Incorporating Privacy Into Systems Development Methodology Phil Moleski Director Corporate Information Technology Branch Saskatchewan Health

Agenda
- Health sector background information
- Current systems methodology at Sask. Health
- Overlay on systems methodology
- Security assessment considerations
- Evolving privacy framework

Saskatchewan Health
- “Provincial Government Department responsible for the publicly funded health system in Saskatchewan”
- “Roughly 1 million clients and $2.9 billion in forecast expenditures for 2005–2006”

Saskatchewan Health Sector
- Department
- 13 Regional Health Authorities
- Cancer Agency
- Independent Professionals (Doctors, etc.)
- Various smaller funded agencies

Major IT Organizations in the Health Sector
- Corporate Information Technology Branch (CITB)
- Health Information Solutions Centre (HISC)
- Regional Health Authorities (RHAs)
- Cancer Agency

Corporate Information Technology Branch
- Internally Department Focused
- IT infrastructure
- Systems Development Environment
- Claims and Health Registration Applications

Health Information Solutions Centre (HISC)
- Health Sector network, help desk and IT solutions to support service delivery
- Focus on Clinical Applications
- Electronic Health Record Lead Provincial IT/IM Planning, Architecture and Standards for Health Sector
- Information products and services

Regional Health Authorities (RHAs) & others (Cancer Agency etc.)
- Internal IT focus on their organizations
- CIO Forum

Privacy Framework within Provincial Government
- Exec. Director, Access and Privacy Branch, Saskatchewan Justice
- Privacy Policy Framework with Goals, Objectives, and Performance Measures

Privacy Framework within Provincial Government
- principles adapted for Saskatchewan from the CSA, Model Code for the Protection of Personal Information – Q , p. vii

Privacy Framework within Provincial Government
Eleven principles: Accountability Purpose Limiting Consent Collection Use and Disclosure Retention Accuracy Safeguards Openness Access Compliance

Privacy Framework within Saskatchewan Health
- Deputy Minister
- Privacy Officer
- CIO Forum – Privacy Subcommittee

What Happens now?

While formally including privacy as part of the systems development methodology is a work in progress, “Protecting the privacy of information with appropriate security has always been and remains a top priority for Saskatchewan Health”

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Macro Plan Security Privacy Impact Interfaces Conceptual Architecture Phase 1 System Need Definition

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 6 & 7 Implementation Ongoing Operations Business/Data Flows Functionality Data elements Technology Security Privacy Project plan Phase 2 Conceptual Design

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phase 3 Application System Architecture Physical database Features Business /Data Flows Security Tables & Processes Project Plan

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phases 4&5 Application & Infrastructure Development Application system Acceptance Test Results Implementation Plan Operations Service Level Hardware/Network Plan

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Phases 6 & 7 Implementation User Sign –off User Training Security Certificates System Governance Design/ Next Steps Support Procedures

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition Phase 2 Conceptual Design Phase 3 Application System Architecture Phases 4&5 Application & Infrastructure Phases 6 & 7 Implementation Ongoing Operations Problem Logs Change Management Privacy Management

How do the systems development methodology and privacy fit together?
- still learning
- completed several projects with privacy built into the project plan
- lots of work, start early

Incorporating Privacy Into Systems Development Methodology  CITB Systems Development Methodology Phase 1 System Need Definition (Requirements) Phase 2 Conceptual Design Phase 3 Application System Architecture (Detailed Design) Phases 4&5 Application & Infrastructure (Development) Phases 6 & 7 Implementation Ongoing Operations

Systems Development Methodology (diagram)
Phases: Requirements, Design, Detailed Design, Development, Implementation, Operations
Overlay: High Level Privacy Assessment, Legal & Policy, Drafting Agreements, Execute Agreements, Detailed Privacy Assessment

Privacy Assessment: High Level Privacy Impact Assessment
- may identify changes needed to the business or existing law.

Legal and Policy
What are the questions that need to be asked?
- Is it good public policy?
- Will it stand up to Public Scrutiny?
- Will it stand up to Audit (good management practices)?
- Is it legal?

Legal and Policy
In summary: Making good public policy decisions includes addressing the Legal, Public Scrutiny, and Audit perspectives.

Legal and Policy
Creating and changing provincial law

Privacy Assessment: Detailed Privacy Impact Assessment
- Final document for audit purposes
- Addresses all of the principles in the privacy framework

Drafting Agreements
Documents that outline the flow of information between one or more trustees of the information for a particular purpose including any conditions that apply.

Drafting Agreements
- Creating Policy
- Education
- Culture

Executing Agreements
It’s (implementation?) time when the agreements are signed!!

Systems Development Methodology (diagram)
Phases: Requirements, Design, Detailed Design, Development, Implementation, Operations
Overlay: High Level Privacy Assessment, Legal & Policy, Drafting Agreements, Execute Agreements, Detailed Privacy Assessment ? ?

Staffing and Project Considerations
- Project Manager
- Business/Systems Analyst
- Policy/Legal Analyst

Project Structure
- Project Management Office
- Business Stream
- Technical Stream
- Policy and Legal
- Project Steering Committee

Summary thoughts
Addressing privacy is good management and helps document the answers to the questions:
- Just because we can do something, “Should we?”
- What happens if something goes wrong?

Privacy Security

Security assessment considerations
What is the appropriate security in response to the privacy requirements?
- Security Controls
- Environment Classification
- Information Classification

Security assessment considerations: Security Controls
- Authentication
- Authorization
- Encryption
- Integrity
- Availability
- Accountability

Security assessment considerations: Environment Classification
- Un-trusted
- Semi-Trusted
- Trusted

Security assessment considerations: Information Classification
- Public
- Internal
- Confidential
- Restricted

Security Classification Matrix

Security Assessment Review
- A document that outlines how well the proposed solution meets the requirements for privacy and security
- Outlines the security factors, the unmitigated risks, and the mitigated risks of proceeding
- Buy versus build
- Companion document to the Privacy Impact Assessment

Documents Attached
- PIA Templates
- Security Cube
- Security Assessment Templates

Documents Attached: Order of use
- Determine business requirements
- Fill in PIA
- Use the Cube document based on the PIA
- Fill in the SAR document based on the proposed technical solution

Questions