•INFORMATION SECURITY

•DATA QUALITY

To assure the Validity, Timeliness,,Completeness, and Reliability of Data

•EFFECTIVE DATA USAGE

To convert data into information and providedcorrect information to support businessoperations and decision making.

=

INFORMATION ASSURANCE

To protect information from unauthorizedaccess, manipulation, corruptiondestruction and denial of data invadingprivacy

MILITARY HEALTH SYSTEM (MHS)

Marco Johnson,

Chief, Data ArchitectureDepartment of Defense Health Affairs,TRICARE Management Activity, Information

Management, Technology, and Re-engineering

marco.johnson@tma.osd.milhttp://www.hirs.osd.mil/hdp

INFORMATION ASSURANCE CONCEPT

•Personnel Selec tion/ Certific ation

INF OR MAT IONASSU RANCE

•Security C learance

•Sys tem S ecurity•Access Controls

DA TA USAGE

INFORMATION ASSURANCE

HEALTH AFFAIRS

Military Health

Functional Area Models

Activity

Data

Object

Process

EXTERNAL INITIATIVES

INTERNAL INITIATIVES

PROCEDURESBEST

PRACTICES

ROLES ANDRESPONSIBILITIES

Partial list:

• Data Interchange Standards Association

• Health Information Portability and Accountability Act Data Committee

• American National Standards Institute, Healthcare Informatics Standards Board

• Accredited Standards Committee X12 & Health Level 7

• Organization for Economic Cooperation and Development

• Workgroup for Electronic Data Interchange

• Association for Electronic Health Care Transactions

• National Information Assurance Partnership

• National Research Council

• National Committee on Vital & Health Statistics

REQUIREMENTS

APPLICATIONDEVELOPMENT

IMPROVEDCARE OUTCOMESCUSTOMER SATISFACTIONRESOURCE USE EFFICIENCYCOST REDUCTIONCOMMUNICATIONOPERATIONAL EFFICIENCY

• Department of Defense cross- functional projects

• Government Computer-Based Patient Record

Military Health System

Model Progression

WHY RISKSThreats to National Security Information Warfare

Limits Medical Research

Compromised Care

Unauthorized access,manipulation/corruption,destruction/denial of data

Stolen secrets andcomputer crime

Interference with Supportof theWar Fighter

Jeopardized nationaland economic security

Damage to nationaland international communication systems

WHY

PATIENTS RIGHTS

Consent for the collection, use, and sharing of personal health information

Individuals have a right to know who is collecting the data, for what purpose,

where the data originated , and who will receive it

Access rights

Right to have incorrect information rectified.

Protection against accidental/unlawful destruction of data/unauthorized access

Protection against tampering

Principle of disclosure (user informed when personal information is collected on

the Internet)

Principles of Informed Consent

SECURITY AND PRIVACYBusiness Model

A0 - Health Data Security & Privacy

A1Management Controls

A2Technical Controls

A3Environmental Controls

A4Personnel Controls

SECURITY AND PRIVACYBusiness Model

Health Care Data Security & Privacy

ManagementControls

TechnicalControls

Personnel Controls

•Standards

•Policies Development/ Enforcement

•Procedures

•Awareness and Training

•Accreditation/Certification

•Testing

•Management Controls

•Monitoring/Incident Reporting

•Audits

•Access Policies

•Contingency Planning

• Continuity of Support

•Consent/Inspection/DisclosureRequirements

•Audits Trails

•User ID/ Passwords

•Firewalls

•Cryptography

•Access Controls

•Digital signature

•Public key infrastructure (PKI)

•Anti-Virus Protection

• Electronic Transactions/CodeSets

•System Security

•Application Security

• Locks

• Physical Barriers

• Alarms

• Surveillance

• Incident Reporting

• Physical AccessControls

• Guards/Badges

• SecurityChecks

• SecurityClearances

• PositionSensitivityDesignations

Environmenta l Controls

Department of Defense Military Health System

To provide the necessary policy, guidance, and tools to assist in the development, implementation, and enforcement of actions to assure information security and privacy, data quality, and appropriate data usage

INFORMATION ASSURANCE

GOAL