In January 2019, Medecision launched a yearlong process to achieve MARS-E compliance. Here’s how we did it.
By Brenton McKinney, vice president of security, Medecision
In 2010, the Patient Protection and Affordable Care Act—often shortened to the Affordable Care Act (ACA)—was signed into law by President Obama. The enactment of the ACA created federal and state health insurance exchanges, essentially opening up online marketplaces where consumers could shop around for health insurance policies.
Naturally, there were security concerns, as consumers were inputting personal health data online. To address those issues, the ACA required the Department of Health and Human Services (HHS) to develop interoperable and secure standards to facilitate the online enrollment of individuals in the health exchanges marketplace.
The Centers for Medicare and Medicaid Services (CMS), a part of the HHS, was tasked with providing guidance and oversight for the federal and state exchanges, as well as defining security standards. The CMS established the Minimum Acceptable Risk Standards for Exchanges (MARS-E) to provide guidance for state and federal health exchanges that handle protected health information, personally identifiable health information and federal tax information for all American citizens.
When creating the MARS-E guidelines, the CMS looked to NIST 800-53, a set of security and privacy controls for all U.S. federal information systems (except those related to national security). The MARS-E standard borrows all 18 domains, or control families, from NIST 800-53:
Access Control; Awareness and Training; Audit and Accountability; Security Assessment and Authorization; Configuration Management; Contingency Planning; Identification and Authentication; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Planning; Personnel Security; Risk Assessment; System and Services Acquisition; System and Communications Protection; System and Information Integrity; and Program Management.
In 2015, an updated version of the MARS-E framework was released. In total, it includes 352 security controls to implement for federal and state health exchanges.
Medecision’s Journey to Compliance
CMS requires health exchanges to establish and implement privacy and security standards that comply with the MARS-E framework. In addition, states require the same security controls to “flow down” to any entity with which the state does business involving PII. Certification to the framework is granted by CMS only to state exchanges, so contractors and subcontractors—such as Medecision—cannot be certified; they can, however, obtain accreditation and attestation from a third-party auditor to prove their compliance.
Medecision partners with many health insurance companies that have contracts with states. Because of this, Medecision started its journey toward compliance in January 2019. Over the course of one year and a three-phased project, we were issued MARS-E compliance attestation by an independent third-party auditor at the end of 2019. Here’s how we did it.
In January 2019, Medecision partnered with CyberGuard Compliance, an independent third-party auditor, to evaluate our current state of security controls against the MARS-E framework. CyberGuard came highly recommended and had deep experience with the MARS-E guidelines, which was important. For four weeks, they performed a readiness assessment of Medecision and our security policies, procedures, and implemented controls.
After CyberGuard Compliance completed its initial assessment, we brought in another third-party vendor, Aliado Solutions, to help us develop a road map to address some of the more complex issues we had. As is typical with assessments, there were gaps. Not every gap was easy to close, and oftentimes closing it was expensive. These were things we had not budgeted for, but we knew it was critical that we fix them. We focused on identifying solutions that could address multiple gaps at once and provide synergy with our long-term IT roadmap. This remediation process lasted from April until late October.
By early November, we felt confident that we had implemented the right solutions to begin the testing and validation phase. For the next four to six weeks, CyberGuard Compliance conducted interviews with almost two-thirds of the organization, collected evidence for every control in the MARS-E framework and, in some cases, literally needed eyes on computer screens to evaluate and take screenshots. This was a lengthy process. Once completed, CyberGuard Compliance began a quality control process. The end result? A 400-page document called the “System Security Plan” that lists all 352 controls of the MARS-E framework, with an explanation of how Medecision implements each control. CyberGuard Compliance also provided a document called a “Plan of Action and Milestones,” which is a list of all the controls we don’t/didn’t meet. It helps us track these goals and close the gaps.
In December 2019, Medecision received a signed attestation letter that stated the company had been evaluated and could confirm we meet the specified number of controls. Medecision was issued a three-year “Authority to Operate,” which means that our attestation is good until December 2022. We will also undergo annual interim assessments to demonstrate progress on any gaps.
It was important for us at Medecision to achieve MARS-E compliance. We hold ourselves to high standards, because maintaining our customer’s trust is our main priority. We’re proud to show through the comprehensive System Security Plan that we can point to and say, “This is how Medecision implements security and protects our customers.” This makes us a differentiator in the market!