IFR comments on security and meaningful use of HIT

A lot of us are preparing questions and making recommendations for submission to DHHS during the IFR comment period, but we seem to be "going it alone" for the most part. I've prepared some questions for CMS as well as comments for our actual IFR submission. Here they are:

Questions for CMS:

1. Is the intent to limit the Stage 1 measure to the implementation of technical security updates (controls)?
2. Is it the intent to use NIST SP 800-53 as the baseline for security controls (updates) by which "as necessary" will be determined? If not, how will "as necessary" be determined?
3. Is the intent to "certify" the implementation of security controls using an approach similar to that prescribed by NIST SP 800-37?
4. Is the intent to document the security controls in a manner consistent with NIST SP 800-18 Rev. 1?
5. Is it the intent of DHHS to limit the application of stronger protections than that specified by meaningful use measures for a specific capability?
6. How is "reasonable and appropriate" defined?

Comment period IFR response:

1. We believe Table 2 (Page 1870) contains contradictory language. The "Care goals" speak to management, operational and technical controls as defined by NIST SP 800-53, but the Stage 1 objectives seem to limit the analysis and updates to technical controls. It is [OUR INSTITUTION]'s position that a complete set of management, operational and technical controls be implemented.
2. [OUR INSTITUTION]'s position is that a recognized standard such as NIST SP 800-53 or the Health Information Trust (HITRUST) Alliance's Common Security Framework (CSF) should be selected a priori by the health care institution and used as a baseline set of controls by which compliance can be measured.
3. It is [OUR INSTITUTION]'s position that compliance with the HIPAA security rule through the application of appropriate management, operational and technical safeguards be determined according to a commonly accepted standard or set of best practices such as HITRUST CSF Assurance, NIST SP 800-37, NSA IAM & IEM, or ISO 27001/2.
4. It is [OUR INSTITUTION]'s position that compliance with the HIPAA security rule through the application of appropriate management, operational and technical safeguards be formally documented according to a commonly accepted standard or set of best practices such as NIST SP 800-18 Rev. 1.
5. It is [OUR INSTITUTION]'s position that stronger controls would be preferential given the constant change experienced in the threat environment and should therefore be allowed under any circumstance.
6. It is [OUR INSTITUTION]'s position that a formal acceptance of risk by senior management for deviations from specified security standards (Table 2B, Page 2034), industry-accepted standards and "best practices", and the implementation of alternative controls is an essential component of "reasonable and appropriate."

I hope you find this useful for your own purposes; however, we could all use input from the rest of the Club's health care community. Do you think the submission's appropriate? What would you change? Add?