The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a security and privacy framework developed specifically for the health insurance exchanges (HIEs) established under the Affordable Care Act (ACA). The security of these exchanges matters because they process sensitive personal, financial, and health data, including the federal tax information used for eligibility determinations, which makes them attractive targets for attackers. Have you ever stopped to think about what the state and federal health insurance exchanges are required to do to secure that information?
MARS-E was created by the Centers for Medicare & Medicaid Services (CMS) to address these concerns by setting rigorous security and privacy standards. The current version, MARS-E 2.x, aligns its control catalog with NIST SP 800-53 Revision 4.
Key Aspects of MARS-E
- Framework and Compliance: MARS-E sets a baseline of security requirements to protect the confidentiality, integrity, and availability of exchange data. It builds on National Institute of Standards and Technology (NIST) guidance, in particular NIST SP 800-53 for security and privacy controls and NIST guidance on protecting personally identifiable information (PII), and it incorporates the IRS Publication 1075 safeguards that apply wherever federal tax information is used to determine eligibility.
- Risk Management and Continuous Monitoring: MARS-E requires an ongoing risk management process rather than a one-time assessment. HIEs must monitor their systems for new vulnerabilities and emerging threats and act on what they find. In practice this means audit logging, intrusion detection, vulnerability scanning, and periodic security testing. Incident response plans are a required component, and exchanges must be able to detect an incident, report it to CMS, contain the damage, and restore service.
- Security Controls: The MARS-E catalog contains over 300 controls drawn from NIST SP 800-53, spanning control families such as access control (AC), audit and accountability (AU), configuration management (CM), contingency planning (CP), and incident response (IR). Those who have worked through Federal Information Security Management Act (FISMA) compliance will recognize the SP 800-53 catalog, since MARS-E uses the same controls, tailored for the exchange environment.
Key Documentation Requirements
A health insurance exchange is required to implement the security controls defined in the MARS-E control catalog, combine them with any additional state-specific security and privacy requirements, and document how each control is implemented. In order to operate, the exchange must obtain an Authorization to Operate (ATO) from CMS. Before granting the ATO, CMS reviews the exchange's compliance evidence for completeness. That evidence includes the following:
- System Security Plan (SSP) (and all associated attachments)
- SSP Workbook (and all associated attachments)
- Information Security Risk Assessment (IS RA) (and all associated attachments)
- Contingency Plan (CP) (and all associated attachments)
- CP Test Plan
- CP Test After Action Report
- Security Control Assessment Plan (SCA Test Plan)
- Security Control Assessment Report (SCA Report)
- Plan of Action and Milestones (POA&M) Report
- Privacy Impact Assessment (PIA) (signed by the CMS Privacy Officer)
- Certification Cover Memo (hard copy, with a soft copy in CFACTS, the CMS FISMA Continuous Tracking System)
- Security Certification Form (hard copy, soft copy in CFACTS)
The SSP alone is a significant documentation effort. For comparison, the SSP template for GSA FedRAMP authorization, which is likewise built on the FISMA/NIST control catalog, runs to roughly 350 pages. That template follows NIST Special Publication (SP) 800-18, Revision 1, Guide for Developing Security Plans for Federal Information Systems.
Steps to Achieve MARS-E Compliance
- Implementing NIST Standards: By adopting the NIST SP 800-53 controls, exchanges establish a security baseline that covers access control, authentication, encryption, and data protection. An exchange hosted in the cloud can also build on a FedRAMP-authorized cloud service: FedRAMP is an authorization program, not a certification, and its baselines extend SP 800-53 with additional controls for the shared-responsibility and multi-tenancy issues specific to cloud environments. A provider's FedRAMP authorization covers the provider's platform, so the exchange still has to implement and document the controls it is responsible for on top of that platform.
- Conducting Regular Risk Assessments: MARS-E requires exchanges to perform regular risk assessments to identify and evaluate potential vulnerabilities and threats. These assessments guide the development of mitigation strategies, helping exchanges proactively address security weaknesses.
- Ensuring Data Protection and Privacy Controls: MARS-E mandates specific protections for personally identifiable information (PII) and protected health information (PHI), including encryption, secure data storage, and controlled access. Privacy controls are also required to ensure data is only used for its intended purposes and shared appropriately within authorized boundaries.
- Establishing Incident Response and Continuous Monitoring: Exchanges must implement continuous monitoring so that security events are detected and acted on promptly, in line with MARS-E requirements. A tested incident response plan is essential for managing breaches effectively, meeting CMS incident reporting obligations, minimizing impact, and restoring services.
- Audit and Documentation Requirements: MARS-E compliance requires ongoing audits and documentation of security practices, policies, and incidents to ensure accountability. Exchanges must be able to provide evidence of their security posture and adherence to standards, both for internal reviews and external CMS audits.
- Employee Training and Awareness: Ensuring that all personnel are aware of security policies and trained in best practices is a core aspect of MARS-E. Security awareness programs help mitigate risks related to human error and insider threats.
Benefits of MARS-E Compliance
Compliance with MARS-E helps exchanges safeguard user data, mitigate cybersecurity risks, and meet federal requirements. It reassures users that their personal and health information is handled securely, promoting confidence in the exchange system. Additionally, by meeting MARS-E standards, exchanges protect themselves against potential legal and financial repercussions of non-compliance or data breaches.
Ultimately, MARS-E compliance fosters a secure and trustworthy environment for the operation of health insurance exchanges, supporting the mission of the ACA to provide safe, accessible health coverage.
Key Takeaways on MARS-E Security Framework
In summary, MARS-E draws on FISMA and NIST SP 800-53, HIPAA, IRS Publication 1075, and a number of other requirements and applies them to health insurance exchanges as a single set of stringent standards. By providing a clear set of minimum security requirements, MARS-E helps ensure that health insurance exchanges are adequately protected against cyber threats. This framework not only enhances user trust but also supports the overall goal of the ACA, which is to make health insurance accessible and secure for all Americans.
For more information regarding MARS-E and IT security compliance, review our security assessment services or reach out to Linford & Company directly with your questions. We specialize in helping organizations achieve and maintain their compliance requirements across multiple frameworks including MARS-E, FISMA, and NIST standards.
This article was originally published on 4/7/2015 and was updated on 11/13/2024.
Umar has over 15 years of experience in internal control-based audit, project management, cybersecurity consulting, attestation, and assurance services; 7 of those years were with the “Big Four” accounting firm, KPMG. He has overseen numerous SOC 1 and SOC 2 audits and other IT Compliance audits, including NIST 800-53. He has vast experience implementing comprehensive IT compliance frameworks for clients both in the public and private sectors. Umar is a certified information systems auditor (CISA) and received his Bachelor of Science degree in Business Information Technology from Virginia Tech.