Transcript

Slide 1: Secure Commonwealth Panel, Health and Medical Subpanel
Virginia Department of Health Cyber Security
Debbie Condrey, Chief Information Officer, Virginia Department of Health
December 16, 2013

Slide 2: VDH’s Cyber Security Program
• VDH defines Cyber Security as: measures taken to protect a computer or computer system against unauthorized access or attack
• Cyber attacks are the primary cause of data loss and inappropriate access
• Agencies are responsible for the overall security of the data and information necessary to support the mission of the Agency. Infrastructure support is provided by the Virginia Information Technologies Agency

Slide 3: Data Repositories Within VDH
• VDH is responsible for managing information that spans the agency’s public health mission
• As a result, VDH maintains systems containing a variety of data, including:
  • Grant/Financial data
  • Regulatory reporting data: Environmental quality, Restaurants, Epidemiological Reporting & Drinking water
  • Patient tracking and scheduling
  • Personally identifiable information (PII) for employees, patients, and volunteers
  • Protected Health Information (PHI) (including both healthcare and surveillance information)
  • Vital records information
  • Autopsy and investigation data on decedents for law enforcement and public health officials

Slide 4: Data Governance
• VDH uses & maintains data & information in compliance with federal & state laws, regulations & requirements. These include:
  • Commonwealth Security Policies and Standards (Information Technology Resource Management (ITRM))
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Family Educational Rights and Privacy Act (FERPA)
  • The Code of Virginia, including Virginia’s FOIA and the Records Management Program
  • VDH Policies & Standards: Confidentiality & Information Security

Slide 5: VDH Information Security
• Increasingly, agencies rely on electronic records & the utilization of information technology to effectively deliver government services
• VDH’s Information Security Program focuses on providing services that support the agency's mission through enhanced technology and is:
  • Managed to address both business and technological requirements;
  • Risk-based;
  • Aligned to the VDH and Commonwealth policies, priorities and standards; and
  • A balance between access to data and information security

Slide 6: VDH Information Security Program
The Program requires collaboration between:
• VDH Commissioner
• Chief Information Officer
• Information Security Officer
• Privacy Officer
• Business Owner
• System Owner
• Data Owner
• System / Database Administrator
• Users
• Partners/Stakeholders

Slide 7: Protection of Business Functions & Systems
The VDH Information Security Program protects VDH’s critical business functions and systems through the following components:
• Risk Management
• IT Contingency Planning
• IT Systems Security
• Logical Access Control
• Data Protection
• Facilities Security
• Personnel Security
• Threat Management
• IT Asset Management

Slide 8: Protection of Business Functions & Systems: IT Systems Security
• Oracle based security:
  • Advanced security includes encryption at rest and during transactions
  • System/user monitoring and audit logs
  • Access controlled by user authentication
  • Role based users tied to data and access
  • Accessibility to authorized users

Slide 9: Information Management Program
• VDH utilizes the Security Life Cycle Approach to manage its Information Management Program, which consists of:
  • Business Impact Analysis
  • IT System and Data Sensitivity Classification
  • Risk Assessment
  • IT Security Audits
  • IT Contingency Planning

Slide 10: Other Security Considerations
• VDH has governance responsibility for statewide systems such as:
  • The Health Information Exchange and The All Payer Claims Database
  • The collaboration between DMV & DVR
  • The collaboration between Ancestry & Vital Records
• VDH requires that vendor contracts contain specific language which holds the vendor to VDH security standards
• Contract language and other security documents are audited from both an internal and an external perspective

Slide 11: Information Security Goals
• Balance the need for information access with the mandate to maintain confidentiality and ensure integrity
• Deliver the correct data in a secured environment when and where the information is needed
• Involve key stakeholders in the Security Program whenever possible
• Provide training and information to data owners so their role is understood