Privacy and Security of Navy Medicine Information and Information Systems

Presentation Transcript


    1. Privacy and Security of Navy Medicine Information and Information Systems
       CDR Rich Makarski, MSC, USN
       Director, BUMED-M62 IM/IT Privacy and Security

    2. Learning Objectives
       FOR OFFICIAL USE ONLY
       - Navy Medicine CIO/BUMED M6 Office
       - Privacy and Security Scope and Applicability
       - Information and Information Systems
       - Safeguarding Information (Data Sharing Agreements (DSAs)) and Information Systems (IA Review)
       - Frequently Asked Questions
       - Resources

    3. Navy Medicine CIO Mission
       - Principal staff advisor for Navy Medicine Information Management (IM)/Information Technology (IT) services
       - Develops and oversees IM/IT policy as authorized by law or regulations

    4. BUMED M62 – IT Privacy and Security

    5. BUMED M62 Key Functions
       - M62 provides IA policy, oversight and compliance reporting for the enterprise
       - Primary goal is to protect information and information systems from unauthorized use, disclosure, access, modification and disruption
       - IA is defined as the measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation (DoDD 8500.1E)

    6. Scope: Information
       “PII Has No Shelf Life” (DON CIO Privacy Team Lead)
       CNSSI 4009: Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
       Reference: http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf

    7. What is PII?
       Information which can be used to:
       - Distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or
       - When combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

    8. Scope: Information
       Non-Sensitive PII, releasable under FOIA/authorized DON use; “low risk”:
       - Badge number
       - Job title
       - Pay grade
       - Office phone number
       - Office address
       - Office email address
       - Full name

    9. Scope: Information Systems
       - Networks
       - Automated Information System applications
       - Mobile computing devices (laptops, handhelds, personal digital assistants)
       - Medical devices
       Speaker notes: Now that we have discussed information and information systems and what this means, we will discuss how we protect them.

    10. Protect: Information

    11. Privacy Fundamentals
       - Minimum Necessary Rule: limit the use, disclosure, or request of PII/PHI to the minimum necessary to accomplish the intended purpose
       - Need to Know: the person needs to know that information in order to perform lawful and authorized government functions. It is not based on security clearance eligibility alone
       - Beware of Data Aggregation! Some data may not be sensitive by itself, but combined with other information it may become more sensitive and even require classification.
       Speaker notes: A general support office rolodex with a name, phone number, etc. would not likely be considered sensitive until it was aggregated with a database of patients at a clinic which treats contagious disease.

    12. In the News
       Speaker notes: Other examples:
       1) Bank of America lost computer tapes containing personal information on up to 1.2 million federal employees, including some members of the U.S. Senate (2005)
       2) VA loss of a desktop containing data on 38,000 veterans (2006)
       3) SAIC loss of beneficiary data (including Navy) from a server; over 600,000 individuals affected (2007; cost over $10 million in SAIC response expense)
       4) George Clooney / Britney Spears: medical staff reviewing medical records without a need to know

    13. To Err is Human
       - SSN is the most frequently lost, stolen or compromised PII data element – 68% (24% medical information, 5% financial, 3% passport)
       - Improperly disclosed by:
         - Sending in an email or attachment
         - Recall rosters with SSN
         - Posting names with SSN to web portals or shared drives
       Source: CHIPS, January - March 2011, page 17, DON CIO

    14. Protecting Information and Information Systems
       Information Systems – Primary Focus: Security
       - Administrative: policies and procedures, e.g. incident reporting, compliance reporting, role-based access
       - Technical: data encryption, digital signatures and passwords
       - Physical safeguards: identification badges, combination locks
       Speaker notes: M62 is responsible for the privacy of information and the security of information systems. Privacy and security are two concepts that are very interdependent, and several examples are provided in this slide. As you remember from the prior slide, M62's primary goal is to protect information and information systems from unauthorized use, disclosure, access, modification and disruption. Let's now review one process for protecting information that you may encounter as an analyst: data sharing agreements.

    15. In the News
       Speaker notes: Arai is a Director of an NIH program.

    16. Data Sharing Agreements (DSA) - Protecting Information
       - Facilitate the review and endorsement or approval of Navy Medicine and TRICARE Management Activity (TMA) DSAs
       - Required when there is a request to use and/or disclose MHS data owned and/or managed by Navy Medicine or TMA, between Navy or TMA and a contractor, academic institution, other Service, Federal Government or state agency
       - Ensures uses and disclosures of Military Health System (MHS) data meet both Navy and DoD regulatory requirements
       - Requires the contract to contain a Business Associate Agreement clause
       - Different from Memoranda of Understanding/Agreement, which define general areas of understanding and roles and responsibilities and are not data focused
       Speaker notes: Contact M62 if you have any questions regarding DSAs. In regards to protecting information systems, the area you may have the most questions about is what analytical tools are approved for your use and how to gain access to new ones.

    17. Approved Software Applications – Protecting Information Systems
       - Developing models, macros and other ways to enhance the way you work within DON Application and Database Management System (DADMS)-approved applications, e.g. Microsoft Office, Statistical Analysis Software (SAS), Oracle, Statistical Package for the Social Sciences (SPSS)
       - It’s NOT OK to compile homegrown programs to create a new application or tool, e.g. using Visual Basic or C++ to create a patient scheduling system
       - Ask your local IT department if the software application you are interested in is already approved in DADMS
       Speaker notes: What can you do if you want access to a new software tool that is not in DADMS? Governance is the formalized process to evaluate users' requests for new products or systems in Navy Medicine.

    18. Navy Medicine Frequently Asked Questions (FAQ)
       Data At Rest (DAR) Solution
       - GuardianEdge – DAR encryption management solution. Will eventually apply to all laptops, desktops, and portable electronic devices to ensure controlled unclassified information such as PII is adequately protected.
       - Interim solution: WinZip 9.0 or higher per DTG 171952Z APR 07. Passwords should be at least 9 characters long and contain an upper case letter, a lower case letter, a number and a special character.

    19. Navy Medicine FAQs
       Flash Drive Technologies / Removable Media
       - Still prohibited on all Navy networks (see GENADMIN COMFLTCYBERCOM DTG 242316Z FEB 10)
       - Specific software, hardware and processes must be in place before Navy Medicine users will be allowed to return to routine use of flash media
       - Key: must be a Government procured and owned device; a mission essential requirement and DAA approval are required prior to use for thumb drives, memory sticks, and memory cards

    20. Navy Medicine FAQs
       Email
       - DON-provided official email accounts are mandatory for conducting official business
       - Commercial email (web-based or otherwise) for official business is restricted to mission essential use, and only when a DON-provided email account is unavailable
       - Unapproved accounts, such as AOL, HOTMAIL or YAHOO, will not be used for official business
       - Auto-forwarding official email to a commercial email account (to include web-based email) is strictly prohibited
       - Emails with PII/PHI must be digitally signed and encrypted
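Slide 13 names the usual SSN disclosure paths (email bodies and attachments, recall rosters, shared drives) and slide 20 states the rule that mail carrying PII/PHI must be digitally signed and encrypted and must not go to commercial accounts. The following is an added example, not code from the briefing or from BUMED, of a small DLP-style check a defender could run over an outgoing message before it leaves: it finds plausible US-format SSNs in a message and its attachments, reports them masked so the scanner's own output is not PII, and flags the message when the signing/encryption rule or the commercial-account rule is violated. The recall roster, the addresses and the `OutgoingEmail` structure are constructed for the example; the unissued-number rules (area 000, 666, 900-999, group 00, serial 0000) are the SSA's published structural rules, not a lookup against any real data.

```python
"""DLP-style check for the SSN disclosure paths named in slide 13 and the e-mail
rule in slide 20. Added example, not code from the briefing or from BUMED.
Assumes US SSN formatting; all sample text below is constructed."""
import re
from dataclasses import dataclass, field

# Three-two-four digit groups, optionally separated by '-' or ' ', and not part of
# a longer digit run (so phone numbers, ZIP codes and document ids do not match).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[dict]:
    """One finding per plausible SSN: line number plus a masked value.
    The full number is never returned, so the scanner's output is not itself PII."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                findings.append({"line": lineno, "masked": f"***-**-{m.group(3)}"})
    return findings


@dataclass
class OutgoingEmail:
    """Constructed stand-in for a draft message as a mail gateway might see it."""
    to: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # filename -> extracted text
    signed: bool = False      # digitally signed?
    encrypted: bool = False   # encrypted to the recipient?


UNAPPROVED_DOMAINS = {"aol.com", "hotmail.com", "yahoo.com"}  # the accounts slide 20 names


def check_outgoing_email(msg: OutgoingEmail) -> list[str]:
    """Apply the briefing's rules: PII/PHI mail must be signed and encrypted, and
    official mail does not go to unapproved commercial accounts."""
    problems = []
    domain = msg.to.rsplit("@", 1)[-1].lower()
    if domain in UNAPPROVED_DOMAINS:
        problems.append(f"recipient {msg.to} is an unapproved commercial account")
    hits = find_ssns(msg.body)
    for text in msg.attachments.values():
        hits += find_ssns(text)
    if hits and not msg.signed:
        problems.append(f"{len(hits)} SSN(s) found but message is not digitally signed")
    if hits and not msg.encrypted:
        problems.append(f"{len(hits)} SSN(s) found but message is not encrypted")
    return problems


# Constructed recall roster: a hyphenated SSN, a space-separated one, an unissued
# area number that must be ignored, and a long document id that must not match.
RECALL_ROSTER = """\
RECALL ROSTER (constructed sample; every value is fictitious)
Name                Office phone    SSN
LT A. Example       202-555-0100    123-45-6789
HM2 B. Sample       202-555-0101    234 56 7890
CIV C. Placeholder  202-555-0102    000-12-3456
Document id 9876543210
"""

if __name__ == "__main__":
    for f in find_ssns(RECALL_ROSTER):
        print(f"line {f['line']}: {f['masked']}")
    draft = OutgoingEmail(to="analyst@med.navy.mil", body="Recall roster attached.",
                          attachments={"roster.txt": RECALL_ROSTER})
    print(check_outgoing_email(draft))   # two problems: not signed, not encrypted
    draft.signed = draft.encrypted = True
    print(check_outgoing_email(draft))   # []
```

The masked output is deliberate: a scanner that echoes full SSNs into a log or a ticket recreates the disclosure it is meant to catch. The structural filter keeps office phone numbers, ZIP codes and long identifiers out of the findings, but it is a pattern match, not proof that a value is a real SSN, so a hit should be treated as a reason to stop and review the message rather than as a confirmed incident.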

    21. Navy Medicine IM/IT Governance Process
       Governance describes the mechanisms an organization uses to ensure that its constituents follow established processes and policies. It is the primary means of maintaining oversight and accountability in a loosely coupled organizational structure. A proper governance strategy implements processes to monitor and record what is going on, takes steps to ensure compliance with agreed policies, and provides for corrective action.
       Decision rights, processes, and framework to ensure Navy Medicine IM/IT strategic goals and objectives are achieved include:
       - Navy Medicine IM/IT Governing Boards
       - Review of IM/IT Capability Requests (new and enhancements)
       - Annual and Interim Program/Project Reviews (IPRs)
       - Portfolio Management (PfM)
       - External Compliance (databases and reporting formats)
       - Information Assurance
       Speaker notes:
       - Navy Medicine IM/IT Governing Boards: Capabilities Management Working Group (CMWG), Management and Control Board (MCB), Corporate Executive Board (CEB)
       - Annual and Interim Program/Project Reviews (IPRs) of cost (budget and execution), schedule, and performance
       - Portfolio Management (PfM): the process is also used to provide oversight, prioritization, and funding decisions through a structured Portfolio Management (PfM) methodology
       - External Compliance (databases and reporting formats): DADMS, DITPR, DHP-SIRT, IT53, Exhibit 300

    22. Governance Policy and Support
       * Bold and blue highlighted items are Information Assurance related

    23. Navy Medicine IM/IT Governance Overview

    24. IA Activities Within Each Governance Step
       Step 7 (Technical Evaluation and Project Analysis): IA Analysis & Cost Estimate
       - Within Navy Medicine there are four different IA paths by which IT systems can obtain an Approval To Operate (ATO) on NAVMED networks:
         - Full DIACAP
         - Platform IT (PIT)
         - Desktop Application (process still in development)
         - Web-based System (process still in development)
       - Each IA path has an associated cost for resources and management
       - Step 7 provides the IA path forward and associated costs to Navy Medicine
       Step 9 (Project Execution and Management): IA Execution and Management
       - Each of these paths has varying requirements that need to be fulfilled in order to successfully receive approval, with varying timelines and documentation requirements to execute
       - IA activities are budgeted, prioritized, and executed against available funds and resources

    25. To Initiate Governance Process
       If the IM/IT investment is already registered for Navy Medicine within DADMS (DON Application and Database Management System):
       - If the correct version is in DADMS: complete the Unique Identifying Code (UIC) Association Questionnaire and send it to NAVMED-FAM_DADMS@med.navy.mil
       - If a different version is being requested: complete the Version Upgrade Questionnaire and send it to NAVMED-FAM_DADMS@med.navy.mil
       For a new IM/IT capability request:
       - Complete the 2-pager (with all necessary signatures) and send it to Governance@med.navy.mil
       All templates are available on the Governance SharePoint site: https://esportal.med.navy.mil/bumed/m6/governance/default.aspx
       * You will need to register to have access to this site

    26. Governance Contact Information
       - Rolando Estrada – M61, Director for Programs and Governance, rolando.estrada1@med.navy.mil, (202) 762-0385
       - Gary Stevens – M61, Deputy Director for Programs and Governance, gary.stevens@med.navy.mil, (202) 762-3319
       - Navy Medicine IM/IT Governance Team: Governance@med.navy.mil
       - Navy Medicine DADMS Team: NAVMED-FAM_DADMS@med.navy.mil

    27. Navy Medicine CIO Resources
       - BUMED-M62 IT Privacy and Security: https://es.med.navy.mil/bumed/m6/m62/default.aspx, Email: BUMED-M62@med.navy.mil
       - BUMED-M61 IT Governance: https://es.med.navy.mil/bumed/m6/governance/default.aspx, Email: Governance@med.navy.mil

    28. M62 Point of Contact
       CDR Rich "Ski" Makarski, MSC, USN, MS ITM, MBA
       BUMED-M62, Dir IT Security & Privacy
       Bldg 1, 2nd Deck, Room 1212, Navy Medicine CIO Office
       2300 E Street NW, Washington, DC 20372
       richard.makarski@med.navy.mil
       Navy Medicine Office: 202.762.0037 or 202.762.3180
       Navy Cell (Blackberry): 202.431.8734
       https://es.med.navy.mil/bumed/m6/m62/default.aspx
       Naval Postgraduate School 2002 Alumni

    29. Questions? “Good ideas are not adopted automatically. They must be driven into practice with courageous patience.” ~ Hyman Rickover

    30. Resources
       - RISOs – first line of assistance after the local MTF ISO; collaborate with BUMED & NAVMISSA on all IA matters
       - BUMED M62 – policy clarification, communication, creation; oversight, compliance reporting
       Web source: https://es.med.navy.mil/bumed/m6/m62/default.aspx
       Email: BUMED-M62@med.navy.mil

    31. Know Your Navy Medicine Policies
       - NAVMED Policy 09-016, PII Incident Reporting
       - NAVMED Policy 08-005, E-mailing PII and PHI
       - BUMEDINST 5239.2, Protection of DAR
       - SECNAVINST 5239.3B, IA Policy
       - SECNAV M-5510.30, Personnel Security
       - SECNAV M-5510.36, Information Security
       - DON CIO Naval Message: DTG 201839Z NOV 08, Protecting PII on DON Shared Drives and Application Based Portals
       - DTM 09-026, “Responsible and Effective Use of Internet-Based Capabilities”
