VA Office of Information and Technology
Matt Canavan – VA Director of Client Services - Enterprise Infrastructure Engineering
October 23, 2008

HealtheVet Key Aspects


Page 2: HealtheVet Key Aspects

Agenda

• Balance of Information Protection
• VA Proactive Measures
• Technical Controls
• Integrated Technical Solutions
• Removable Media and Storage
• Mobile Devices
• Network Transmissions
• Remote Access
• Email and Documents/Digital Rights Management
• Conclusion

Achieving the Gold Standard In Data Security

Page 3: HealtheVet Key Aspects

Information Security Tipping Point

Info Access: Clinical Care, Research collaborations, Training Programs, Quality improvement

Info Restriction: Federal law, Congress, OMB, Veterans groups, Public distrust, Litigation

Finding the Right Balance!

Page 4: HealtheVet Key Aspects

VA Proactive Measures for Information Protection and Privacy Protection

Management Controls: Policy, Directives, Memoranda, Governance, EA Integration

Operational Controls: NSOC, Training, Human Resources, Standard Operating Procedures

Technical Controls: Removable Media & Storage, Mobile Devices, Network Transmissions, Secure Remote Access, Email and Documents, Digital Rights Management, Laptop Encryption

Enforcement & Continuous Monitoring

Page 5: HealtheVet Key Aspects

Technical Controls – A few Highlights

• Encrypted most VA laptops (some cannot be encrypted)
• Issued approximately 12,000 encrypted thumb drives across the Department
• Issued approximately 143,000 PKI certificates
• Secure and encrypted file and email software being deployed
• Mobile device standardization in progress
• Minimum device requirements will enable devices to support VA security policies – content protection, scanning, and patching
• Encrypted network transmissions and port security software being deployed
• Iron Port Appliance - June 1, 2007 through September 30, 2008, the Iron Port email appliances have stopped 72,206 emails that included a Social Security Number pattern – 99.9% Accuracy Rate
• Future – Provide encrypted email for all veterans - encrypt the email messages prior to sending. Can include other filters – HIPAA… etc.

Layered Approach to Comprehensive Information Protection of VA Sensitive Data

Page 6: HealtheVet Key Aspects

Removable Media and Storage

• Actively Deploying technology – Enterprise, Standards, and create Policy

• Only VA authorized removable storage media
• Restrict the transfer of information to removable storage media
• Thwart introduction of malicious code via removable storage media

• VA Handbook 6500 requires encrypted USB Thumb Drives
• Only FIPS 140-2 certified permitted

Panel labels: Current Status; Management of Removable Media and Storage; Removable Media and Storage (CD, thumb drives) Strategy

Page 7: HealtheVet Key Aspects

Mobile Devices

• Blackberry encryption implemented
• Standardize Operational and Support components and refreshing older devices

• Encryption of data/password protection
• Converge Blackberry and Smart Phone Operations and Support
• Only government owned devices permitted

• Establish minimum device requirements
• Only FIPS 140-2 certified permitted
• Security parameters established by VA Directive 6500

Panel labels: Current Status; Management of Mobile Devices; Mobile Device Strategy

Page 8: HealtheVet Key Aspects

Network Transmissions

• Standardize terminal emulator for the Department
• Eliminate Transmission in clear text
• Enterprise deployment is September 2008

• Prevent User ID, passwords and data from being transmitted in clear text
• Help VA meet HIPAA, FISMA compliance
• Resolving telnet and secure file transfer issue.
• Stop transmission of SSNs outside VA network

• Only FIPS 140-2 Certified Permitted
• Supports PKI infrastructure and smartcard devices for HSPD-12
• Standardize on dominant application software

Panel labels: Network Transmissions Strategy; Management of Network Transmissions; Current Status

Page 9: HealtheVet Key Aspects

Remote Access

• RESCUE GFE – full deployment by July 2008
• Additional technology being analyzed to control remote access restrictions
• RESCUE OE – full deployment by July 2008

• RESCUE* project will scan all systems connecting via VPN – currently in test
• Reduce VPN connections through Outlook web access and other secure access methods

• Handbook 6500
• VPN access restricted to valid users and systems
• Restrict access to limited number of systems – especially contract staff

* Remote Enterprise Security Compliance Update Environment (RESCUE)
* Government Furnished Equipment (GFE)
* Other Equipment (OE)

Panel labels: Remote Access Strategy; Management of Remote Access; Current Status

Page 10: HealtheVet Key Aspects

Digital Rights Management

• Deployment Microsoft RMS* complete – 150K+ clients
• Blackberry Protection
• Installing redundant/contingency hardware
• Public Key Infrastructure – approx. 143,000 certs issued

• Encrypt sensitive content (PKI and RMS*)
• Protect inside and outside the trusted network
• Protect emails and documents during and after delivery
• Flexibility – RMS more flexible, complements PKI
• Restrict document and email distribution, storage capabilities and printing capabilities
• Allows organizations to track the information
• Supports smartcard authentication
• Iron Port Appliance – Stops 99.9% of SSNs in email from leaving the VA network

* Rights Management Services (RMS)

Panel labels: Email and Documents Strategy; Management of Email and Documents; Current Status

Page 11: HealtheVet Key Aspects

Conclusion

VA is thoroughly examining every aspect of our information protection program to ensure that sensitive information, primarily Personally Identifiable Information (PII) and Personal Health Information (PHI), is neither mismanaged nor used for any unauthorized purpose.

“Sensitive Information must be in a protective environment at all times or it must be encrypted”

VA Handbook 6500

Page 12: HealtheVet Key Aspects

“Using Technology to Protect Privacy”

Presentation of Ned Goldberg
Chief Information Security Officer and Associate Director
FDIC Division of Information Technology
October 23, 2008

Page 13: HealtheVet Key Aspects

Agenda

• Background
• Privacy/Security Protection Efforts
• Privacy Protecting Technologies
  – Protecting sensitive data in transit – electronic and paper
  – Data loss prevention (DLP) technologies

Page 14: HealtheVet Key Aspects

Background

FDIC is an independent agency created by Congress that maintains the stability and public confidence in the nation’s financial system by insuring deposits, examining and supervising financial institutions, and managing receiverships.

Throughout the FDIC’s 75-year history, no one has ever lost a penny of insured deposits as a result of a bank failure.

Page 15: HealtheVet Key Aspects

Background continued

FDIC maintains millions of sensitive paper and electronic records on bank customers and employees, due to:

Examination and Supervisory activities: FDIC monitors over 5,000 banks – more than half of the institutions in the banking system – for safety and soundness. (VISION, SOURCE, SIMS)

Bank Closings and Receiverships: FDIC performs numerous pre-closing, closing, and post-closing activities that include claims processing, asset marketing, and deploying teams of FDIC staff and IT resources to closing sites. Fifteen banks closed in 2008. (4C, RLS, CAS)

HR/Personnel activities: FDIC has nearly 4,700 employees located in Washington DC and 6 regional offices across the country and is headed by a Board of Directors. (CHRIS HR, NFE)

Indymac Bank closing alone involved nearly 20 terabytes of data!

Page 16: HealtheVet Key Aspects

Background continued

New web-based effort helps insured depositors know if they’re protected:

Page 17: HealtheVet Key Aspects

Background continued

Key drivers behind FDIC’s privacy and security protection efforts:

• Compliance requirements stemming from range of Federal privacy and security laws, regulations and related OMB guidance.
• Internal and external audit (OIG, GAO) recommendations.
• Goal of meeting/exceeding banking sector standards/best practices.
• Needs of a highly mobile examination and bank closing work force, who depend on laptops and instant access to large amounts of sensitive data.
• Significant electronic and paper data stores and sharing = ongoing concern about potential for data loss and identity theft.

Public expects FDIC to be a responsible steward of their data. Insured depositors can’t opt-out!

Page 18: HealtheVet Key Aspects

Privacy/Security Protection Efforts

FDIC’s risk-based strategy for protecting sensitive data includes array of management, technical and operational controls:

• FDIC Directives aimed at protecting sensitive information in paper or electronic form.
• Comprehensive security and privacy management programs and guiding frameworks.
• Continuous monitoring of threats to network and sensitive data.
• Incident management and response plan.
• Privacy/security requirements baked into system development lifecycle (SDLC) process and contracting process.
• Continuous assessment of new and existing agency programs and IT systems and applications for privacy/security risks.
• Use of rights management (Windows Active Directory).
• Mandatory awareness training for all employees and contractors.
  – 2008 Privacy Awareness Week

Page 19: HealtheVet Key Aspects

Privacy/Security Protection Efforts continued

Protecting sensitive electronic data in transit:

FDIC is a small agency with significant electronic data stores:
• By one estimate, over 10 times the electronic data than all the printed books and documents in the Library of Congress.

Engaged in continuous sharing of sensitive data between FDIC regional and headquarter offices; between FDIC and insured banks; and between FDIC and other federal financial regulators and state banking authorities.

Highly mobile workforce requires instant access to sensitive data both electronic and paper form:
• nearly 1,400 bank examiners in the field; bank closing teams.

Page 20: HealtheVet Key Aspects

Privacy Protecting Technologies

Protecting sensitive electronic data in transit:

• 100% of FDIC laptops encrypted (Pointsec)
• End to end and local data encryption enabled on all Blackberries
• Encryption of portable storage media (USB, CD/DVD) available from all FDIC desktops and laptops (Pointsec/Roxio)
• Entrust PKI encryption software available for email and data files
• PKZIP software available for encrypting data files to be shared external to FDIC

• Established with most federal regulatory and state banking authorities that FDIC communicates with on a regular basis. Current methods include:
• Transport Layer Security (TLS/ZixCorp)
• Encrypted dedicated lines
• VPN
• RCN via FDIC’s Extranet

• FDICconnect: secure website for conducting e-commerce with FDIC
• Soft token
• Extranet: allows B2B communications between FDIC and authorized business partners or individuals
• Encryption
• Authentication
• User certificates

• Provides a secure method for accessing the FDIC network from remote sites. Requires use of token (generates one-time password) and PIN number.
• VPN Citrix

Panel labels: Encryption; Secure Email; Communication Links; Secure web sites; Secure remote access

Page 21: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

Protecting sensitive paper data in transit and in store:

FDIC has significant stores and shipments of paper records containing sensitive information/PII:

• For example, FDIC records at Iron Mountain take up 2.4 million cubic square feet of space, making the agency one of its biggest customers. Additionally, thousands of paper records are stored at FDIC facilities across the country.

• Extensive shipment of paper records each month due to examination, bank closing and other mission critical activities (4,000 shipments each month).

FDIC UPS Quantum View: Due to experience with small number of lost boxes containing sensitive bank data, identified and deployed new system that provides automated, web based tracking of express mail shipments containing sensitive data. System sends alerts when a package is lost or damaged during shipment.

Privacy walk-throughs – on-going self assessment program that involves unannounced visits by privacy staff at all headquarter and regional offices to identify potential issues with protecting sensitive paper and electronic records stored in file cabinets and on electronic media (e.g., CD-roms).

Page 22: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

Protecting against sensitive data leakages: DLP

Data loss prevention (DLP): new wave of technologies and tools designed to detect and prevent the unauthorized transmission of sensitive information.

Software monitors the flow of sensitive information across the corporate network, including data in motion to internal and external sources, and both structured and unstructured data at rest.

• Identifies potential security concerns with transmitting PII and business sensitive information.

• Involves a rules based engine that can identify, flag, notify sender or stop transmission.

FDIC acquired a DLP solution in 2007 in response to OMB M-06-16 and M-07-16. Requires agencies to take concrete steps to identify and protect sensitive data.

Selected Vontu after review of top 3 DLP vendors in market based on Gartner. Decision based on price, flexibility, fit with our infrastructure, scalability.

Steps involved: Architect; purchase solution; configure and build solution; deploy solution; and transition to operational status.

Page 23: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

FDIC’s DLP program currently is focused on:

Social Security Numbers: finding and responding to any instances of unauthorized exposure and transmission of Social Security Numbers (SSNs) that could result in harm to an individual, FDIC employee, or the Corporation.

• Performing baseline scanning of network for any unencrypted outbound email/web traffic that contains SSNs (ability to scan for 27 other “policy families” including GLBA, HIPAA).

• Scanning of Windows Servers to find any instances of SSNs sitting on a file share that is open to any FDIC user.

Alerting FDIC employees about potential data leakages.

Managing incidents, including reporting to CSIRT and US CERT.

Developing awareness campaign in preparation for full implementation.

Page 24: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

Full deployment of DLP will enable FDIC to:

Initiate “active blocking”: provides ability to move beyond detection and monitoring and actually prevent unauthorized transmissions of sensitive data, including SSNs/PII, that can occur through outbound email traffic or web browsing.

Send automated email notifications to employees, alerting them of potential policy violation -- thereby reducing remediation overhead requirements and risk.

User release optional; forced encryption optional.

Ability to automatically hold messages and only release them when approved by the user or a manager.
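
The rules-based flow these DLP slides describe (find an SSN pattern in unencrypted outbound mail, apply a threshold, then notify the sender, flag or hold), sketched as an added Python example. It is not FDIC or vendor code; the function names, thresholds and sample messages are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# 3-2-4 digits; the separator (hyphen, space or none) must be the same in both gaps.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")
# Bare 9-digit runs are only counted when an SSN keyword appears just before them.
CONTEXT_RE = re.compile(r"ssn|social\s+security", re.IGNORECASE)

@dataclass(frozen=True)
class Policy:               # hypothetical thresholds, not values from the slides
    notify_at: int = 1      # distinct SSNs that trigger a sender notification
    hold_at: int = 3        # distinct SSNs that escalate to flag/hold
    active_blocking: bool = False  # False = detect and monitor only

def plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued, to cut false positives."""
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return the set of distinct plausible SSNs (digits only) found in text."""
    found = set()
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            continue
        before = text[max(0, m.start() - 40):m.start()]
        if sep == "" and not CONTEXT_RE.search(before):
            continue  # unformatted 9 digits with no SSN context: likely an ID or order no.
        found.add(area + group + serial)
    return found

def evaluate(message, policy=Policy()):
    """Decide what to do with one outbound message (dict with subject/body/encrypted)."""
    if message.get("encrypted"):
        return {"action": "allow", "matches": []}  # only unencrypted traffic is in scope
    hits = find_ssns(message.get("subject", "") + "\n" + message.get("body", ""))
    if len(hits) >= policy.hold_at:
        action = "hold" if policy.active_blocking else "flag"
    elif len(hits) >= policy.notify_at:
        action = "notify_sender"
    else:
        action = "allow"
    # Mask matches so the incident record does not become a second copy of the SSNs.
    return {"action": action, "matches": sorted("***-**-" + s[-4:] for s in hits)}

# Constructed sample messages (not real data).
SAMPLES = {
    "single": {"subject": "claim", "body": "Claimant SSN: 123-45-6789"},
    "bulk": {"subject": "list", "body": "123-45-6789, 234-56-7890, 345 67 8901"},
    "order": {"subject": "shipping", "body": "Order number 123456789 shipped"},
    "invalid": {"subject": "test", "body": "987-65-4321 and 000-12-3456"},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate(msg))
```
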

Page 25: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

Additional DLP solution on the horizon to protect structured data:

OMB M-06-16 (bullet 4) requires agencies to monitor extractions from enterprise databases.

Requirement is to provide transparency and accountability by monitoring the user request for PII information at the database level in a multi-tiered application (web server, business logic, and data repository).

FDIC has selected the Guardium technology that has both an agent resident with the database and a network observation appliance that permits the product to link the user requests to the database fields.

The product also provides integration into and auditing of PeopleSoft, Oracle, and SAP.

Page 26: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

9 things to consider when launching DLP tools:

1. Cost of appliances and services.
2. Technical staff and time to configure and operate system.
3. Determining information to flag (SSNs, other sensitive data) and threshold levels.
4. Identifying and training “data monitors” on how to use the tools.
5. Staff and process for handling increased number of incidents.
6. Performing policy and privacy reviews:
   • Acceptable Use Policy and computer log-in consent.
   • Privacy Threshold Analysis, Privacy Impact Assessment and Privacy Act System of Records.
7. Performing notifications/awareness:
   • Legal/HR/Union/Senior Management
   • Awareness campaign
8. Integrating with incident response processes (FDIC Privacy Incident Response Team and CSIRT).
9. The same tools can’t go backwards – can’t be used for forensics.

Page 27: HealtheVet Key Aspects

Privacy Protecting Technologies cont.

Final thoughts about DLP…

• Can have the best policies, procedures, and technologies in place – people will still make mistakes.
• DLP can help protect people from accidentally leaking sensitive data that could pose the risk of identity theft and serious disciplinary actions.
• Based on research (e.g., The Hartford) and own experience to date, once people know that the tools are out there, see an immediate impact/drop in issues (even at the result of a phone call!). DLP increases awareness among employees, who don’t realize they’re doing something wrong (e.g., attempting to send unencrypted emails with sensitive agency information).
• In the event of worst case scenario, the incident is known almost immediately, so that appropriate reporting and breach management can occur.

Page 28: HealtheVet Key Aspects

eServices: Navigating Disclosure Issues

Presented to the Federal Privacy Summit
October 23, 2008

Merging Heritage & Horizon at the Social Security Administration

Steve Kautsch
Associate Commissioner for Systems Electronic Services, Office of Systems

Page 29: HealtheVet Key Aspects

eService Timeline

From its inception, Privacy considerations have shaped the program
We provide 18 Internet and automated 800# eServices for the

[Timeline figure, 1994 to 2007. Labeled events: SocialSecurity.Gov is launched; First online eService, Personal Earnings and Benefit Estimate Statement (mailed PEBES); iRIB retirement application; Online wage reporting; 800# interactive voice response; 1 millionth email inquiry; 1 millionth online retirement claim; VA laptop stolen; PEBES Taken Down]

Page 30: HealtheVet Key Aspects

Key Privacy Principles

• Right of individuals to easily access their records that are held by others, and

• Obligation of record holders to protect personal information from unauthorized and improper disclosure

Page 31: HealtheVet Key Aspects

SSA’s eServices Program Objectives

1) Fulfill the rapidly growing expectation for convenient, effective and secure electronic service delivery options for the public and our business partners; and

2) Provide better service to all our clients by offsetting projected workload growth as the baby boomers reach their retirement and disability prone years.

Page 32: HealtheVet Key Aspects

The Silver Tsunami

[Chart: Insured Individuals (Non-Disabled) Reaching Age 63 (Average Retired Worker Entitlement Age) in 2000 Through 2030. Vertical axis: Thousands of Individuals (0 to 4,000); horizontal axis: years 2000 to 2030. Annotations: Born 1946 -- Start of Baby Boom; Born 1965 -- End of Baby Boom.]

Source: Social Security Office of the Actuary

Page 33: HealtheVet Key Aspects

Challenges We Face

• 80 million Boomers will reach their disability prone years and retirement age, over the next two decades; about 10 thousand per day

• Retirement claims will increase by 40% and disability claims by 10% over the next decade

• Disability claims are SSA’s largest operational workload

• 40% SSA employees will be retirement eligible by 2010

Page 34: HealtheVet Key Aspects

Baby Boomers Online

The number of Internet users age 55+ is roughly the same as those who are aged 18 to 34.

There are 78 million baby boomers—roughly three times the number of teenagers—and most of them are Internet users who learned computer skills in the workplace (NY Times, 9/12/07).

Page 35: HealtheVet Key Aspects

Security Threats

Software
• Malware: Worms, Trojans, Rootkits, Logic bomb, Persistent-Bots, spyware, etc.
• Spoofing and Masquerade
• Spamming
• Missing security patches
• Web application security exploits i.e. SQL injection
• Key-logging

Page 36: HealtheVet Key Aspects

Security Threats

Hardware
• Key-logging
• USB thumb drives
• Web-Architecture
• Lost laptops/Blackberries

Physical
• Shoulder surfing
• Insider attacks (employees)
• Social Engineering

Page 37: HealtheVet Key Aspects

Architectural Safeguards

• Robust Internet Architecture: DMZ/Firewalls
• State of the art Application Authentication and Authorization (ACU)
• Communication over SSL/TLS
• Data from US-CERT (United States Computer Emergency Readiness Team)
• National Vulnerabilities Database (NVD) – 15,000 vulnerabilities catalogued
• Penetration testing
• Intrusion detection

Page 38: HealtheVet Key Aspects

Internet Project Life Cycle

• Business Risk Assessment
• Project-specific Risk Assessment
• Security Risk Assessment
• Authentication Risk Assessment
• Privacy Impact Assessment

Page 39: HealtheVet Key Aspects

Authentication

To securely move work online, we must be able to remotely determine the user really is who they claim to be.

E-Authentication consists of 3 steps:
– Registration with identity proofing
– Issuing of credentials
– Authenticating the credential

OMB/NIST Guidance:
– Level 1: Little or no authentication required
– Level 2: Some assurance required
– Level 3: High level of assurance required
– Level 4: Absolute certainty required

Page 40: HealtheVet Key Aspects

Authentication Challenges

Level 2:
• Knowledge-Based Authentication
• PIN/Password
• Federated model: E-Authentication Pilot

Level 3:
• Two-Factor Authentication

Risk Mitigation Features

Page 41: HealtheVet Key Aspects

Risk Mitigation Strategies

• Privacy Expert Consultations
• External Stakeholder Involvement
• Congressional Briefings
• Social Security Advisory Board
• National Academies of Sciences Report

Page 42: HealtheVet Key Aspects

Closing Thought

“…even though SSA came under criticism for making personal information available on the Internet, the agency was attempting to uphold one of the most important privacy principles - the right of individuals to get access to their own records held by others, to ensure that the information is accurate and complete, and to make corrections if necessary. In the area of Social Security contributions, this is particularly important for American taxpayers. Privacy laws are not just about restricting access to personal information. They also require that organizations in possession of personal information make sure that the individuals to whom the information relates are able to get access to their data easily and cheaply. If SSA is to be faulted, it should not be for their effort to make the PEBES more readily available.”

Marc Rotenberg, Executive Director, Electronic Privacy Information Center, Testimony before the House Committee on Ways and Means, Subcommittee on Social Security, 1997