of its ongoing security risk analysis and risk management program, QHINs shall review the most recently published version of the HIPAA Security Rule Crosswalk to the NIST Cybersecurity Framework.

HITAC CUI TEFCA Rebuttal HITAC Recommendation is Uninformed Ø Per NARA and 32 CFR 2002 federal agencies should establish legal agreements for exchange of CUI or modify existing ones which thereby conveys a burden on recipients to protect CUI designated information IAW EO 13556. For this purpose, a binding OP&P update has been created in Sequoia with no objection from members (See embedded Doc). Ø NIST SP 800 -171 provides 25 additional requirements that extend the Security Rule and provide needed enhancement/update to existing healthcare security and privacy controls in non-federal systems. Ø Contrary to HITAC, CUI controls flow down to federal partners. NIST SP 800 -171 A provides nonfederal organizations with assessment procedures and a methodology that can be employed by them to conduct their own assessments of the NIST SP 171 CUI security requirements.

HL 7

Summary CUI protects federal government information generally and is specific to healthcare law. CUI is concerned with protections for data at rest. CUI is just one component of a full data management approach to information sharing. Part II of this series will address “Sharing with Protections”, and “Security and Privacy Labeling” as the second component covering tools designed to eliminate restrictions on sharing, bottlenecks and gaps in information.

References NIST Special Publication 800 -171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations This publication provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. SP 800 -171 A Assessing Security Requirements for Controlled Unclassified Information This publication provides federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800 -171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. HIMSS 19 Interoperability Showcase: “Controlled Unclassified Information”, Feb 11 -15, Orlando, FL 20190227_HIMSS_CUI_2019_WITH_NAVIGATION for Confluence. pptx Controlled Unclassified Information (CUI) Problem and Solutions Introduction to the CUI Business Problem for which HL 7 has developed a standards-based, interoperable solution for HL 7 product families.

END