What is the Minimum Acceptable Risk Standards for Exchanges (MARS-E)?

Michael Buckbee
4 min read
Last updated June 9, 2023

Under the Affordable Care Act (ACA) of 2010, there are now online marketplaces to buy health insurance. These are essentially websites that allow consumers to shop around for an insurance policy by comparing plans from different private providers.

Result: US consumers can purchase health insurance using the same technology that allows them to buy books, gadgets, and artisanal coffees on the web.

I think we can agree that the health data collected on these websites deserves some extra protection.


The Origin of MARS

To address security issues of the exchanges, the ACA required the Department of Health and Human Services (HHS) to come up with data security standards.

Specifically, the Centers for Medicare & Medicaid Services (CMS), a part of HHS, was made responsible for providing guidance and oversight for the exchanges, including defining technical standards.

CMS then established the Minimum Acceptable Risk Standards for Exchanges (MARS-E), which defines a series of security controls. MARS-E is now in its second version, which was released in 2015.

Those familiar with NIST 800-53 — a security standard underlying other federal data laws such as FISMA — will immediately recognize the two-letter abbreviations used by MARS-E. It borrows 17 control families from NIST 800-53, which for the record are:

Access Control (AC), Awareness and Training (AT), Audit and Accountability (AU), Security Assessment and Authorization (CA), Configuration Management (CM), Contingency Planning (CP), Identification and Authentication (IA), Incident Response (IR), Maintenance (MA), Media Protection (MP), Physical and Environment Protection (PE), Planning (PL), Personnel Security (PS), Risk Assessment (RA), System and Services Acquisition (SA), Systems and Communication Protection (SC), Systems and Information Integrity (SI).

The complete catalog of controls can be found here.

The controls provide only guidance — they are not meant to force specific security technologies on the exchanges!

HIPAA Confusion

You may ask whether HIPAA rules on privacy and security for protected health information (PHI) also apply to the health exchanges.

Great question!

Health exchanges are not covered entities under HIPAA. So HIPAA’s Privacy and Security rules wouldn’t seem to apply.

But … are they Business Associates (BAs) of the covered entity?

As you may recall, after the new rules that were published back in 2013 (the “HIPAA Omnibus Final Rule”), third-party contractors and their subcontractors who handle or process PHI fall under HIPAA.

The short answer is that the exchanges can be BAs if they perform more than minimal data functions and have a deeper relationship with the insurer.

It’s really the same question that comes up with health wearables. HIPAA doesn’t apply to these gadgets, unless the gadget provider has a direct relationship with the insurer or health plan – for example, through a corporate wellness plan.

To get a little more insight into this confusing issue of health exchanges and HIPAA, read this article.

In the meantime, you can peruse the table below showing the mapping of relevant MARS-E controls to Varonis products.

AC Access Control

AC-2 Account Management

Requirement:

a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary);

b. Establishing conditions for group membership;

c. Identifying authorized users of the information system and specifying access privileges.

Varonis solution:

By combining user and group information taken directly from Active Directory, LDAP, NIS, or other directory services with a complete picture of the file system, Varonis DatAdvantage gives organizations a complete picture of their permissions structures. Both logical and physical permissions are displayed and organized, highlighting and optionally aggregating NTFS and share permissions. Flag, tag and annotate your files and folders to track, analyze and report on users, groups and data. Varonis DatAdvantage also shows you every user and group that can access data, as well as every folder that can be accessed by any user or group.

AC-6 Least Privilege

Requirement:

a. Employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with Exchange missions and business functions.

Varonis solution:

Varonis DataPrivilege helps organizations not only define the policies that govern who can access, and who can grant access to, unstructured data; it also enforces the workflow and the desired action to be taken (i.e. allow, deny, allow for a certain time period). This has a two-fold effect on the consistent and broad communication of the access policy: 1) it unites all of the responsible parties, including data owners, auditors, data users and IT, around the same set of information, and 2) it allows organizations to continually monitor the access framework in order to make changes and optimize both for compliance and for continuous enforcement of warranted access.

AU Audit and Accountability

AU-2 Auditable Events

Requirement:

(a) … that the information system must be capable of auditing the list of auditable events specified in the Implementation Standards;

Implementation Standards: Generate audit records for the following events …

h. File creation,

i. File deletion,

j. File modification,

m. Use of administrator privileges.

Varonis solution:

Varonis DatAdvantage helps organizations examine and audit the use of ordinary and privileged access accounts to detect and prevent abuse. With a continual audit record of all file, email, SharePoint, and Directory Services activity, DatAdvantage provides visibility into users’ actions. The log can be viewed interactively or via email reports. DatAdvantage can also identify when users have administrative rights they do not use or need and provides a way to safely remove excess privileges without impacting the business.

Through Varonis DataPrivilege, membership in administrative and other groups can be tightly controlled, audited and reviewed.

Varonis DatAlert can be configured to send real-time alerts on a number of actions, including the granting of administrative rights to a user or group. This allows the organization to detect, in real time, when privileged access has been granted erroneously and act before abuse occurs. Real-time alerts can also be triggered when administrative users access, modify, or delete business data.

AU-6 Audit Review, Analysis, and Reporting

Requirement:

a) Reviews and analyzes information system audit records regularly for indications of inappropriate or unusual activity, and reports findings to designated organizational officials …

Implementation standards:

5. Use automated utilities to review audit records at least once every seven (7) days for unusual, unexpected, or suspicious behavior.

Varonis solution:

Varonis DatAlert provides real-time alerting based on file activity, Active Directory changes, permissions changes, and other events. Alert criteria and output are easily configurable so that the right people and systems can be notified about the right things, at the right times, in the right ways. DatAlert improves your ability to detect possible security breaches and misconfigurations. DatAlert can be configured to alert on changes made outside a particular time window.

Varonis DatAdvantage monitors every touch of every file on the file system, then normalizes, processes, and stores these events in a database so that they are quickly sortable and searchable. Detailed information for every file event is provided; all data can be reported on and provided to data owners. Data collection does not require native object success auditing on Windows.

IR Incident Response

IR-6.1 Incident Reporting

Requirement:

The organization employs automated mechanisms to assist in the reporting of security incidents.

Varonis solution:

Varonis DatAlert provides real-time alerting based on file activity, Active Directory changes, permissions changes, and other events. Alert criteria and output are easily configurable so that the right people and systems can be notified about the right things, at the right times, in the right ways. DatAlert improves your ability to detect possible security breaches and misconfigurations. DatAlert can be configured to alert on changes made outside a particular time window.

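As an added example, not part of the original post and not Varonis code, the following Python script shows what an automated AU-2/AU-6 review of the kind described in the table above might look like: it parses a constructed audit log, classifies events into the AU-2 categories quoted (file creation, deletion, modification, administrator-privilege use) and returns the events a weekly review should escalate, including changes made outside a permitted time window. The log format, the business-hours window and all users, paths and timestamps are assumptions made up for the example.

```python
"""Automated audit-log review modelled on the MARS-E AU-2 / AU-6 text above.
Constructed line format (an assumption for this example):
    ISO-timestamp | user | action | object | admin (yes/no)
"""
from datetime import datetime, timedelta, time

# AU-2 implementation-standard categories quoted on the page, keyed by action.
AU2_CATEGORIES = {
    "create": "h. file creation",
    "delete": "i. file deletion",
    "modify": "j. file modification",
}
ADMIN_CATEGORY = "m. use of administrator privileges"

# Constructed sample log; users, paths and times are made up.
SAMPLE_LOG = """\
2023-06-01T09:15:00 | jdoe    | modify | /claims/app-2231.pdf | no
2023-06-01T23:40:00 | jdoe    | delete | /claims/app-2232.pdf | no
2023-06-02T10:05:00 | svc-etl | create | /export/batch.csv    | no
2023-06-03T02:30:00 | admin1  | modify | /claims/acl-policy   | yes
2023-05-20T11:00:00 | jdoe    | modify | /claims/old.pdf      | no
"""

def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, obj, admin = (f.strip() for f in line.split("|"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "object": obj, "admin": admin == "yes"})
    return events

def review(events, review_end_iso, window=(time(8, 0), time(18, 0)), days=7):
    """Review the `days` before review_end_iso (AU-6 asks for at least every 7);
    return (iso-ts, user, reason, object) tuples a reviewer should look at."""
    review_end = datetime.fromisoformat(review_end_iso)
    start = review_end - timedelta(days=days)
    findings = []
    for ev in events:
        if not (start <= ev["ts"] <= review_end):
            continue  # outside this review period
        stamp, reason = ev["ts"].isoformat(), AU2_CATEGORIES.get(ev["action"], "event")
        if ev["admin"]:  # any administrator-privilege use is reported (AU-2 m.)
            findings.append((stamp, ev["user"], ADMIN_CATEGORY, ev["object"]))
        if not (window[0] <= ev["ts"].time() <= window[1]):  # out-of-hours change
            findings.append((stamp, ev["user"], reason + " outside permitted window",
                             ev["object"]))
    return findings
```

Running `review(parse_log(SAMPLE_LOG), "2023-06-04T00:00:00")` reports the late-night deletion and both aspects of the 02:30 administrative change, while the event from May falls outside the seven-day review period.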
