1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer...
1
Secure Commonwealth Panel Health and Medical Subpanel
Debbie Condrey - Chief Information Officer Virginia Department of Health
December 16, 2013
Virginia Department of Health Cyber Security
2
VDH’s Cyber Security Program
• VDH defines Cyber Security as: measures taken to protect a computer or computer system against unauthorized access or attack
• Cyber attacks are the primary cause for data loss and inappropriate access
• Agencies are responsible for the overall security of data and information necessary to support the mission of the Agency. Infrastructure support is provided by the Virginia Information Technologies Agency
3
Data Repositories Within VDH
• VDH is responsible for managing information that spans the agency’s public health mission
• As a result VDH maintains systems containing a variety of data including:
  • Grant/Financial data
  • Regulatory reporting data:
    • Environmental quality, Restaurants, Epidemiological Reporting & Drinking water
  • Patient tracking and scheduling
  • Personally identifiable information (PII) for employees, patients, and volunteers
  • Protected Health Information (PHI) (including both healthcare and surveillance information)
  • Vital records information
  • Autopsy and investigation data on decedents for law enforcement and public health officials
4
Data Governance
• VDH uses & maintains data & information in compliance with federal & state laws, regulations & requirements. These include:
  • Commonwealth Security Policies and Standards (Information Technology Resource Management (ITRM))
  • Health Information Portability and Accountability Act (HIPAA)
  • Federal Educational Rights and Privacy Act (FERPA)
  • The Code of Virginia: Including Virginia’s FOIA and the Records Management Program
  • VDH Policies & Standards: Confidentiality & Information Security
5
VDH Information Security
• Increasingly agencies rely on electronic records & the utilization of information technology to effectively deliver government services
• VDH’s Information Security Program focuses on providing services that support the agency's mission through enhanced technology and is:
  • Managed to address both business and technological requirements;
  • Risk-based;
  • Aligned to the VDH and Commonwealth policies, priorities and standards; and
  • A balance between access to data and information security
6
VDH Information Security Program
The Program requires collaboration between:
• VDH Commissioner
• Chief Information Officer
• Information Security Officer
• Privacy Officer
• Business Owner
• System Owner
• Data Owner
• System / Database Administrator
• Users
• Partners/Stakeholders
7
Protection of Business Functions & Systems
The VDH Information Security Program protects VDH’s critical business functions and systems through the following components:
• Risk Management
• IT Contingency Planning
• IT Systems Security
• Logical Access Control
• Data Protection
• Facilities Security
• Personnel Security
• Threat Management
• IT Asset Management
8
Protection of Business Functions & Systems
IT Systems Security
• Oracle based security:
  • Advanced security includes encryption at rest and during transactions
  • System/user monitoring and audit logs
  • Access controlled by user authentication
  • Role based users tied to data and access
  • Accessibility to authorized users
9
Information Management Program
• VDH utilizes the Security Life Cycle Approach to manage its Information Management Program, which consists of:
  • Business Impact Analysis
  • IT System and Data Sensitivity Classification
  • Risk Assessment
  • IT Security Audits
  • IT Contingency Planning
10
Other Security Considerations
• VDH has governance responsibility for statewide systems such as:
  • The Health Information Exchange and The All Payer Claims Database
  • The collaboration between DMV & DVR
  • The collaboration between Ancestry & Vital Records
• VDH requires that vendor contracts contain specific language which holds the vendor to VDH security standards
• Contract language and other security documents are audited from both an internal and external perspective
11
Information Security Goals
• Balance the need for information access with the mandate to maintain confidentiality and ensure integrity
• Deliver the correct data in a secured environment when and where the information is needed
• Involve key stakeholders in the Security Program whenever possible
• Provide training and information to data owners so their role is understood