Transcript Slide 1

Secure Commonwealth Panel
Health and Medical Subpanel
Virginia Department of Health
Cyber Security
Debbie Condrey - Chief Information Officer
Virginia Department of Health
December 16, 2013
VDH’s Cyber Security Program
• VDH defines Cyber Security as: measures taken to protect a computer or computer system against unauthorized access or attack
• Cyber attacks are the primary cause of data loss and inappropriate access
• Agencies are responsible for the overall security of data and information necessary to support the mission of the Agency. Infrastructure support is provided by the Virginia Information Technologies Agency
Data Repositories Within VDH
• VDH is responsible for managing information that spans the agency’s public health mission
• As a result VDH maintains systems containing a variety of data including:
  • Grant/Financial data
  • Regulatory reporting data:
    • Environmental quality, Restaurants, Epidemiological Reporting & Drinking water
  • Patient tracking and scheduling
  • Personally identifiable information (PII) for employees, patients, and volunteers
  • Protected Health Information (PHI) (including both healthcare and surveillance information)
  • Vital records information
  • Autopsy and investigation data on decedents for law enforcement and public health officials
Data Governance
• VDH uses & maintains data & information in compliance with federal & state laws, regulations & requirements. These include:
  • Commonwealth Security Policies and Standards (Information Technology Resource Management (ITRM))
  • Health Information Portability and Accountability Act (HIPAA)
  • Federal Educational Rights and Privacy Act (FERPA)
  • The Code of Virginia: Including Virginia’s FOIA and the Records Management Program
  • VDH Policies & Standards: Confidentiality & Information Security
VDH Information Security
• Increasingly, agencies rely on electronic records & the utilization of information technology to effectively deliver government services
• VDH’s Information Security Program focuses on providing services that support the agency's mission through enhanced technology and is:
  • Managed to address both business and technological requirements;
  • Risk-based;
  • Aligned to the VDH and Commonwealth policies, priorities and standards; and
  • A balance between access to data and information security
VDH Information Security Program
The Program requires collaboration between:
• VDH Commissioner
• Chief Information Officer
• Information Security Officer
• Privacy Officer
• Business Owner
• System Owner
• Data Owner
• System / Database Administrator
• Users
• Partners/Stakeholders
Protection of Business Functions & Systems
The VDH Information Security Program protects VDH’s critical business functions and systems through the following components:
• Risk Management
• IT Contingency Planning
• IT Systems Security
• Logical Access Control
• Data Protection
• Facilities Security
• Personnel Security
• Threat Management
• IT Asset Management
Protection of Business Functions & Systems
IT Systems Security
• Oracle based security:
  • Advanced security includes encryption at rest and during transactions
  • System/user monitoring and audit logs
  • Access controlled by user authentication
  • Role based users tied to data and access
  • Accessibility to authorized users
Information Management Program
• VDH utilizes the Security Life Cycle Approach to manage its Information Management Program, which consists of:
  • Business Impact Analysis
  • IT System and Data Sensitivity Classification
  • Risk Assessment
  • IT Security Audits
  • IT Contingency Planning
Other Security Considerations
• VDH has governance responsibility for statewide systems such as:
  • The Health Information Exchange and The All Payer Claims Database
  • The collaboration between DMV & DVR
  • The collaboration between Ancestry & Vital Records
• VDH requires that vendor contracts contain specific language which holds the vendor to VDH security standards
• Contract language and other security documents are audited from both an internal and external perspective
Information Security Goals
• Balance the need for information access with the mandate to maintain confidentiality and ensure integrity
• Deliver the correct data in a secured environment when and where the information is needed
• Involve key stakeholders in the Security Program whenever possible
• Provide training and information to data owners so their role is understood