HealtheVet Key Aspects

VA Office of Information and Technology
Matt Canavan, VA Director of Client Services, Enterprise Infrastructure Engineering
October 23, 2008

Achieving the Gold Standard in Data Security: Agenda
  • Balance of information protection
  • VA proactive measures
  • Technical controls
  • Integrated technical solutions
  • Removable media and storage
  • Mobile devices
  • Network transmissions
  • Remote access
  • Email and documents / digital rights management
  • Conclusion
Information Security Tipping Point: Finding the Right Balance!
Competing pressures, ranging from information restriction to information access:
  • Federal law
  • Congress
  • OMB
  • Veterans groups
  • Public distrust
  • Litigation
  • Clinical care
  • Research collaborations
  • Training programs
  • Quality improvement
(Info Restriction <-> Info Access)
VA Proactive Measures for Information Protection and Privacy Protection
Management controls:
  • Policy
  • Directives
  • Memoranda
  • Governance
  • EA integration
Technical controls:
  • Removable media & storage
  • Mobile devices
  • Network transmissions
  • Secure remote access
  • Email and documents
  • Digital rights management
  • Laptop encryption
Operational controls:
  • NSOC
  • Training
  • Human resources
  • Standard operating procedures
Enforcement & continuous monitoring spans all three control families.
Technical Controls: A Few Highlights
  • Encrypted most VA laptops (some cannot be encrypted)
  • Issued approximately 12,000 encrypted thumb drives across the Department
  • Issued approximately 143,000 PKI certificates
  • Secure and encrypted file and email software being deployed
  • Mobile device standardization in progress; minimum device requirements will enable devices to support VA security policies (content protection, scanning, and patching)
  • Encrypted network transmissions and port security software being deployed
  • IronPort appliance: from June 1, 2007 through September 30, 2008, the IronPort email appliances stopped 72,206 emails that included a Social Security Number pattern, with a 99.9% accuracy rate
  • Future: provide encrypted email for all veterans, encrypting the messages prior to sending
  • Other filters can be added (HIPAA, etc.)
Layered approach to comprehensive information protection of VA sensitive data.
Removable Media and Storage (CD, thumb drives)
Strategy:
  • Only VA-authorized removable storage media
  • Restrict the transfer of information to removable storage media
  • Thwart introduction of malicious code via removable storage media
Management of removable media and storage:
  • VA Handbook 6500 requires encrypted USB thumb drives
  • Only FIPS 140-2 certified devices permitted
Current status:
  • Actively deploying the technology enterprise-wide, setting standards, and creating policy
Mobile Devices
Strategy:
  • Encryption of data / password protection
  • Converge BlackBerry and smartphone operations and support
  • Only government-owned devices permitted
Management of mobile devices:
  • Establish minimum device requirements
  • Only FIPS 140-2 certified devices permitted
  • Security parameters established by VA Directive 6500
Current status:
  • BlackBerry encryption implemented
  • Standardizing operational and support components and refreshing older devices
Network Transmissions
Strategy:
  • Prevent user IDs, passwords, and data from being transmitted in clear text
  • Help VA meet HIPAA and FISMA compliance
  • Resolve the clear-text telnet and secure file transfer issue
  • Stop transmission of SSNs outside the VA network
Management of network transmissions:
  • Only FIPS 140-2 certified products permitted
  • Supports the PKI infrastructure and smartcard devices for HSPD-12
  • Standardize on the dominant application software
Current status:
  • Standardize the terminal emulator for the Department
  • Eliminate transmission in clear text
  • Enterprise deployment is September 2008
Remote Access
Strategy:
  • RESCUE project will scan all systems connecting via VPN (currently in test)
  • Reduce VPN connections through Outlook Web Access and other secure access methods
  • Handbook 6500: VPN access restricted to valid users and systems
  • Restrict access to a limited number of systems, especially for contract staff
Management of remote access, current status:
  • RESCUE GFE: full deployment by July 2008
  • RESCUE OE: full deployment by July 2008
  • Additional technology being analyzed to control remote access restrictions
Abbreviations: RESCUE = Remote Enterprise Security Compliance Update Environment; GFE = Government Furnished Equipment; OE = Other Equipment.
Digital Rights Management: Email and Documents
Strategy:
  • Encrypt sensitive content (PKI and RMS)
  • Protect inside and outside the trusted network
  • Protect emails and documents during and after delivery
  • Flexibility: RMS is more flexible and complements PKI
Management of email and documents:
  • Restrict document and email distribution, storage, and printing capabilities
  • Allows organizations to track the information
  • Supports smartcard authentication
Current status:
  • IronPort appliance stops 99.9% of SSNs in email from leaving the VA network
  • Microsoft RMS deployment complete: 150K+ clients
  • BlackBerry protection
  • Installing redundant/contingency hardware
  • Public Key Infrastructure: approx. 143,000 certs issued
RMS = Rights Management Services.
Conclusion
VA is thoroughly examining every aspect of its information protection program to ensure that sensitive information, primarily Personally Identifiable Information (PII) and Personal Health Information (PHI), is neither mismanaged nor used for any unauthorized purpose.
"Sensitive Information must be in a protective environment at all times or it must be encrypted." (VA Handbook 6500)
"Using Technology to Protect Privacy"
Presentation of Ned Goldberg, Chief Information Security Officer and Associate Director, FDIC Division of Information Technology
October 23, 2008

Agenda
  • Background
  • Privacy/security protection efforts
  • Privacy protecting technologies
  • Protecting sensitive data in transit: electronic and paper
  • Data loss prevention (DLP) technologies
Background
FDIC is an independent agency created by Congress that maintains the stability of and public confidence in the nation's financial system by insuring deposits, examining and supervising financial institutions, and managing receiverships.
Throughout the FDIC's 75-year history, no one has ever lost a penny of insured deposits as a result of a bank failure.
Background continued
FDIC maintains millions of sensitive paper and electronic records on bank customers and employees, due to:
  • Examination and supervisory activities: FDIC monitors over 5,000 banks, more than half of the institutions in the banking system, for safety and soundness. (VISION, SOURCE, SIMS)
  • Bank closings and receiverships: FDIC performs numerous pre-closing, closing, and post-closing activities that include claims processing, asset marketing, and deploying teams of FDIC staff and IT resources to closing sites. Fifteen banks closed in 2008. (4C, RLS, CAS)
  • HR/personnel activities: FDIC has nearly 4,700 employees located in Washington DC and 6 regional offices across the country and is headed by a Board of Directors. (CHRIS HR, NFE)
The IndyMac Bank closing alone involved nearly 20 terabytes of data!
Background continued
A new web-based effort helps insured depositors know if they're protected.
Background continued
Key drivers behind FDIC's privacy and security protection efforts:
  • Compliance requirements stemming from a range of federal privacy and security laws, regulations, and related OMB guidance.
  • Internal and external audit (OIG, GAO) recommendations.
  • Goal of meeting or exceeding banking sector standards and best practices.
  • Needs of a highly mobile examination and bank closing workforce, who depend on laptops and instant access to large amounts of sensitive data.
  • Significant electronic and paper data stores and sharing = ongoing concern about the potential for data loss and identity theft.
The public expects FDIC to be a responsible steward of their data. Insured depositors can't opt out!
Privacy/Security Protection Efforts
FDIC's risk-based strategy for protecting sensitive data includes an array of management, technical, and operational controls:
  • FDIC directives aimed at protecting sensitive information in paper or electronic form.
  • Comprehensive security and privacy management programs and guiding frameworks.
  • Continuous monitoring of threats to the network and sensitive data.
  • Incident management and response plan.
  • Privacy/security requirements baked into the system development lifecycle (SDLC) process and the contracting process.
  • Continuous assessment of new and existing agency programs and IT systems and applications for privacy/security risks.
  • Use of rights management (Windows Active Directory).
  • Mandatory awareness training for all employees and contractors.
2008 Privacy Awareness Week
Privacy/Security Protection Efforts continued
Protecting sensitive electronic data in transit:
  • FDIC is a small agency with significant electronic data stores: by one estimate, more than 10 times the electronic data of all the printed books and documents in the Library of Congress.
  • Engaged in continuous sharing of sensitive data between FDIC regional and headquarters offices; between FDIC and insured banks; and between FDIC and other federal financial regulators and state banking authorities.
  • A highly mobile workforce requires instant access to sensitive data in both electronic and paper form: nearly 1,400 bank examiners in the field; bank closing teams.
Privacy Protecting Technologies
Protecting sensitive electronic data in transit:
Encryption:
  • 100% of FDIC laptops encrypted (Pointsec)
  • End-to-end and local data encryption enabled on all BlackBerries
  • Encryption of portable storage media (USB, CD/DVD) available from all FDIC desktops and laptops (Pointsec/Roxio)
  • Entrust PKI encryption software available for email and data files
  • PKZIP software available for encrypting data files to be shared external to FDIC
Secure email communication links:
  • Established with most federal regulatory and state banking authorities that FDIC communicates with on a regular basis. Current methods include:
  • Transport Layer Security (TLS/ZixCorp)
  • Encrypted dedicated lines
  • VPN
  • RCN via FDIC's Extranet
Secure remote access:
  • Provides a secure method for accessing the FDIC network from remote sites. Requires use of a token (generates a one-time password) and a PIN.
  • VPN
  • Citrix
  • Soft token
Secure web sites:
  • FDICconnect: secure website for conducting e-commerce with FDIC
  • Extranet: allows B2B communications between FDIC and authorized business partners or individuals
  • Encryption, authentication, user certificates

Privacy Protecting Technologies cont.
Protecting sensitive paper data in transit and in storage:
  • FDIC has significant stores and shipments of paper records containing sensitive information/PII. For example, FDIC records at Iron Mountain take up 2.4 million cubic feet of space, making the agency one of its biggest customers. Additionally, thousands of paper records are stored at FDIC facilities across the country.
  • Extensive shipment of paper records each month due to examination, bank closing, and other mission-critical activities (4,000 shipments each month).
  • FDIC UPS Quantum View: due to experience with a small number of lost boxes containing sensitive bank data, FDIC identified and deployed a new system that provides automated, web-based tracking of express mail shipments containing sensitive data. The system sends alerts when a package is lost or damaged during shipment.
  • Privacy walk-throughs: an ongoing self-assessment program that involves unannounced visits by privacy staff at all headquarters and regional offices to identify potential issues with protecting sensitive paper and electronic records stored in file cabinets and on electronic media (e.g., CD-ROMs).

Privacy Protecting Technologies cont.
Protecting against sensitive data leakages: DLP
  • Data loss prevention (DLP): a new wave of technologies and tools designed to detect and prevent the unauthorized transmission of sensitive information.
  • The software monitors the flow of sensitive information across the corporate network, including data in motion to internal and external destinations, and both structured and unstructured data at rest. It identifies potential security concerns with transmitting PII and business-sensitive information, using a rules-based engine that can identify, flag, notify the sender, or stop the transmission.
  • FDIC acquired a DLP solution in 2007 in response to OMB M-06-16 and M-07-16, which require agencies to take concrete steps to identify and protect sensitive data.
  • Selected Vontu after a review of the top 3 DLP vendors in the market based on Gartner. Decision based on price, flexibility, fit with our infrastructure, and scalability.
  • Steps involved: architect; purchase solution; configure and build solution; deploy solution; and transition to operational status.

Privacy Protecting Technologies cont.
FDIC's DLP program currently is focused on:
  • Social Security Numbers: finding and responding to any instances of unauthorized exposure and transmission of Social Security Numbers (SSNs) that could result in harm to an individual, an FDIC employee, or the Corporation.
  • Performing baseline scanning of the network for any unencrypted outbound email/web traffic that contains SSNs (with the ability to scan for 27 other "policy families", including GLBA and HIPAA).
  • Scanning Windows servers to find any instances of SSNs sitting on a file share that is open to any FDIC user.
  • Alerting FDIC employees about potential data leakages.
  • Managing incidents, including reporting to CSIRT and US-CERT.
  • Developing an awareness campaign in preparation for full implementation.

Privacy Protecting Technologies cont.
Full deployment of DLP will enable FDIC to:
  • Initiate "active blocking": move beyond detection and monitoring and actually prevent unauthorized transmissions of sensitive data, including SSNs/PII, that can occur through outbound email traffic or web browsing.
  • Send automated email notifications to employees, alerting them of a potential policy violation, thereby reducing remediation overhead and risk.
  • User release optional; forced encryption optional.
  • Automatically hold messages and only release them when approved by the user or a manager.

Privacy Protecting Technologies cont.
Additional DLP solution on the horizon to protect structured data:
  • OMB M-06-16 (bullet 4) requires agencies to monitor extractions from enterprise databases.
  • The requirement is to provide transparency and accountability by monitoring user requests for PII at the database level in a multi-tiered application (web server, business logic, and data repository).
  • FDIC has selected the Guardium technology, which has both an agent resident with the database and a network observation appliance that lets the product link user requests to the database fields.
  • The product also provides integration into and auditing of PeopleSoft, Oracle, and SAP.

Privacy Protecting Technologies cont.
9 things to consider when launching DLP tools:
1. Cost of appliances and services.
2. Technical staff and time to configure and operate the system.
3. Determining the information to flag (SSNs, other sensitive data) and threshold levels.
4. Identifying and training "data monitors" on how to use the tools.
5. Staff and process for handling the increased number of incidents.
6. Performing policy and privacy reviews: Acceptable Use Policy and computer log-in consent; Privacy Threshold Analysis, Privacy Impact Assessment, and Privacy Act System of Records.
7. Performing notifications/awareness: legal/HR/union/senior management; awareness campaign.
8. Integrating with incident response processes (FDIC Privacy Incident Response Team and CSIRT).
9. The same tools can't go backwards: they can't be used for forensics.
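The SSN-pattern filtering in the VA IronPort highlights earlier on this page and in FDIC's DLP slides (identify, flag, notify the sender, hold or stop the transmission; threshold levels; user release or forced encryption) comes down to a pattern plus a policy. The following is an added example, not code from either agency's deployment or from the IronPort or Vontu products: it shows the pieces a practitioner would want in such a rule, namely the validity checks that keep the accuracy rate up (SSA never issues area 000, 666 or 900-999, group 00 or serial 0000; a bare nine-digit run only counts when the text talks about SSNs), a threshold between "hold for release" and "block", and masking in the sender notification so the alert does not re-leak the number. The domain agency.example, the sample messages and the thresholds are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Hypothetical agency mail domain (assumption); any other domain is an external recipient.
INTERNAL_DOMAIN = "agency.example"

# Candidate SSN: area-group-serial with the same separator ("-", " " or none) in both gaps,
# not touching another digit or hyphen, so a 9-digit run inside a longer account number is skipped.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# A bare 9-digit run is only credible as an SSN when the text talks about SSNs.
CONTEXT_RE = re.compile(r"\b(ssn|social\s+security|soc\s*sec)\b", re.IGNORECASE)


def is_assignable_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values SSA never issues: area 000, 666 or 900-999; group 00; serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def find_ssns(text: str) -> List[str]:
    """Return normalised SSNs found in text; bare digit runs need a context keyword."""
    has_context = CONTEXT_RE.search(text) is not None
    found = []
    for area, sep, group, serial in SSN_RE.findall(text):
        if sep == "" and not has_context:
            continue
        if is_assignable_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def redact(ssn: str) -> str:
    """Mask for the notification so the alert itself does not re-leak the number."""
    return "***-**-" + ssn[-4:]


@dataclass
class Message:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    encrypted: bool = False   # True when the message is already PKI/RMS encrypted


@dataclass
class Verdict:
    action: str               # ALLOW, NOTIFY, HOLD or BLOCK
    hits: List[str] = field(default_factory=list)
    notice: str = ""          # text for the automated sender notification


def evaluate(msg: Message, notify_at: int = 1, block_at: int = 10) -> Verdict:
    """Rules engine: identify, then flag, notify the sender, hold, or stop the transmission."""
    ssns = find_ssns(msg.subject + "\n" + msg.body)
    if len(ssns) < notify_at:
        return Verdict("ALLOW")
    masked = ", ".join(redact(s) for s in ssns)
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)
    if external and not msg.encrypted:
        # Unencrypted SSNs leaving the network: hold for user/manager release, or stop
        # outright when the volume looks like a bulk extract rather than a slip.
        action = "BLOCK" if len(ssns) >= block_at else "HOLD"
        return Verdict(action, ssns,
                       f"{msg.sender}: {len(ssns)} SSN(s) ({masked}) to external recipient, unencrypted")
    # Internal-only or already encrypted: deliver, but tell the sender what was found.
    return Verdict("NOTIFY", ssns, f"{msg.sender}: {len(ssns)} SSN(s) ({masked}) in outgoing message")


# Constructed sample traffic (not real data): each tuple is (description, message).
SAMPLES = [
    ("slip to external party", Message("jdoe@agency.example", ["claims@lender.example"], "Claim 17",
                                       "Claimant SSN 123-45-6789, please process.")),
    ("look-alikes only", Message("jdoe@agency.example", ["claims@lender.example"], "Refs",
                                 "Invoice 000-12-3456, case 666-12-3456, ref 987-65-4321, part 123-00-4567")),
    ("internal HR mail", Message("jdoe@agency.example", ["hr@agency.example"], "New hire",
                                 "Social Security 321 54 9876 for payroll")),
    ("external but encrypted", Message("jdoe@agency.example", ["bank@lender.example"], "Secure",
                                       "SSN 123-45-6789", encrypted=True)),
]


def run_samples() -> List[str]:
    """Evaluate the constructed samples and return the action for each, in order."""
    return [evaluate(msg).action for _, msg in SAMPLES]


if __name__ == "__main__":
    for (label, msg), action in zip(SAMPLES, run_samples()):
        print(f"{label:25s} -> {action}")
```

Two design points worth noting. The separator must be the same in both gaps and the match may not touch another digit, which is what stops account numbers and ZIP+4 codes from tripping the rule; the context keyword does the same job for unformatted runs. Second, the "hold" path is where the slide's "user release optional; forced encryption optional" lives: an encrypted message to the same external recipient is only notified, never held.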
Privacy Protecting Technologies cont.
Final thoughts about DLP...
  • You can have the best policies, procedures, and technologies in place; people will still make mistakes.
  • DLP can help protect people from accidentally leaking sensitive data that could pose the risk of identity theft and serious disciplinary actions.
  • Based on research (e.g., The Hartford) and our own experience to date, once people know that the tools are out there, there is an immediate impact/drop in issues (even as the result of a phone call!). DLP increases awareness among employees who don't realize they're doing something wrong (e.g., attempting to send unencrypted emails with sensitive agency information).
  • In the event of a worst-case scenario, the incident is known almost immediately, so that appropriate reporting and breach management can occur.

Merging Heritage & Horizon at the Social Security Administration
Steve Kautsch, Associate Commissioner for Systems Electronic Services, Office of Systems
eServices: Navigating Disclosure Issues
Presented to the Federal Privacy Summit, October 23, 2008
eService Timeline (1994 to 2007)
Milestones shown on the slide: first online eService; Personal Earnings and Benefit Estimate Statement (mailed PEBES); 800# interactive voice response; iRIB retirement application; SocialSecurity.gov is launched; PEBES taken down; 1 millionth email inquiry; VA laptop stolen; online wage reporting; 1 millionth online retirement claim.
From its inception, privacy considerations have shaped the program.
We provide 18 Internet and automated 800# eServices for the
Key Privacy Principles
  • Right of individuals to easily access their records that are held by others, and
  • Obligation of record holders to protect personal information from unauthorized and improper disclosure
SSA's eServices Program Objectives
  • Fulfill the rapidly growing expectation for convenient, effective, and secure electronic service delivery options for the public and our business partners; and
  • Provide better service to all our clients by offsetting projected workload growth as the baby boomers reach their retirement and disability-prone years.
The Silver Tsunami
[Chart; source: Social Security Office of the Actuary]
Challenges We Face
  • 80 million Boomers will reach their disability-prone years and retirement age over the next two decades; about 10 thousand per day
  • Retirement claims will increase by 40% and disability claims by 10% over the next decade
  • Disability claims are SSA's largest operational workload
  • 40% of SSA employees will be retirement eligible by 2010
Baby Boomers Online
  • The number of Internet users age 55+ is roughly the same as those who are aged 18 to 34.
  • There are 78 million baby boomers, roughly three times the number of teenagers, and most of them are Internet users who learned computer skills in the workplace (NY Times, 9/12/07).
Security Threats
Software:
  • Malware: worms, Trojans, rootkits, logic bombs, persistent bots, spyware, etc.
  • Spoofing and masquerade
  • Spamming
  • Missing security patches
  • Web application security exploits, e.g. SQL injection
  • Key-logging
Hardware:
  • Key-logging
  • USB thumb drives
  • Web architecture
  • Lost laptops/BlackBerries
Physical:
  • Shoulder surfing
  • Insider attacks (employees)
  • Social engineering
Architectural Safeguards
  • Robust Internet architecture: DMZ/firewalls
  • State-of-the-art application authentication and authorization (ACU)
  • Communication over SSL/TLS
  • Data from US-CERT (United States Computer Emergency Readiness Team)
  • National Vulnerability Database (NVD): 15,000 vulnerabilities catalogued
  • Penetration testing
  • Intrusion detection
Internet Project Life Cycle
  • Business risk assessment
  • Project-specific risk assessment
  • Security risk assessment
  • Authentication risk assessment
  • Privacy impact assessment
Authentication
To securely move work online, we must be able to remotely determine that the user really is who they claim to be.
E-authentication consists of 3 steps:
  • Registration with identity proofing
  • Issuing of credentials
  • Authenticating the credential
OMB/NIST guidance (the OMB M-04-04 assurance levels):
  • Level 1: little or no confidence in the asserted identity
  • Level 2: some confidence in the asserted identity
  • Level 3: high confidence in the asserted identity
  • Level 4: very high confidence in the asserted identity
Authentication Challenges
Level 2:
  • Knowledge-based authentication
  • PIN/password
  • Federated model: E-Authentication pilot
Level 3:
  • Two-factor authentication
  • Risk mitigation features
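FDIC's remote access slide above (a token that generates a one-time password, plus a PIN) and SSA's Level 3 two-factor authentication rest on the same mechanism: something the user holds produces a code the server can recompute, and something the user knows is checked alongside it. The following is an added example, not code from either agency; neither slide names the token product, so it uses the open HOTP algorithm from RFC 4226 (counter-based HMAC-SHA-1 with dynamic truncation) as a stand-in, together with the server-side checks that make such a token usable as a second factor: a look-ahead window for a token that has drifted ahead of the server, counter advance so a code can never be replayed, no counter advance when the PIN is wrong, and constant-time comparison of both factors. The secret is the RFC's published test-vector key, so the codes can be checked against its Appendix D; the PIN, salt and window size are constructed.

```python
import hashlib
import hmac
import struct

# Assumed demo secret: the RFC 4226 reference test-vector key. A real token holds a
# per-device random key; it is shown here only so the codes match the RFC's table.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "2468"      # constructed sample PIN, the "something you know" factor
LOOK_AHEAD = 5         # how far the server tolerates a token drifting ahead (assumption)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: dynamic truncation of HMAC-SHA-1(K, C) to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 so the PIN is never stored in clear; the iteration count is a modest demo value.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenVerifier:
    """Server-side record for one user: token key, next expected counter, hashed PIN."""

    def __init__(self, secret: bytes, pin: str, look_ahead: int = LOOK_AHEAD):
        self.secret = secret
        self.counter = 0                      # next counter value the server will accept
        self.look_ahead = look_ahead
        self.salt = b"demo-salt-not-random"   # constructed; use os.urandom(16) in practice
        self.pin_hash = _hash_pin(pin, self.salt)
        self.failures = 0                     # feed this into a lockout policy in practice

    def verify(self, pin: str, code: str) -> bool:
        # Evaluate both factors before deciding, so the caller cannot tell which one failed.
        pin_ok = hmac.compare_digest(self.pin_hash, _hash_pin(pin, self.salt))
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead):
            # Walk the whole window rather than breaking early, to keep timing uniform.
            if matched is None and hmac.compare_digest(hotp(self.secret, c), code):
                matched = c
        if not (pin_ok and matched is not None):
            self.failures += 1
            return False
        # Replay protection: advance past the used counter so the same code never works twice.
        self.counter = matched + 1
        self.failures = 0
        return True


if __name__ == "__main__":
    v = TokenVerifier(DEMO_SECRET, DEMO_PIN)
    for c in range(3):
        print(c, hotp(DEMO_SECRET, c))
    print("first use:", v.verify(DEMO_PIN, hotp(DEMO_SECRET, 0)))
    print("replay:   ", v.verify(DEMO_PIN, hotp(DEMO_SECRET, 0)))
```

The look-ahead window is the trade-off a practitioner has to pick: too small and a user who pressed the token button a few times without logging in is locked out, too large and an attacker who captured one code gets more guesses before it expires; RFC 4226 also recommends a throttling or lockout policy on the failure counter kept above.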
Risk Mitigation Strategies
  • Privacy expert consultations
  • External stakeholder involvement
  • Congressional briefings
  • Social Security Advisory Board
  • National Academies of Sciences report
Closing Thought
"...even though SSA came under criticism for making personal information available on the Internet, the agency was attempting to uphold one of the most important privacy principles - the right of individuals to get access to their own records held by others, to ensure that the information is accurate and complete, and to make corrections if necessary. In the area of Social Security contributions, this is particularly important for American taxpayers. Privacy laws are not just about restricting access to personal information. They also require that organizations in possession of personal information make sure that the individuals to whom the information relates are able to get access to their data easily and cheaply. If SSA is to be faulted, it should not be for their effort to make the PEBES more readily available."
Marc Rotenberg, Executive Director, Electronic Privacy Information Center, testimony before the House Committee on Ways and Means, Subcommittee on Social Security, 1997