• No results found

VA Data Breach Follow-Up. Adair Martinez, Deputy Assistant Secretary for Information Protection and Risk Management Department of Veterans Affairs

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "VA Data Breach Follow-Up. Adair Martinez, Deputy Assistant Secretary for Information Protection and Risk Management Department of Veterans Affairs"

Copied!
23
0
0

Loading.... (view fulltext now)

Download now ( 23 Page )

Full text

(1)

VA Data Breach Follow-Up

Adair Martinez, Deputy Assistant Secretary

for Information Protection and Risk Management

(2)

2

Incidents In The News - VA Is Not Alone

“Foreign hackers seek to

steal Americans’ health

records”

- Government Health IT, Jan. 17, 2008

“HMO health data stolen –

Laptop had Medicare

information covering

30,000”

- telegram.com, Jan. 25, 2008

“Report: Hacker Attacks

Against Healthcare

Organizations up 85

Percent”

- SC Magazine, Feb. 14, 2008

“Data Leak in Britain

Affects 25 Million”

- New York Times, Nov. 22, 2007

“Data breaches probed at

New Jersey Blue Cross,

Georgetown –

Stolen laptop had

personal data on 300,000…swiped disk

had data on 38,000

(3)

Incident Response In The

Department Of Veterans Affairs

VA has unique factors that impact the number and

severity of security and privacy incidents

Size of the organization

• Over 235,000 federal employees

• Over 100,000 students and contractors

• Over 1,300 facilities including Medical Centers,

Benefits Regional Offices, National Cemeteries,

Outpatient Clinics, Vet Centers, Data Centers,

and Consolidate Mail Outpatient Pharmacies

VA’s major healthcare IT application – VA’s

Computerized Patient Record System (CPRS) –

(4)

4

Incident Response

Where we have

been

Where we are

now

Trends and

metrics

Where we are

going

Tools of the

trade

Lessons learned

(5)

Incident Response

Where We Have Been - The Laptop

May 3, 2006

VA focused efforts

on encrypting all

data taken off site

and tightening

policy to address

this

Laptop and hard

drive were found

(6)

6

Incident Response

Where We Have Been - Unisys

August 3, 2006

VA’s attention

drawn to our

contractor’s level of

security controls

Desktop pc was

recovered

(7)

Incident Response

Where We Have Been - Birmingham

January 22, 2007

Research data

security becomes a

focus within VA

Hard drive has not

(8)

8

Incident Response

Where We Have Been – PL 109-461

Veterans Benefits,

Healthcare and

Information

Technology Act of

2006

VA is the only agency

with its own law

governing

information security

and privacy breaches

It defines how we

report to Congress

Title IX: Information Security

Matters - Department of

Veterans Affairs Information

Security Enhancement Act of

2006

- (Sec. 902) Directs the Secretary to establish and maintain a VA-wide information security program (program) to provide for the development and maintenance of cost-effective security controls needed to protect VA information, in any media or format, and VA information systems. Outlines program elements and requirements, including compliance with information security requirements promulgated by the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB). Outlines program responsibilities of the Secretary, the Assistant Secretary for Information and Technology, the Associate Deputy Assistant Secretary for Cyber and Information Security, and other VA officials. Requires the program to: (1) ensure that information security protections are commensurate with the risk and potential harm from unauthorized access, use, disclosure, disruption, modification, or destruction; and (2) include a plan and milestones of actions being taken to correct any security compliance failure or policy violation.

Directs the Secretary to ensure that, in the event of a data breach with respect to sensitive personal information (SPI) maintained by the VA, a non-VA entity or the VA's Office of Inspector General conducts an independent risk analysis of potential misuse of SPI involved in the breach. Requires the Secretary, if a potential misuse is determined, to provide to affected individuals credit protection services, fraud alerts, and credit monitoring through credit reporting agencies. Requires a report from the Secretary to the veterans' committees after each SPI data breach.

Provides confidentiality requirements for VA contractors who perform any function that requires access to SPI.

Requires: (1) quarterly reports from the Secretary to the veterans' committees on any SPI data breaches; and (2) immediate notification of such committees in the event of a significant SPI data breach.

(9)

Incident Response

Where We Are Now – Reporting Incidents

Trained ISO’s and PO’s

in the field are the first

responders

All security incidents

are reported up

through the VA-NSOC

VA-NSOC and the

Incident Resolution

Team work together to

investigate and bring

closure to incidents

(10)

10

Incident Response – Where We Are Now

Incident

Resolution

Core Team

(IRCT)

Incident

Resolution

Team

(IRT)

(11)

Incident Response

Where We Are Now

OI&T

Information

Protection

Daily Brief

Weekly

Summary of

Major Incidents

Quarterly

Reports to

Congress

(12)

12

VA Information Security Incidents

370

449

413

451

320

342

450

388

427

469

0

50

100

150

200

250

300

350

400

450

500

Jul-07

Aug-07

Sep-07

Oct-07

Nov-07

Dec-07

Jan-08

Feb-08

Mar-08

Apr-08

N

um

be

r of

Ti

c

k

e

ts

(13)

Average Number of Days from a Data Breach to

Mailing of Notification Letters - As of 05/29/08

28 25 24 28 42 43 54 46 40 0 20 40 60 Av e ra g e Nu m b e r o f Da y s

Goal of 30 Days

(14)

14

Education – The Key To Culture Change In The

Information Protection Community

Role-based training

InfoSec conference

ISO Intern program

CISSP certification

program

Annual Cyber Security

Awareness training

Instructor led and

computer based training

The VA Cyber Security

Practitioner program

(15)

Incident Response

Where We Are Going

Handbook 6500.2 – Management of

Security and Privacy Incidents

Addresses roles and responsibilities of the

NSOC, IRCT, ISOs, POs and CIOs in the

incident response process

Implements the policies regarding Incident

Response set forth in Directive and

Handbook 6500

Is in accordance with NIST Special

Publication 800-61

(16)

16

Handbook 6500.2 – Covering The Four

Phases Of An Incident

1.

Preparation

2.

Detection,

Reporting, and

Analysis

3.

Containment,

Eradication and

Recovery

4.

Post–Incident

Activity

(17)

Handbook 6500.2 – The Primary Goals

Of Managing Data Breaches

Providing prompt and accurate

notification and remediation to

those whose PII or PHI have been

compromised

Ensuring continued public trust in

(18)

18

Handbook 6500.2 – Establishing Processes

For Managing Data Breach Incidents

Assessing risk

Establishing a central management

focal point

Implementing appropriate policies and

procedures

Promoting awareness

Monitoring and evaluating policy and

(19)

Handbook 6500.2

Appendix G: Letter Templates

HIPAA Notification Letter

Next-of-Kin Notification Letter

General Notification Letter

Credit Protection Letter

(20)

20

Incident Response

Where We Are Going

VIRTS – VA

Incident Response

Tracking System

Continually

improving the

incident resolution

process

Continually

improving the

incident risk

assessment tool

(21)

The Tools Of The Trade

Credit Protection

Services

Data Breach

Analysis

Independent Risk

Analysis

(22)

22

Incident Response – Lessons Learned

It will happen to you

Be prepared

Have contracts in place

Promote a culture of

awareness and reporting

Education of all staff is

key

An ounce of prevention is

worth a pound of cure

(23)

References

Download now ( PDF - 23 Page - 1.60 MB )

Related documents

DESIGN (Part Ia,Page 1 100)

Lincoln Arc Welding Foundation was created by The Lincoln Electric Company to help advance the progress in welded design and construction.. Through its award

How To Manage Safety

Laboratory quality management system, laboratory quality, laboratory quality systems, laboratory information management, laboratory information system, laboratory documents

ASCO SERIES 185 Power Transfer Switches

ASCO S eries 185P Standby Transfer Load Center Generator Line Power Inlet Box Utility Line Typical Backup Power Circuits Sump Pump Freezer Water Heater Heating System Air

Provided as a courtesy by CPA Trendlines (

In 2012, 92 percent of recruiters used or plan to use social networks/social media in their recurring efforts.. What does this mean for you, as

SPLIT-DOLLAR LIFE INSURANCE AGREEMENT (COLLATERAL ASSIGNMENT, EQUITY, TERM LOAN)

Unless the parties to this agreement specifically notify the (name of) Life Insurance Company to the contrary in writing, all riders shall inure to the exclusive benefit of

Department of Veterans Affairs VA Handbook Information Security Program

Computer Security Plan Development Acquisition Implementation Operation/ Maintenance Determine Security Requirements (including risk assessments) Incorporate Security

VA Office of Inspector General

Recommendation 1: We recommend the Assistant Secretary for Information and Technology identify VA networks transmitting unprotected sensitive data over public Internet

SUMMARY S. XXXX. The Veterans Access to Care through Choice, Accountability, and Transparency Act of 2014

This section would also require the Secretary to ensure non-VA providers submit to the Department any medical record information related to the care and