1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia Department of Health Cyber Security


Secure Commonwealth Panel Health and Medical Subpanel

Debbie Condrey - Chief Information Officer Virginia Department of Health

December 16, 2013

Virginia Department of Health Cyber Security


VDH’s Cyber Security Program

• VDH defines Cyber Security as: measures taken to protect a computer or computer system against unauthorized access or attack

• Cyber attacks are the primary cause for data loss and inappropriate access

• Agencies are responsible for the overall security of data and information necessary to support the mission of the Agency. Infrastructure support is provided by the Virginia Information Technologies Agency


Data Repositories Within VDH

• VDH is responsible for managing information that spans the agency’s public health mission

• As a result VDH maintains systems containing a variety of data including:
  • Grant/Financial data
  • Regulatory reporting data:
    • Environmental quality, Restaurants, Epidemiological Reporting & Drinking water
  • Patient tracking and scheduling
  • Personally identifiable information (PII) for employees, patients, and volunteers
  • Protected Health Information (PHI) (including both healthcare and surveillance information)
  • Vital records information
  • Autopsy and investigation data on decedents for law enforcement and public health officials


Data Governance

• VDH uses & maintains data & information in compliance with federal & state laws, regulations & requirements. These include:
  • Commonwealth Security Policies and Standards (Information Technology Resource Management (ITRM))
  • Health Information Portability and Accountability Act (HIPAA)
  • Federal Educational Rights and Privacy Act (FERPA)
  • The Code of Virginia: Including Virginia’s FOIA and the Records Management Program
  • VDH Policies & Standards: Confidentiality & Information Security


VDH Information Security

• Increasingly agencies rely on electronic records & the utilization of information technology to effectively deliver government services

• VDH’s Information Security Program focuses on providing services that support the agency's mission through enhanced technology and is:
  • Managed to address both business and technological requirements;
  • Risk-based;
  • Aligned to the VDH and Commonwealth policies, priorities and standards; and
  • A balance between access to data and information security


VDH Information Security Program

The Program requires collaboration between:

• VDH Commissioner
• Chief Information Officer
• Information Security Officer
• Privacy Officer
• Business Owner
• System Owner
• Data Owner
• System / Database Administrator
• Users
• Partners/Stakeholders


Protection of Business Functions & Systems

The VDH Information Security Program protects VDH’s critical business functions and systems through the following components:

• Risk Management
• IT Contingency Planning
• IT Systems Security
• Logical Access Control
• Data Protection
• Facilities Security
• Personnel Security
• Threat Management
• IT Asset Management


Protection of Business Functions & Systems

IT Systems Security

• Oracle based security:
  • Advanced security includes encryption at rest and during transactions
  • System/user monitoring and audit logs
  • Access controlled by user authentication
  • Role based users tied to data and access
  • Accessibility to authorized users


Information Management Program

• VDH utilizes the Security Life Cycle Approach to manage its Information Management Program which consists of:
  • Business Impact Analysis
  • IT System and Data Sensitivity Classification
  • Risk Assessment
  • IT Security Audits
  • IT Contingency Planning


Other Security Considerations

• VDH has governance responsibility for statewide systems such as:
  • The Health Information Exchange and The All Payer Claims Database
  • The collaboration between DMV & DVR
  • The collaboration between Ancestry & Vital Records

• VDH requires that vendor contracts contain specific language which holds the vendor to VDH security standards

• Contract language and other security documents are audited from both an internal and external perspective


Information Security Goals

• Balance the need for information access with the mandate to maintain confidentiality and ensure integrity

• Deliver the correct data in a secured environment when and where the information is needed

• Involve key stakeholders in the Security Program whenever possible

• Provide training and information to data owners so their role is understood