Secure Commonwealth Panel Health and Medical Subpanel

1. Secure Commonwealth Panel Health and Medical Subpanel Virginia Department of Health Cyber Security Debbie Condrey - Chief Information Officer Virginia Department of Health December 16, 2013

2. VDH’s Cyber Security Program • VDH defines Cyber Security as: measures taken to protect a computer or computer system against unauthorized access or attack • Cyber attacks are the primary cause for data loss and inappropriate access • Agencies are responsible for the overall security of data and information necessary to support the mission of the Agency. Infrastructure support is provided by the Virginia Information Technologies Agency

3. Data Repositories Within VDH • VDH is responsible for managing information that spans the agency’s public health mission • As a result VDH maintains systems containing a variety of data including: • Grant/Financial data • Regulatory reporting data: • Environmental quality, Restaurants, Epidemiological Reporting & Drinking water • Patient tracking and scheduling • Personally identifiable information (PII) for employees, patients, and volunteers • Protected Health Information (PHI) (including both healthcare and surveillance information) • Vital records information • Autopsy and investigation data on decedents for law enforcement and public health officials

4. Data Governance • VDH uses & maintains data & information in compliance with federal & state laws, regulations & requirements. These include:

5. VDH Information Security • Increasingly agencies rely on electronic records & the utilization of information technology to effectively deliver government services • VDH’s Information Security Program focuses on providing services that support the agency's mission through enhanced technology and is: • Managed to address both business and technological requirements; • Risk-based; • Aligned to the VDH and Commonwealth policies, priorities and standards; and • A balance between access to data and information security

6. VDH Information Security Program The Program requires collaboration between: • VDH Commissioner • Chief Information Officer • Information Security Officer • Privacy Officer • Business Owner • System Owner • Data Owner • System / Database Administrator • Users • Partners/Stakeholders

7. Protection of Business Functions & Systems • The VDH Information Security Program protects VDH’s critical business functions and systems through the following components:

8. Protection of Business Functions & Systems

9. Information Management Program • VDH utilizes the Security Life Cycle Approach to manage it’s Information Management Program which consists of:

10. Other Security Considerations • VDH has governance responsibility for statewide systems such as: • The Health Information Exchange and The All Payer Claims Database • The collaboration between DMV & DVR • The collaboration between Ancestry & Vital Records • VDH requires that vendor contracts contain specific language which upholds the vendor to VDH security standards • Contract language and other security documents are audited from both an internal and external perspective

11. Information Security Goals • Balance the need for information access with the mandate to maintain confidentiality and ensure integrity • Deliver the correct data in a secured environment when and where the information is needed • Involve key stakeholders in the Security Program whenever possible • Provide training and information to data owners so their role is understood