The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor and sophistication in cybersecurity risk management processes, how well integrated cyber risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information from external parties.

The use or disclosure of PHI involves no more,
An adequate plan to protect the identifiers from,
An adequate plan to destroy the identifiers at,
Adequate written assurance that the PHI will not,
Statement IRB or PB determined the alteration or,
A brief description of the PHI for which use or,
A statement that the alteration or waiver of,
Signature of the chair or other member, as,
Request use of the minimal necessary information,
No re-use or sharing of data without approvals,
VHA Handbook 1605.1 states that contacting,
HHS states that the Preparatory to Research,
A description of the information to be used or,
Not so much a difference but a clarification,
VHA research is conducted inside a single covered,
VHA and HHS require a DUA for use of limited data,
ORD policy will additionally require a DUA for,
Purpose: To balance the government's need to,
Background: Watergate era and Congress concerned,
Curbing illegal surveillance investigations,
Potential abuses presented by governments,
Restrict disclosure of personally identifiable,
Increased rights of access to agency records,
The right to seek amendment of agency records,
Establish code of fair information practices for,
Agencies that maintain a system of records "shall,
Systems of Records (SOR): A group of records,
Category of individuals covered by the system,
Retrievability (name, numbers or identifier),
34VA12 -- Veteran, Patient, Employee, and,
121VA19 -- National Patient Databases - VA,
All release/disclosure of information must be,
Investigators cannot release information to,
Written permissions/authorization from individual,
Release of information is through the Privacy.
Links to all Federal statutes, regulations,
To err is human and to blame it on a computer,
OMB requires reporting of an incident within 1,
US-CERT (US Computer Emergency Readiness Team) is,
Suspected and confirmed breaches must be reported,
Others (Your facility may require reporting to,
ISO will report it to the VA Security Operations,
Privacy Officer will enter it into the Privacy,
VA-SOC will notify US-CERT and key VHA/VA officials,
VA information may not reside on non-VA systems,
Federal Information Security Management Act of,
Consult with supervisors/obtain permission,
Consult with supervisor and ISO to ensure that,
Laptops, external hard drives, or other storage,
Contains sensitive/protected information (VAPI),
Same confidentiality classification as originals,
Laptops/portable media must NOT contain the,
VAPI stored on computers or other storage media,
Password or other authentication information,
Do not store on remote systems unless encrypted,
Data cannot be transmitted by remote access,
Protocols contain sufficient information on,
Will it remain within VA? If not, will all data,
Disposition of the data after protocol completed),
Allowing access only to authorized individuals,
Safeguarding laptops, portable drives, flash,
Ensuring all contracts, DUAs, and BAAs contain,
Encrypting/password protecting all sensitive data,
VA Directive 6504 Waiver of requirements,
Granted only by the VA Chief Information Officer.

Cybersecurity = Trust = Business Value. Cyber is a compelling business differentiator.