Securing VHA's Healthcare Systems Environment - PowerPoint PPT Presentation

About This Presentation
Title:

Securing VHA's Healthcare Systems Environment

Description:

Frank Marino, Director, Health Information Security Service. Ray Sullivan, CIO, VISN 20 ... RAS/Firewalls/VPNs. Most network traffic is local to VISN WAN: ... – PowerPoint PPT presentation

Slides: 10
Provided by: albanyoifi

Transcript and Presenter's Notes

Title: Securing VHA's Healthcare Systems Environment


1
Securing VHA's Healthcare Systems Environment
  • VA National CIO Conference
  • February 25 - March 1, 2002

2
Panel Members
  • Gail Belles, ACIO for Customer Support
  • Mark Cecil, Chief, Technology Mgt., Boise VAMC
  • Frank Marino, Director, Health Information
    Security Service
  • Ray Sullivan, CIO, VISN 20
  • John White, ISO, VISN 20

3
RAS/Firewalls/VPNs
  • Most network traffic is local to VISN WAN
  • National Access Points could potentially isolate
    a VISN WAN from remote sites; stability and
    redundancy will be critical
  • Keeping traffic local potentially limits impact
    of attacks and vulnerabilities; however, lack of
    strong certification process and IDS increases
    vulnerabilities to entire VA network
  • Locally managed systems provide for rapid
    response to VISN needs; centralized management
    could limit tailoring to VISN/site needs
  • Need VPN encryption of sensitive information
  • Need strong enforcement of port/protocol policy
  • We need strong active monitoring

4
PKI and IDS
  • Common strategy
  • One PKI solution for agency
  • Interoperability with the common operating
    environment (COE)
  • Input from Administrations
  • PKI management issues: registration, revocation,
    management of certificates
  • Supportable/maintainable/reasonable
  • Token form factors: soft or hard tokens. Soft
    tokens include hard disk or floppy diskette;
    hard tokens include Smart Cards with PIN protection
  • IDS needs to be common and consistent from top to
    bottom and accessible from site and VISN levels

5
Medical Devices
  • Vendor systems need our patient data
  • Remote access - lower cost contracts
  • Implementations vary widely
  • Non-networked DOS to networked Windows
  • Security agreements w/vendors
  • Interface security

6
VistA Systems
  • Common security strategy
  • Single sign-on
  • Password management
  • Role-based Access Controls
  • Protection of data - veteran trust
  • HIPAA
  • Auditing

7
GISRA Remediation (Government Information
Security Reform Act)
  • Requires a strategy to correct security
    weaknesses
  • VA GISRA database developed to monitor and track
    compliance
  • Each ISO, IRM Chief and System Manager will have
    access
  • Database contains 247 questions, each with 6
    levels for every system identified
  • HISS is working with sites and OCS staff to meet
    current requirements and identify remaining
    vulnerabilities

8
Certification & Accreditation
  • Applies to all systems, including:
  • New systems, existing systems, major system
    modifications, decommissioned systems
  • Process: VA Information Technology Security
    Certification and Accreditation Program (ITSCAP)
  • Vehicle: VA 6214 Policy and Handbook
  • Roles and responsibilities for C&A of VHA systems
    must be clearly defined

9
Wrap-up/Q&A