HIMSS22: How to Deal with Controlled Unclassified Information

March 15, 2022
A March 15 session at HIMSS22 gave pertinent information on the federal Controlled Unclassified Information program and what it means for electronic information exchange in the private sector.

On March 15, at HIMSS22 in Orlando, Fla., a session titled “Controlled Unclassified Information: What you need to know” focused on the requirements of the federal Controlled Unclassified Information (CUI) program and what it means for the exchange of electronic health information for private sector organizations. The two speakers were Johnathan Coleman, principal at Mount Pleasant, S.C.-based Security Risk Solutions, Inc. and Servio F. Medina, director, enterprise operations management (M63) at the U.S. Navy Bureau of Medicine & Surgery (BUMED).

To kick off the session, Medina explained what CUI is for those in the audience who were not familiar with it. He said, “CUI is information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies.”

Coleman then said that “You can’t just say applicable law without explaining what those laws are.” The slides that were being presented laid out those laws:

  • “Executive Order 13556 "Controlled Unclassified Information" was signed on November 04, 2010. It establishes a program for managing CUI across the Executive branch, designates the National Archives and Records Administration (NARA) as Executive Agent, and delegates responsibilities to the Information Security Oversight Office (ISOO).
  • 32 CFR Part 2002 "Controlled Unclassified Information" was issued by the ISOO and became effective November 14, 2016. It established policy and oversight requirements for agencies, and affects all organizations that handle, possess, use, share, or receive CUI on behalf of an agency.”

Coleman then addressed the fact that not all health information is considered CUI. He said that “The DoD Instruction 5200.48, “Controlled Unclassified Information,” (March 2020) established CUI policy in the DoD, demonstrating early adoption of CUI Program requirements. Per the NARA CUI Registry, DoD considers health information to be a category of CUI. The CUI regulations direct federal agencies to incorporate requirements into contracts and agreements, which in turn apply to the private sector CUI recipients operating under those agreements. It is those contracts or agreements which specify whether CUI protection is applicable.”

Next, the speakers discussed what the best practices are if an individual is in a situation where CUI requirements apply. Medina commented, “Proper cyber hygiene and best practices are essential if you are in this situation. If you ask me personally, it is what helps to minimize and mitigate ignorance and misunderstanding, and to some extent, willful neglect.”

“My friend admitted he sent patient records to his personal Gmail account,” Medina added. “He said, ‘I can’t trust the VPN, it’s always dropping. I am saving lives!’ I asked if he had rallied his colleagues to go to IT and leadership to make sure IT is satisfying his needs. He said, ‘Did I tell you I was too busy and saving lives?’ And that’s the challenge we have—that was a judgment call, and these happen all the time.”

Coleman said that “CUI requirements fundamentally fall into two main categories: Safeguarding/Protecting the information and the appropriate marking/labeling of information.”

“NIST SP800-171 contains 110 controls across 14 control families,” Coleman added. “While this seems daunting, you might already be implementing many of the security controls in SP800-171. Organizations who are HIPAA Covered Entities (CEs) or business associates should consider mapping their implementation of the HIPAA Security Rule to the requirements of NIST800-171.”

He explained that about 80 percent of the controls would probably already be addressed by HIPAA organizations who are fully implementing a security program that meets HIPAA Security Rule requirements. Additionally, depending on an organization’s policies/procedures, the remaining approximate 30 percent of controls could be addressed through inheritance—meaning from the electronic health record (EHR) provider or health information exchange partners—or, of course, can be implemented on a local level.

Regarding labeling, Coleman added that “Agencies have their own requirements for marking/labeling CUI, all of which align with NARA’s CUI Program requirements.”

The speakers then discussed what happens if an organization receives a healthcare record marked CUI: the CUI regulations direct federal agencies to incorporate CUI requirements into contracts and agreements, which in turn apply to private sector CUI recipients. If the organization is receiving the CUI as part of a contract or agreement, that contract or agreement will specify what additional protection is required to be in place (NIST SP800-171 controls). Even if the healthcare record does not carry CUI markings, authorized CUI recipients may still be required to handle the information in the appropriate manner. The Federal Register says that “The lack of a CUI marking on information that qualifies as CUI does not exempt the authorized holder from abiding by applicable handling requirements as described in the Order, this part, and the CUI Registry.”

Medina concluded that “Implementing a robust security risk management program will enable organizations to assess what is /is not in place today, and plan for enhancements commensurate with their risk and resources.”
