Patients' Data on Stolen Laptop Identity Fraud Not Likely, NIH Says
By Ellen Nakashima and Rick Weiss, Washington Post Staff Writers, Monday, March 24, 2008; Page A01

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy.

...

"The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data," said Leslie Harris, executive director of the Center for Democracy and Technology. "If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."
FISMA - ISAO/ODCIO
The Problem

The external research community (grantees and contractors) perceives that FISMA information security requirements are being unevenly applied by and within Federal agencies. This perception was communicated to NIH Senior Management.

For example:
- Background Investigations
- Grant and Contract Information Security clauses

What's Needed

Provide a current, consistent, accurate message to NIH staff involved in acquisitions.
FISMA Legislation
Federal Information Security Management Act (FISMA)
"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source."
-- Federal Information Security Management Act of 2002
-- Title III of the E-Government Act of 2002
FISMA applies to NIH information and information systems regardless of their location, including:
- Information technology (IT) equipment incidental to a Federal contract (incidental IT equipment had been excluded under the Clinger-Cohen Act)
- Externally hosted web sites
- Clinical trials
- Services, e.g. consultants, programmers, maintenance
- BPAs
- Purchase Orders, Credit Card Purchases, etc.
OMB Memoranda
NIST
IC Acquisition Team
- Project Officer
- Administrative Staff
IC Project Officer
- Categorizes data according to FIPS 199/NIST SP 800-60 (Confidentiality, Availability, Integrity)
- Assigns overall Information Security Level to project
- Determines Suitability Level (background investigation) for contract staff working on project
- Communicates contract staff accessions & departures to Admin. Staff and ISSO
- Includes security requirements in acquisition
- Ensures that contract staff meets security-related training requirements
- Consults with IC ISSO on information security issues
- Conducts annual Risk Assessment -- FIPS 200/NIST SP 800-53
- Conducts Privacy Impact Assessment
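The first two Project Officer duties above follow a fixed rule: FIPS 199 rates each information type for confidentiality, integrity and availability, the system's rating for each objective is the highest rating of any information type it handles, and FIPS 200 then takes the high-water mark across the three objectives to select the NIST SP 800-53 baseline. The Python below is an added example written for this page, not NIH code or a NIST tool; the information types, their impact values and the `InfoType`/`categorize_system` names are constructed for illustration (NIST SP 800-60 supplies provisional values for real information types).

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() gives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type the system stores or processes, with its impact
    levels. Hypothetical structure; real projects take provisional values
    from NIST SP 800-60 and adjust them for the specific project."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


def categorize_system(info_types: Iterable[InfoType]) -> dict:
    """FIPS 199 system categorization: for each objective, the system's impact
    is the highest impact of any information type it handles. Returns
    {objective: (Impact, name of the information type that drives it)} so the
    acquisition team can see which data is pushing the level (and the cost) up."""
    types = list(info_types)
    result = {}
    for obj in OBJECTIVES:
        driver = max(types, key=lambda t: getattr(t, obj))
        result[obj] = (getattr(driver, obj), driver.name)
    return result


def overall_level(system_cat: dict) -> Impact:
    """FIPS 200 high-water mark: the overall level that selects the
    NIST SP 800-53 baseline is the highest impact across C, I and A."""
    return max(level for level, _ in system_cat.values())


def security_category(system_cat: dict) -> str:
    """Render the result in the notation FIPS 199 uses, e.g.
    SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    parts = ", ".join(f"({obj}, {system_cat[obj][0].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed example: a clinical-trial data system like the one in the
# stolen-laptop story. The impact values are illustrative, not NIH's.
EXAMPLE_INFO_TYPES = [
    InfoType("participant records (name, age, diagnosis, scan details)",
             Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    InfoType("public study enrollment web pages",
             Impact.LOW, Impact.LOW, Impact.LOW),
    InfoType("de-identified aggregate results",
             Impact.LOW, Impact.MODERATE, Impact.LOW),
]

if __name__ == "__main__":
    cat = categorize_system(EXAMPLE_INFO_TYPES)
    print(security_category(cat))
    for obj in OBJECTIVES:
        level, driver = cat[obj]
        print(f"  {obj}: {level.name} (driven by: {driver})")
    print("overall level:", overall_level(cat).name)
    # One HIGH information type is enough to raise the whole system to HIGH,
    # which is where the acquisition cost jumps: the high baseline applies.
    with_alerts = EXAMPLE_INFO_TYPES + [
        InfoType("investigational drug safety alerts",
                 Impact.LOW, Impact.HIGH, Impact.HIGH)]
    print("with safety alerts:", overall_level(categorize_system(with_alerts)).name)
```

Because the overall level is a maximum, not an average, adding a single high-impact information type to a system raises the required controls for the whole system; splitting that data into its own system is the usual way to keep the rest of the acquisition at a lower level.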
IC Administrative Staff
- Ensures security measures are included in acquisition package
- Privacy Impact Assessment (confidentiality)
- System of Records Notice (SORN), if applicable
- Disability Act requirements for web pages (availability)
- Employee ID Badge issue and return
- Consults with IC ISSO on information security issues
- ... acquisition execution to ensure applicable information security requirements are being met
- Reports security-related incidents to NIH IRT
IC Privacy Officer
- Facilitates obtaining a SORN if needed
- Ensures Privacy requirements are met when PII is part of the system
- Answers Privacy-related questions
- Must be notified when there is a breach or suspected breach of a system containing PII
- NIH Senior Official for Privacy is part of the NIH Breach Response Team
Security-related Decisions
- Information Categorization: level of security needed for the acquisition
- Security Plan, Continuity & Disaster Recovery Plan, System Test and Evaluation (ST&E)
- Security Plan, Annual System Security Assessment, Risk Assessment, Continuity Plan, other C&A documents
OMB Memoranda
Federal Desktop Core Configuration (FDCC)
- Applies to IE-7 operating on Windows XP or Vista
- Standard installation, operation, maintenance, update, and/or patching of software shall not alter configuration settings from the approved FDCC configuration
- Applications (software systems) designed for normal end users shall run without elevated system administrator privileges
- Part 39 of the FAR will be revised to incorporate these requirements when acquiring technology
OMB M-07-16
Subject: Safeguarding Against and Responding to the Breach of Personally Identifiable Information
Issued: May 22, 2007
Target Date: 120 days from Issue Date
Affects: All Federal Information and Federal Information Systems (electronic or paper)
Must notify the NIH CISO within one hour of discovering suspected and/or confirmed breaches of PII data/information.
OMB M-06-16
Subject: Protection of Sensitive Agency Information
Issued: June 23, 2006
Target Date: 45 days from issue date
- Encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the Deputy Secretary or their designee.
- Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.
- Use a time-out function for remote access and mobile devices, requiring user re-authentication after 30 minutes of inactivity.
- Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or that its use is still required.
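The last M-06-16 requirement is a recurring check rather than a one-time setting: every logged extract of sensitive data either gets erased within 90 days or its continued use is re-confirmed, and an extract that was erased late is still a finding. The Python below is an added example for this page, not NIH's or OMB's code; the log layout (extract ID, extraction date, sensitivity flag, erasure date, date of the last written re-confirmation) and the six records are constructed assumptions, as is the `audit_extracts` name.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class ExtractRecord:
    """One logged extract of computer-readable data from a database holding
    sensitive information. The fields are what this example assumes the
    extract log keeps; they are not column names from the memo."""
    extract_id: str
    extracted_on: date
    sensitive: bool                            # did the extract include sensitive data?
    erased_on: Optional[date] = None           # when the extract was destroyed, if it was
    still_required_on: Optional[date] = None   # last written confirmation that use continues


def audit_extracts(log, today: date, max_age_days: int = 90) -> dict:
    """Check each logged extract against the 90-day rule: an extract holding
    sensitive data must be erased within max_age_days of extraction (or of the
    most recent written confirmation that it is still required), otherwise it
    is a finding. Returns extract IDs grouped by result."""
    window = timedelta(days=max_age_days)
    findings = {"overdue": [], "erased_late": [], "compliant": [], "out_of_scope": []}
    for rec in log:
        if not rec.sensitive:
            # The memo's verification step applies only to extracts including sensitive data.
            findings["out_of_scope"].append(rec.extract_id)
            continue
        # The clock runs from extraction or from the latest re-confirmation.
        clock_start = max(d for d in (rec.extracted_on, rec.still_required_on) if d is not None)
        if rec.erased_on is not None:
            bucket = "erased_late" if rec.erased_on - clock_start > window else "compliant"
        else:
            bucket = "overdue" if today - clock_start > window else "compliant"
        findings[bucket].append(rec.extract_id)
    return findings


# Constructed extract log; dates are chosen around the March 2008 date of the
# story that opens this deck. None of these are real NIH records.
TODAY = date(2008, 3, 24)
EXTRACT_LOG = [
    ExtractRecord("EXT-001", date(2008, 1, 10), True, erased_on=date(2008, 2, 15)),         # erased after 36 days
    ExtractRecord("EXT-002", date(2007, 12, 1), True),                                        # 114 days old, never erased, never re-confirmed
    ExtractRecord("EXT-003", date(2007, 11, 20), True, still_required_on=date(2008, 2, 20)),  # use re-confirmed 33 days ago
    ExtractRecord("EXT-004", date(2007, 10, 1), False),                                       # no sensitive data in the extract
    ExtractRecord("EXT-005", date(2008, 3, 1), True),                                         # 23 days old, still inside the window
    ExtractRecord("EXT-006", date(2007, 9, 1), True, erased_on=date(2008, 1, 15)),            # erased, but only after 136 days
]

if __name__ == "__main__":
    for bucket, ids in audit_extracts(EXTRACT_LOG, TODAY).items():
        print(f"{bucket:13s} {', '.join(ids) or '-'}")
```

Run on a schedule, the "overdue" bucket is the list the Project Officer has to chase before the next assessment; the "erased_late" bucket is what an auditor will ask about even though nothing is outstanding. The check is only as good as the log, so extract logging has to happen at the database side, not on the honour system.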
Acquisition Language
(3) Departing employees: Provide the name, position title, and security clearance level held by or pending for the individual. Perform and document the actions identified in the "Contractor Employee Separation Checklist", of this acquisition, when a contractor/subcontractor employee terminates work under this acquisition. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.
Personally Identifiable Information (PII) Notification of Data Breach
The successful offeror shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH CISO within one hour of discovering the incident by using one of the following two forms:
- NIH PII Spillage Report: http://irm.cit.nih.gov/security/PII_SpillageReport.doc
- NIH Lost or Stolen Assets Report: http://irm.cit.nih.gov/security/Lost_or_Stolen.doc
The notification requirements do not distinguish between suspected and confirmed breaches.
All data at rest and in transit, unless the data is determined to be non-sensitive in writing by the NIH CIO or his/her designee, shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored.
... regs.
- Be consistent when applying security language
- Acquisition team communication is essential
- Keep abreast of new information security requirements
- Security decisions can affect acquisition cost
- If you don't know, ask; don't guess
- The only real constant is change
- Reasonableness test
FISMA In Acquisitions
Questions?
Contacts:
... mitchell@mail.nih.gov
Raymond Dillon, OAMP, dillonr@mail.nih.gov