
Security’s role

AAMC/VA Workgroup Security, June 2011. Sarah Daly, CISSP, Office of Cyber Security, Technical Management Services, Policy - OI&T.


Presentation Transcript


  1. AAMC/VA Workgroup Security, June 2011. Sarah Daly, CISSP, Office of Cyber Security, Technical Management Services, Policy - OI&T.

  2. Security’s role
  • Security’s responsibility: to protect the confidentiality, integrity and availability of VHA-owned sensitive research data on IT systems, both within VA and external to VA.
  • At the AAMC Workgroup: worked closely with Gail Belles from VHA to ensure that security was identified and security requirements were addressed.

  3. Key points from workgroup
  • Upon signature of Informed Consent and HIPAA Authorization, the data can be released to the VA affiliate. It is VA’s responsibility to provide them the data securely, but VA should not impose any additional security requirements.
  • The Data Use Agreement and the Security Checklist are required when there is no Informed Consent and HIPAA Authorization.
  • The affiliate completes the Security Checklist.
  • Based on the scoring (the level of security implemented at the affiliate site), the Under Secretary for Health or designee would approve or disapprove the release of data.

  4. Security in the Data Use Agreement
  • How data will be transferred in a secure manner in accordance with VA policy
  • How data will be stored
  • How data will be accessed and accounted for (audited)
  • How long data will be retained
  • How data will be destroyed

  5. Security - addressed in DUA
  • VHA retains ownership of data.
  • Affiliate agrees to be responsible for administrative, technical and physical security of data.
  • Co-mingling is discouraged, but if required, data must be destroyed in accordance with VA (NIST) sanitization requirements.
  • Must store, transport, or transmit VA sensitive information using FIPS 140-2 validated encryption.
  • VHA and VA OIG authorized individuals are to be granted access to the affiliate’s premises to ensure compliance with this agreement.
  • Security incidents must be reported within 1 hour of detection.
  • Security/privacy training is required for those accessing VA data.

  6. Security Tool
  • Completed by the affiliate (the individuals responsible for security of systems at the affiliate’s site).
  • The first part of the tool conforms to federal HIPAA Security mandates.
  • The second part outlines VA-specific requirements.
  • Upon completion of the tool, the score would be used to determine whether appropriate security is in place at the affiliate’s site.
  • Assists the VHA Health Information Office and the Under Secretary for Health in determining whether to provide the information to the affiliate.
