Department of Health and Human Service - PowerPoint Presentation

Uploaded by thegagn (@thegagn) on 2020-08-28



Presentation Transcript

Slide1

Department of Health and Human Services Office of Information Security

Dr. Kevin Charest
Department of Health and Human Services
Chief Information Security Officer

Slide2

Agenda

Department of Health and Human Services Office of Information Security
Establishment of a Governance Body - The HHS CISO Council
Building in Governance - The HHS Privacy Program
Applying the Governance Model to Enable Cloud Security

Slide3

HHS consists of the Office of the Secretary (OS) and 10 decentralized Operating Divisions (OpDivs)

HHS Operating Divisions
ACF - Administration for Children & Families
ACL - Administration for Community Living
AHRQ - Agency for Healthcare Research & Quality
CDC - Centers for Disease Control & Prevention
CMS - Centers for Medicare & Medicaid Services
FDA - Food & Drug Administration
HRSA - Health Resources & Services Administration
IHS - Indian Health Service
NIH - National Institutes of Health
SAMHSA - Substance Abuse & Mental Health Services Administration

Office of the Secretary
ASA - Assistant Secretary for Administration
ASFR - Assistant Secretary for Financial Resources and Technology
ASH - Assistant Secretary for Health
ASL - Assistant Secretary for Legislation
ASPE - Assistant Secretary for Planning and Evaluation
ASPR - Assistant Secretary for Preparedness and Response
ASPA - Assistant Secretary for Public Affairs
OCR - Office for Civil Rights
IEA - Intergovernmental and External Affairs
DAB - Departmental Appeals Board
OGA - Office of Global Affairs
OIG - Office of Inspector General
OMHA - Office of Medicare Hearings and Appeals
ONC - Office of the National Coordinator for Health IT
CFBNP - Center for Faith Based and Neighborhood Partnerships
OGC - Office of the General Counsel

The HHS Office of Information Security (OIS) is under the purview of the Assistant Secretary for Administration

Slide4

Each Operating Division has a unique culture based on various missions, which drives their views on security and privacy

OpDiv - Name: Mission
ACF - Administration for Children & Families: ACF is responsible for 60+ programs that promote the economic and social well-being of children, families and communities, including TANF, Head Start, etc.
ACL - Administration for Community Living: ACL serves to maximize the independence, well-being, and health of older adults, people with disabilities across the lifespan, and their families and caregivers.
AHRQ - Agency for Healthcare Research & Quality: AHRQ supports research on health care systems, health care quality and cost issues, access to health care, and effectiveness of medical treatments.
CDC - Centers for Disease Control & Prevention: CDC provides a system of health surveillance to monitor and prevent disease outbreaks (including bioterrorism), implement disease prevention strategies, and maintain national health statistics.
CMS - Centers for Medicare & Medicaid Services: CMS administers the Medicare and Medicaid programs, which provide health care to almost one in every three Americans.

Slide5

OpDiv - Name: Mission
FDA - Food & Drug Administration: FDA assures the safety of foods and cosmetics, and the safety and efficacy of pharmaceuticals, biological products, and medical devices.
HRSA - Health Resources & Services Administration: HRSA provides access to essential health care services for people who are low-income, uninsured or who live in neighborhoods where health care is scarce.
IHS - Indian Health Service: Working with tribes, IHS provides health services to 1.8 million American Indians and Alaska Natives of more than 560 federally recognized tribes.
NIH - National Institutes of Health: NIH includes 27 separate health institutes and centers, supporting over 38,000 research projects nationwide. Established: 1887, as the Hygienic Laboratory, Staten Island, N.Y. Headquarters: Bethesda, Md.
SAMHSA - Substance Abuse & Mental Health Services Administration: SAMHSA works to improve the quality and availability of substance abuse prevention, addiction treatment and mental health services.

Slide6

The HHS Office of Information Security (OIS) oversees a decentralized information security environment


Slide7

Establishment of a Governance Body

Slide8

Establishment of a Governance Body - The HHS CISO Council

The HHS CISO Council provides a foundation for implementing information security governance under the current HHS operating model.

The CISO Council also:
Addresses and evaluates information security needs of the Department;
Establishes strategic vision and recommends operational actions that minimize the documentation of effort and ensure interoperability and transparency;
Serves as a forum for reviewing risk-based decisions to improve the overall information security posture of HHS.

Slide9

CISO Council Policy Collaboration Process

The policy collaboration process was developed to support the information security governance approach.

Goal: Use the CISO Council as a forum to build consensus and accelerate the policy review and approval process.

How the process works

Intended Outcome: Policies are released into review that have already been vetted by authorized representatives of each OpDiv.

Slide10

Building Governance into the Program

Slide11

The HHS Privacy Program has consistently aligned with the maturity of federal law and guidance to date

HHS Privacy Program timeline:
HHS creates privacy workstream in response to E-Government Act and OMB M-03-22.
HHS CIO officially designated SAOP (created in response to M-05-08).
OMB releases M-06-22 and M-07-16 in 2006 and 2007.
HHS CIO creates the HHS PIRT to respond to incidents involving PII.
HHS develops the Information Security and Privacy Policy and Handbook, implementing CIO Council best practices.
HHS is in the process of conducting a compliance gap analysis and updating HHS policy to reflect Appendix J.

Slide12

The new HHS Privacy Policy identifies responsibilities for the SAOP and Privacy Practitioners throughout the Department

The following are the primary oversight activities of the HHS SAOP:
Collaborates and coordinates with other privacy stakeholders (e.g., Privacy Act Officer, Privacy Policy Advisor and Operating Division (OpDiv) Senior Officials for Privacy) to implement compliance initiatives;
Jointly with General Counsel, provides advice and guidance on proposed regulations/policies and issuing guidance;
Coordinates with the Data Integrity Board and provides privacy guidance when reviewing HHS and OpDiv computer matching agreements; and
Chairs monthly, weekly, and ad-hoc Privacy Incident Response Team (PIRT) meetings.

The HHS CISO and the OS CISO oversee many duties on behalf of the HHS SAOP given the inherent partnership between Information Security and Privacy.

Slide13

HHS Privacy Program Structure

HHS CISO - Privacy Program Structure
1. Leadership and Policy
2. Compliance and Risk Management
3. Enterprise Privacy Integration
4. Privacy Incident Management
5. Privacy Training and Awareness
6. Assurance and Continuous Monitoring

The HHS Privacy Program is centralized under the HHS Senior Agency Official for Privacy

Frank Baitman - HHS Chief Information Officer, Senior Agency Official for Privacy
Kevin Charest, PhD - HHS Chief Information Security Officer (CISO)
Johnny E. Davis Jr. - HHS Deputy CISO, OS Deputy CISO
Maya Bernstein, JD - Privacy Policy Advisor
Beth Kramer, JD - HHS Privacy Act Officer
Julia White, JD - HHS Privacy Director
Operating Division Senior Officials for Privacy
Privacy Incident Response Team (PIRT)

Slide14

HHS Privacy Program Showcase: Privacy Incident Response Team (PIRT)

The HHS PIRT uses HHS Computer Security Incident Response Center (CSIRC) daily and weekly reports to provide data for several privacy incident reports.

These reports:
Facilitate PIRT oversight;
Validate privacy incident/breach data;
Provide consistent metrics for OpDiv Incident Response Teams (IRTs) and the PIRT; and
Allow the PIRT to identify trends and communicate solutions.

Reports are reviewed by the SAOP to evaluate the risk to PII and to coordinate with OpDivs regarding an appropriate response.

Slide15

Applying the Governance Model

Slide16

Applying the Governance Model to Enable Cloud Security

In response to Cloud First and the HHS Cloud Strategy, OIS leveraged the Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) process to integrate cloud security across HHS and develop a collaborative and transparent agency-wide cloud security ATO process.

FedRAMP is a “perform once, use many times” framework to save on the cost, time, and staff required to conduct cloud security assessments.

The HHS OIS Cloud Security Team, working with the FedRAMP PMO and with sponsorship from HHS OCIO Leadership, collaborated with the HHS Operating Divisions to develop the HHS FedRAMP ATO Process.

Diagram: FedRAMP Option / Agency Option; FedRAMP ATO / HHS Agency ATO

Slide17

Demonstrating Results through Governance and Stakeholder Engagement

The HHS OIS Cloud Security Team was established and began collaborating with OpDivs, the FedRAMP PMO, and Cloud Service Providers to securely assess cloud solutions that could be used within HHS and other agencies.

Using this process, HHS was the first agency to grant a FedRAMP Agency ATO to a cloud service provider.

Slide18

Contact Information

Dr. Kevin Charest
HHS Chief Information Security Officer
Office of the Chief Information Officer
U.S. Department of Health and Human Services
200 Independence Avenue
Washington, DC 20201
Kevin.Charest@HHS.gov