1. 1 Secure Commonwealth Panel Health and Medical Subpanel Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013 Virginia Department of Health Cyber Security

2. 2 VDH’s Cyber Security Program VDH defines Cyber Security as: measures taken to protect a computer or computer system against unauthorized access or attack Cyber attacks are the primary cause for data loss and inappropriate access Agencies are responsible for the overall security of data and information necessary to support the mission of the Agency. Infrastructure support is provided by the Virginia Information Technologies Agency

3. 3 Data Repositories Within VDH VDH is responsible for managing information that spans the agency’s public health mission As a result VDH maintains systems containing a variety of data including: Grant/Financial data Regulatory reporting data: Environmental quality, Restaurants, Epidemiological Reporting & Drinking water Patient tracking and scheduling Personally identifiable information (PII) for employees, patients, and volunteers Protected Health Information (PHI) (including both healthcare and surveillance information) Vital records information Autopsy and investigation data on decedents for law enforcement and public health officials

4. 4 Data Governance VDH uses & maintains data & information in compliance with federal & state laws, regulations & requirements. These include: Commonwealth Security Policies and Standards (Information Technology Resource Management (ITRM)) Health Information Portability and Accountability Act (HIPAA) Federal Educational Rights and Privacy Act (FERPA) The Code of Virginia: Including Virginia’s FOIA and the Records Management Program VDH Policies & Standards: Confidentiality & Information Security

5. 5 VDH Information Security Increasingly agencies rely on electronic records & the utilization of information technology to effectively deliver government services VDH’s Information Security Program focuses on providing services that support the agency's mission through enhanced technology and is: Managed to address both business and technological requirements; Risk-based; Aligned to the VDH and Commonwealth policies, priorities and standards; and A balance between access to data and information security

6. 6 VDH Information Security Program VDH Commissioner Chief Information Officer Information Security Officer Privacy Officer Business Owner System Owner Data Owner System / Database Administrator Users Partners/Stakeholders The Program requires collaboration between:

7. 7 Protection of Business Functions & Systems The VDH Information Security Program protects VDH’s critical business functions and systems through the following components: Risk Management IT Contingency Planning IT Systems Security Logical Access Control Data Protection Facilities Security Personnel Security Threat Management IT Asset Management

8. 8 Protection of Business Functions & Systems Oracle based security: Advanced security includes encryption at rest and during transactions System/user monitoring and audit logs Access controlled by user authentication Role based users tied to data and access Accessibility to authorized users IT Systems Security

9. 9 Information Management Program VDH utilizes the Security Life Cycle Approach to manage it’s Information Management Program which consists of: Business Impact Analysis IT System and Data Sensitivity Classification Risk Assessment IT Security Audits IT Contingency Planning

10. 10 Other Security Considerations VDH has governance responsibility for statewide systems such as: The Health Information Exchange and The All Payer Claims Database The collaboration between DMV & DVR The collaboration between Ancestry & Vital Records VDH requires that vendor contracts contain specific language which upholds the vendor to VDH security standards Contract language and other security documents are audited from both an internal and external perspective

11. 11 Information Security Goals Balance the need for information access with the mandate to maintain confidentiality and ensure integrity Deliver the correct data in a secured environment when and where the information is needed Involve key stakeholders in the Security Program whenever possible Provide training and information to data owners so their role is understood