70 likes | 183 Views
AAMC/ va workgroup security june 2011 Sarah Daly, cissp Office of Cyber Security Technical Management Services Policy- oi&t. Security’s role.
E N D
AAMC/va workgroup securityjune 2011Sarah Daly, cisspOffice of Cyber SecurityTechnical Management ServicesPolicy- oi&t
Security’s role • Security’s responsibility – to protect the confidentiality/integrity/availability of VHA owned sensitive research data on IT systems – both within VA and external to VA. • At the AAMC Workgroup – worked closely with Gail Belles from VHA to ensure that security was identified and security requirements were addressed.
KEY POINTs from workgroup • Upon signature of Informed Consent and HIPAA Authorization the data can be released to the VA affiliate - It is VA’s responsibility to provide them the data securely, but VA should not impose any additional security requirements. • The Data Use Agreement and the Security Checklist is required when there is no Informed Consent and HIPAA Authorization. • The affiliate completes the Security Checklist. • Based on the scoring (level of security implemented at the affiliate site) the Under Secretary for Health or designee would approve/disapprove the release of data.
Security in the Data Use Agreement • How data will be transferred in a secure manner in accordance with VA policy • How data will be stored • How data will be accessed and accounted for (audited) • How long data will be retained • How data will be destroyed
Security - addressed in DUA • VHA retains ownership of data. • Affiliate agrees to be responsible for administrative, technical and physical security of data. • Co-mingling is discouraged, but if required must destroy in accordance with VA (NIST) sanitization requirements. • Must store, transport, or transmit VA sensitive information using FIPS 140-2 validated encryption. • VHA and VA OIG authorized individuals are to be granted access to affiliate’s premises to ensure compliance with this agreement. • Security incidents must be reported within 1 hour of detection. • Security/privacy training required for those accessing VA data.
Security Tool • Completed by affiliate (individuals responsible for security of systems at affiliate’s site). • First part of tool conforms to federal HIPAA Security mandates. • Second part outlines VA specific requirements. • Upon completion of tool, the score would be used to determine if appropriate security is in place at affiliate’s site. • Assists VHA Health Information Office and the Under Secretary for Health determine whether to provide the information to the affiliate.