Approving the staff resources and supporting costs needed to establish a County Security and Privacy Program and complete an organizational assessment will require an allocation of $681,221 in FY 2015, assuming positions are funded as of March 1, 2015, and $1.9 million annually. Based on the magnitude of this action, the Administration is recommending that this item be included in the Mid-Year review scheduled for early February 2015. When measured against other competing priorities, if the Board chooses to fund this program, resources will be allocated from the reserve for future operations in FY 2015. In FY 2016, annualized funding for this function will be included in the Recommended Budget.
REASONS FOR RECOMMENDATION
The Administration is recommending a two-step process that initially asks the Board to conceptually approve the staff resources and the implementation plan. If the Board decides to move forward with the approach presented by the Administration, staff will return with implementing ordinances and budget modifications during the Mid-Year review.
Since late 2013, the Administration has been exploring best practices regarding privacy and security and discussing internally the steps needed to assess the status of the County organization in terms of where we are and where we should be. The obvious question is why should this be a priority for Santa Clara County?
· Laws and Regulations: There are an increasing number of laws and regulations that regulate the use of personally identifiable information (PII) and electronic protected healthcare information (ePHI) that carry substantial financial penalties for non-compliance. These laws and regulations require the establishment of policies and procedures that govern how this information is managed and expects that staff are trained and educated about these policies. The laws also require annual risk assessments of all organizations who may handle ePHI. Santa Clara County has several departments requiring annual risk assessments including DCSS, the Department of Corrections, Sheriff’s Department, EOD, Protective Services, ISD, Valley Medical Center, HR/ESA and County Counsel. The regulations, statutes and standards include HIPAA, Payment Card Industry, California State laws, the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) standards, 42 CFR, and IRS 1075 non-inclusively.
· Protection: Respect for client/customer security and privacy is a critical issue in today’s world. The public is increasingly frustrated with privacy breaches every day in the headlines and they expect that government is doing everything reasonable and responsible to safeguard their PII.
· Increasing Audits: Audits by regulatory agencies are increasing in frequency and scope. Penalties for data loss are increasing in dollar value and frequency. It is expected that policies and procedures are created, documented and adhered to in the job functions and processes provided within the County. Auditors expect these artifacts and review the process, knowledge and training to ensure compliance.
· Advancing Open Data and Digitizing Information: Santa Clara County has increased its web presence and digitization of sensitive information through the deployment of EPIC at the Valley Medical Center, contract engagements with cloud service providers, and expansion of use of web sites and social networking sites. The demands from the public, other government entities and business partners to have access to digital information is increasing, to be more proactive in proving this data the need to handle security and maintain privacy will be crucial. The transmission of sensitive data, although already encrypted in transit, is a target by adversaries such as hackers, hacktivists, cyber criminals and fraudsters.
· Advancing Mobility: Mobile device usage has increased exponentially over the past 5 years as has electronic data creation. The location and subsequent protection of sensitive County data is a priority.
In June, the Administration presented the Finance Committee and subsequently the full Board with a detailed plan laying out the steps that would be needed to execute an organizational assessment that will identify the policies, procedures and program that needs to be implemented in order for the county to be compliant with current statutes and rules related to privacy and security. At that time, the Administration indicated that it would present a more detailed plan of how this plan would be implemented. The County Executives’ Office has worked with Jeff Bardin, the Interim County Chief Information Security Officer and Joyce Wing, the Chief Information Officer, to evaluate the privacy and security gaps that currently exist within the County and recommend the most productive allocation of resources to sustain the progress we have made and further assess the gaps in our management of PII and ePHI moving forward. In addition, it is essential to provide the needed assistance to County resources to operationalize the policies, practices and training required to ensure overall protection in the implementation and maintenance of systems and processes. The discussion below provides additional insight and detail regarding the plan being presented for the Board’s consideration.
Designing how Santa Clara County moves forward in this highly dynamic and rapidly changing policy area has proved to be a difficult question. In reviewing privacy and security, it is important to recognize there are different components in this policy area that have to be considered:
Information Security - is a major issue for any large organization. Santa Clara County has been fully engaged in addressing this issue for several years. We have made some progress in identifying needs but have lacked the resources to effectively implement a comprehensive information security program. We have assessed the organization and have a good idea of where the gaps are and what has to be done to improve information security. Mr. Bardin has done a great deal of work identifying the steps needed to improve our existing systems and developing protocols for incorporating necessary information security concepts in the design of each new system that is considered for implementation by the County. The next logical step is to fund the resources to put the plan in place.
Privacy and Security in the Health Care Setting – As the Board is aware, we have taken steps to strengthen our Ethics and Compliance function in the Health and Hospital System and have made progress in addressing requirements relating to electronic health personal information (ePHI), a major consideration with the implementation of EPIC/Healthlink, our electronic medical record system. We have done a comprehensive assessment and are moving forward implementing a plan to mitigate the most significant gaps in this critical area. Once again, resources are an issue that we need to address in order to educate and train staff in the Health and Hospital system and implement procedures that will improve our effort and performance in this area. Some of the resources that will be identified later in this report are to be allocated within the Health and Hospital system to address the gaps identified by the work that has already been done to identify issues that need to be addressed.
Privacy Issues in the rest of the County - This is an area where we have made the least progress. There are a variety of issues surrounding the use of surveillance cameras and other technologies that needs further review in order to develop policies and procedures, so we are operating in compliance with various rules and statutes.
Operations - This is an area where we have relied on the operational staff to implement and maintain the existing policies and procedures, but we have not had the resources to ensure what has been completed or to the level that is required. This staffing level can be more proactive in the assistance and oversight required to help the departments in these critical areas. Progress has been made in the implementation of automated solutions to monitor and tracking required system changes, but more is needed and will be presented within the budget process.
Initially, we were moving in the direction of recommending the addition of staff resources to conduct an assessment so there would be a familiarity with the location and nature of the gaps in the privacy area. Our belief was that having staff in place doing the assessment would facilitate the creation of appropriate policies and procedures to address the most significant issues. In further analyzing this approach, it was recognized that we had no real basis to determine what staff resources were required within the Privacy area since so little work has been done in this area. As a result, we are now recommending allocating resources to utilize contract staff to do the Privacy assessment that will in part determine the staff resources that will be necessary to implement the recommendations derived from the assessment and manage a privacy office on an ongoing basis.
Considering the potential magnitude of this program, we believe this is a far more reasonable approach as the assessment will provide the necessary information in terms of the skill sets and the depth, breadth and number of staff needed to move Santa Clara County into a position of having a strong privacy program. It will also assist us in determining the staff necessary to assure our policies and procedures are consistently updated as legislation is passed at both the State and Federal levels.
Attached for the Board’s review and consideration is a PowerPoint presentation that outlines the important aspects of our County Security and Privacy Program. In addition to providing the context and reasons why the Administration is bringing this program forward, this document also provides a rough time line outlining the steps that are needed to create a robust Security and Privacy program. The outline presented on pages six and seven of the presentation provides a clear blueprint and specific steps we believe are necessary to achieve our goals. We have also included an organization chart on page eight that identifies the resources that will be necessary to make this happen and where the staff will be assigned within the County organization. In addition, the correlation between the Program area and the Operational areas.
Since we have made the most progress with information security and understand where the gaps and needs are, we are recommending that staff resources be added in this area to develop and implement the policies and procedures, and facilitate the communication of this information to employees throughout the organization.
In the healthcare setting we have also made progress and have a plan to address the highest priority issues. As noted above, several of the staff recommended will be assigned to the Health and Hospital system to begin addressing privacy and security concerns there. With the recent appointment of a new Ethics and Compliance Officer, we believe we are moving in a positive direction although there is a lot of work to do in providing the training and communicating revised policies and procedures relating to HIPAA and other associated healthcare rules and statutes.
The least defined aspect of this plan is in the area of Privacy throughout the remainder of the County. Since we really do not know what we do not know, we are recommending using external resources to design and conduct an assessment that will be focused on the gaps in our program, developing a plan to address these needs and determine the resources required to put this program into place. Eventually, we believe a Chief Privacy Officer is the appropriate position to manage this effort moving forward and we are evaluating consolidating this office with the Ethics and Compliance Office in the Health and Hospital system. This appears to be the most logical and efficient step but additional information is needed to confirm that assertion. In order to complete this effort we are recommending the allocation of $600,000 to do the Privacy assessment and evaluation of the resources required moving forward. This estimate is based on the typical cost of these kinds of resources in the current market. $600,000 will provide for a high level privacy expert and two risk analysts to complete the required task as we see them today.
In summary, the Information Security component of our Security and Privacy Program would add the following 6 positions:
· 1 Configuration, Change and Release Manager (Operational side)
· 1 Senior IT Project Manager
· 3 Information Security Risk Analysts
· 1 Information Security Architect
The PowerPoint presentation, pages 12-15, provides an outline describing the positions we believe are necessary to sustain and improve on the work we are doing in the area of information security.
Also included in this presentation on pages 10 and 11 is a more detailed description of the work that we believe is necessary in the area of Privacy and in the future the duties and responsibilities of a Chief Privacy Officer
The following positions were established in the FY15 Budget and will also be resources to the overall program:
· Chief Information Security Officer (CISO) who reports to the CIO
· 4 Information Security Engineers that report to the CISO; 2 will be located at ISD and 2 will be located at HHS
As mentioned previously, this is a substantial ongoing commitment for the County to undertake at this time. At the same time, this is an example of a need that is growing with the focus on personal privacy and the need for us to focus on the security of the data that we collect and manage. As we accelerate the implementation of complex information systems and advanced equipment that utilize new technologies to store and access information, our responsibility to protect and manage personally identifiable information also increases. The need to provide information and access to the public and business partners is only increasing.
The penalties for non-compliance are increasing as are the public’s expectation that we competently manage their personal information. With this in mind, the Administration requests that the Board direct us to return with implementing actions to create a County Security and Privacy Program and the staff and contract resources identified to implement the assessment, draft policies and procedures and manage this function moving forward.
The recommended action will have no/neutral impact on children and youth.
The recommended action will have no/neutral impact on seniors.
The recommended action will have no/neutral sustainability implications.
On June 12, 2014 the Administration brought forward an outline of a plan to implement Privacy and Security policies within the County organization. This report was heard by the full Board on June 26, 2014. With the Board approval of the conceptual plan, the Administration committed to bring back a more detailed plan of execution that is included in this transmittal.