The notion of "Criticality Analysis" is NOT foreign to the HIPAA Security Rule ("SR"). The SR addresses this requirement (in part) in the implementation specifications for the Contingency Standard in the Administrative Safeguards, 164-308(a)(7)(ii)(E), which states: "Assess the relative criticality of specific applications and data in support of other contingency plan components."
http://www.hipaasurvivalguide.com/hipaa-regulations/164-308.php#a-7-ii-e
However, what NIST is recommending (currently in draft form) is much broader than just "Applications." Its model discusses (paraphrasing) systems, sub-systems, systems of systems, supply chains, etc., and appears to introduce a concept long missing from the SR: addressing "single points of failure." The SR "gets at" this concept in a roundabout way but not directly. NIST continues to be a super valuable resource and is a good example of your tax dollars at work!