The County of Santa Clara
California

Report
73548
Approved as Amended
Oct 21, 2014 9:00 AM

Approve the recommended implementation plan to establish a County Security and Privacy Program and initiate an assessment of privacy procedures throughout the County. (Office of the County Executive)

Information

Department: Office of the County Executive
Sponsors:
Category: Report

Body

FISCAL IMPLICATIONS

Approving the staff resources and supporting costs needed to establish a County Security and Privacy Program and complete an organizational assessment will require an allocation of $681,221 in FY 2015, assuming positions are funded as of March 1, 2015, and $1.9 million annually.  Based on the magnitude of this action, the Administration is recommending that this item be included in the Mid-Year review scheduled for early February 2015.  When measured against other competing priorities, if the Board chooses to fund this program, resources will be allocated from the reserve for future operations in FY 2015.  In FY 2016, annualized funding for this function will be included in the Recommended Budget.

REASONS FOR RECOMMENDATION

The Administration is recommending a two-step process that initially asks the Board to conceptually approve the staff resources and the implementation plan.  If the Board decides to move forward with the approach presented by the Administration, staff will return with implementing ordinances and budget modifications during the Mid-Year review.

 

Since late 2013, the Administration has been exploring best practices regarding privacy and security and discussing internally the steps needed to assess the status of the County organization in terms of where we are and where we should be.  The obvious question is why should this be a priority for Santa Clara County?

·        Laws and Regulations: There are an increasing number of laws and regulations that regulate the use of personally identifiable information (PII) and electronic protected healthcare information (ePHI) that carry substantial financial penalties for non-compliance.  These laws and regulations require the establishment of policies and procedures that govern how this information is managed and expect that staff are trained and educated about these policies. The laws also require annual risk assessments of all organizations that may handle ePHI. Santa Clara County has several departments requiring annual risk assessments including DCSS, the Department of Corrections, Sheriff’s Department, EOD, Protective Services, ISD, Valley Medical Center, HR/ESA and County Counsel. The regulations, statutes and standards include, among others, HIPAA, Payment Card Industry, California State laws, the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) standards, 42 CFR, and IRS 1075.

·        Protection: Respect for client/customer security and privacy is a critical issue in today’s world.  The public is increasingly frustrated with privacy breaches every day in the headlines and they expect that government is doing everything reasonable and responsible to safeguard their PII.

·        Increasing Audits: Audits by regulatory agencies are increasing in frequency and scope. Penalties for data loss are increasing in dollar value and frequency. It is expected that policies and procedures are created, documented and adhered to in the job functions and processes provided within the County. Auditors expect these artifacts and review the process, knowledge and training to ensure compliance.

·        Advancing Open Data and Digitizing Information: Santa Clara County has increased its web presence and digitization of sensitive information through the deployment of EPIC at the Valley Medical Center, contract engagements with cloud service providers, and expansion of use of web sites and social networking sites. The demand from the public, other government entities and business partners for access to digital information is increasing; to be more proactive in providing this data, the need to handle security and maintain privacy will be crucial. The transmission of sensitive data, although already encrypted in transit, is a target of adversaries such as hackers, hacktivists, cyber criminals and fraudsters.

·        Advancing Mobility: Mobile device usage has increased exponentially over the past 5 years as has electronic data creation. The location and subsequent protection of sensitive County data is a priority.

In June, the Administration presented the Finance Committee and subsequently the full Board with a detailed plan laying out the steps that would be needed to execute an organizational assessment that will identify the policies, procedures and program that need to be implemented in order for the County to be compliant with current statutes and rules related to privacy and security.  At that time, the Administration indicated that it would present a more detailed plan of how this plan would be implemented.  The County Executive’s Office has worked with Jeff Bardin, the Interim County Chief Information Security Officer, and Joyce Wing, the Chief Information Officer, to evaluate the privacy and security gaps that currently exist within the County and recommend the most productive allocation of resources to sustain the progress we have made and further assess the gaps in our management of PII and ePHI moving forward.  In addition, it is essential to provide the needed assistance to County resources to operationalize the policies, practices and training required to ensure overall protection in the implementation and maintenance of systems and processes. The discussion below provides additional insight and detail regarding the plan being presented for the Board’s consideration.

Designing how Santa Clara County moves forward in this highly dynamic and rapidly changing policy area has proved to be a difficult question.  In reviewing privacy and security, it is important to recognize there are different components in this policy area that have to be considered: 

Information Security - is a major issue for any large organization.  Santa Clara County has been fully engaged in addressing this issue for several years.  We have made some progress in identifying needs but have lacked the resources to effectively implement a comprehensive information security program.  We have assessed the organization and have a good idea of where the gaps are and what has to be done to improve information security.  Mr. Bardin has done a great deal of work identifying the steps needed to improve our existing systems and developing protocols for incorporating necessary information security concepts in the design of each new system that is considered for implementation by the County.  The next logical step is to fund the resources to put the plan in place.

Privacy and Security in the Health Care Setting – As the Board is aware, we have taken steps to strengthen our Ethics and Compliance function in the Health and Hospital System and have made progress in addressing requirements relating to electronic health personal information (ePHI), a major consideration with the implementation of EPIC/Healthlink, our electronic medical record system.  We have done a comprehensive assessment and are moving forward implementing a plan to mitigate the most significant gaps in this critical area.  Once again, resources are an issue that we need to address in order to educate and train staff in the Health and Hospital system and implement procedures that will improve our effort and performance in this area.  Some of the resources that will be identified later in this report are to be allocated within the Health and Hospital system to address the gaps identified by the work that has already been done to identify issues that need to be addressed.

Privacy Issues in the rest of the County - This is an area where we have made the least progress.  There are a variety of issues surrounding the use of surveillance cameras and other technologies that need further review in order to develop policies and procedures, so that we are operating in compliance with various rules and statutes. 

Operations - This is an area where we have relied on the operational staff to implement and maintain the existing policies and procedures, but we have not had the resources to confirm what has been completed or whether it has been done to the level that is required. This staffing level can be more proactive in the assistance and oversight required to help the departments in these critical areas. Progress has been made in the implementation of automated solutions to monitor and track required system changes, but more is needed and will be presented within the budget process.

Recommended Approach

Privacy

Initially, we were moving in the direction of recommending the addition of staff resources to conduct an assessment so there would be a familiarity with the location and nature of the gaps in the privacy area.  Our belief was that having staff in place doing the assessment would facilitate the creation of appropriate policies and procedures to address the most significant issues.  In further analyzing this approach, it was recognized that we had no real basis to determine what staff resources were required within the Privacy area since so little work has been done in this area.  As a result, we are now recommending allocating resources to utilize contract staff to do the Privacy assessment that will in part determine the staff resources that will be necessary to implement the recommendations derived from the assessment and manage a privacy office on an ongoing basis. 

Considering the potential magnitude of this program, we believe this is a far more reasonable approach as the assessment will provide the necessary information in terms of the skill sets and the depth, breadth and number of staff needed to move Santa Clara County into a position of having a strong privacy program.  It will also assist us in determining the staff necessary to assure our policies and procedures are consistently updated as legislation is passed at both the State and Federal levels. 

Attached for the Board’s review and consideration is a PowerPoint presentation that outlines the important aspects of our County Security and Privacy Program.  In addition to providing the context and reasons why the Administration is bringing this program forward, this document also provides a rough timeline outlining the steps that are needed to create a robust Security and Privacy program.  The outline presented on pages six and seven of the presentation provides a clear blueprint and specific steps we believe are necessary to achieve our goals.  We have also included an organization chart on page eight that identifies the resources that will be necessary to make this happen and where the staff will be assigned within the County organization. The chart also shows the correlation between the Program area and the Operational areas.

Information Security

Since we have made the most progress with information security and understand where the gaps and needs are, we are recommending that staff resources be added in this area to develop and implement the policies and procedures, and facilitate the communication of this information to employees throughout the organization. 

Healthcare

In the healthcare setting we have also made progress and have a plan to address the highest priority issues.  As noted above, several of the staff recommended will be assigned to the Health and Hospital system to begin addressing privacy and security concerns there.   With the recent appointment of a new Ethics and Compliance Officer, we believe we are moving in a positive direction although there is a lot of work to do in providing the training and communicating revised policies and procedures relating to HIPAA and other associated healthcare rules and statutes.

The least defined aspect of this plan is in the area of Privacy throughout the remainder of the County.  Since we really do not know what we do not know, we are recommending using external resources to design and conduct an assessment that will be focused on the gaps in our program, developing a plan to address these needs and determining the resources required to put this program into place.  Eventually, we believe a Chief Privacy Officer is the appropriate position to manage this effort moving forward and we are evaluating consolidating this office with the Ethics and Compliance Office in the Health and Hospital system.  This appears to be the most logical and efficient step but additional information is needed to confirm that assertion.  In order to complete this effort we are recommending the allocation of $600,000 to do the Privacy assessment and evaluation of the resources required moving forward.  This estimate is based on the typical cost of these kinds of resources in the current market.  $600,000 will provide for a high-level privacy expert and two risk analysts to complete the required tasks as we see them today.

In summary, the Information Security component of our Security and Privacy Program would add the following 6 positions:

·        1 Configuration, Change and Release Manager (Operational side)

·        1 Senior IT Project Manager

·        3 Information Security Risk Analysts

·        1 Information Security Architect

The PowerPoint presentation, pages 12-15, provides an outline describing the positions we believe are necessary to sustain and improve on the work we are doing in the area of information security.

Also included in this presentation on pages 10 and 11 is a more detailed description of the work that we believe is necessary in the area of Privacy and, in the future, the duties and responsibilities of a Chief Privacy Officer.

The following positions were established in the FY15 Budget and will also be resources to the overall program:

·        Chief Information Security Officer (CISO) who reports to the CIO

·        4 Information Security Engineers that report to the CISO; 2 will be located at ISD and 2 will be located at HHS

As mentioned previously, this is a substantial ongoing commitment for the County to undertake at this time.  At the same time, this is an example of a need that is growing with the focus on personal privacy and the need for us to focus on the security of the data that we collect and manage.  As we accelerate the implementation of complex information systems and advanced equipment that utilize new technologies to store and access information, our responsibility to protect and manage personally identifiable information also increases. The need to provide information and access to the public and business partners is only increasing. 

The penalties for non-compliance are increasing, as is the public’s expectation that we competently manage their personal information.  With this in mind, the Administration requests that the Board direct us to return with implementing actions to create a County Security and Privacy Program and the staff and contract resources identified to implement the assessment, draft policies and procedures and manage this function moving forward.

CHILD IMPACT

The recommended action will have no/neutral impact on children and youth.

SENIOR IMPACT

The recommended action will have no/neutral impact on seniors.

SUSTAINABILITY IMPLICATIONS

The recommended action will have no/neutral sustainability implications.

BACKGROUND

On June 12, 2014 the Administration brought forward an outline of a plan to implement Privacy and Security policies within the County organization.  This report was heard by the full Board on June 26, 2014.  With the Board approval of the conceptual plan, the Administration committed to bring back a more detailed plan of execution that is included in this transmittal.

 

Meeting History

Oct 21, 2014 9:00 AM, Board of Supervisors, Regular Meeting

At request of Supervisor Chavez, motion was amended to include information in the plan relating to identifying who can access information and data and appropriate methods of sharing it. Supervisor Simitian amended the motion to reflect that the implementation plan is for a County Privacy and Security Program, in that order.

RESULT: APPROVED AS AMENDED [UNANIMOUS]
MOVER: S. Joseph Simitian, Supervisor
SECONDER: Cindy Chavez, Supervisor
AYES: Mike Wasserman, Cindy Chavez, Dave Cortese, Ken Yeager, S. Joseph Simitian

Transcript

Oct 21, 2014 9:00 AM, Board of Supervisors, Regular Meeting

 

10:28 AM We now move on to item 15. Mr. Graves, you're going to lead that, I believe, for the implementation plan for privacy and security assessment.
10:29 AM Yes, that's correct, Mr. President. Before you, you have our report that is a follow-on to a conversation that we had with you a couple of months ago laying out really what we believe the needs are for privacy and security within the county organization. We have really been looking at this in a very detailed fashion over the last 12 months and what is before you really is sort of a process that has been iterative in terms of trying to define, you know, what the needs are, trying to identify where we have made progress and the areas that we really need to focus additional resources. The recommended action is asking you to approve this plan and concept because of the magnitude of the resources required. We are suggesting that if, in fact, the board is comfortable with this plan that we would return in the mid-year budget review with the specifics, the implementation of salary ordinances to add the positions so that those could be evaluated with the other requests and priorities that you'll be faced with at that time. In the current year, assuming an implementation date of March 1st, we're looking at a cost of about 680,000 and about $1.9 million annually. So, there is a significant investment. But it is an investment that we do believe is important. As I have looked at this just sort of someone who is really new to this concept, I think it really is -- identifies some areas as we look at the way we currently do business that we really have to be focused on issues of privacy and security, really to go across sort of three areas. Number one is information, privacy and security, you know, that we really are focused on through the work and mainly in our information services department and also in every department because, of course, information right now is a key part of how we do business. Also really focusing on privacy and security in our health care system because that's an area where, of course, there's been lots of focus and attention. 
And then really the issue of privacy throughout the remainder of the county and that's the area where we do feel like we are probably the least evolved. And, so, what our plan really focuses on and there is a PowerPoint in the back of the report that tries to lay this out a little more graphically. It really attempts to identify and strengthen the information security, that's an area where I think we've made a great deal of progress. But in identifying what our needs are, I think now what we're suggesting is we need to move forward with actually providing the resources to make this happen on an ongoing basis. In the area of health and hospital in terms of privacy and security, I think that again we've made some improvements there. We brought in some new staff, invested there. And I think we're on the right track. We still need to do some further evaluation. The last area, as mentioned, is where we're least evolved is the area of privacy throughout the rest of the county. And what we're suggesting here is that we actually bring in some external resources because we really kind of don't know what we don't know. And, so, initially we had thought about actually hiring staff to do the assessment and then have them actually implement, but we really just determined that we really didn't even know what that staff might look like. So, we felt like it would be more prudent to bring in some external resources with expertise to do that assessment and at that point we would evaluate what that need might look like in terms of what staff would be required to really operate a program on an ongoing basis. That is really the highlights. There's lots of detail that I would be happy to answer questions about. We've worked closely with Joyce Wing, the CIO, and Jeff Bardin, who is our contract chief security information officer. Unfortunately both of them aren't here today so I'm kind of on my own. So, please don't ask me any real specific questions. No. [laughter]
10:34 AM The reality is that what I've tried to do in sort of providing some oversight to this process is really try to put this in the context, recognizing the many demands that we face in terms of resources, but really this is an area that is really becoming more and more important with the mandates and the concerns that are raised and actually the issues that come to us in the form of statutes in terms of protecting individuals' privacy and the security of the data. We collect a large amount of data. We really need to be in a better place of understanding what data we actually have to make sure it is protected. So, I do believe that this becomes one of those things that perhaps isn't as sexy as direct service delivery, but becomes very important in terms of the way that we actually do our business and what I think the public expects of us in terms of protecting information in an appropriate manner. So, happy to answer any questions.
10:35 AM Thank you, Mr. Graves. We don't have any speaker cards on this item. Supervisor Chavez, you wanted a comment or question?
I wanted to ask a couple questions. I'm excited this is coming forward. I know Supervisor Simitian has been focused on this issue quite a while, and I'm curious about how this program coming forward will mix in with some of the work we're trying to do relative to research and really being able to, in some instances, collect data and use it for the purposes [speaker not understood], but also to improve service provision. We might be helping someone in this department and have a whole 'nother set of information for them in this department and not be able to communicate that. Where does that fit into this work?
I think that generally speaking, what we're looking at is sort of developing a program and an office, if you will, that will develop the expertise to really be resources, number one, you know, for things that are obvious, like whenever we're implementing an information system to make sure that privacy and security are thought of up front. And at the same time, when there are questions about information sharing, what are the issues and the rules and how can we facilitate that, where is that appropriate, where is that not appropriate? So, we really view this as a resource. And obviously very much involved here is County Counsel who currently really is intimately involved in working with us in those kinds of areas. But this is really creating an additional resource that I think will facilitate that kind of communication and that kind of facilitation because the bottom line is the way we use information or the way that we haven't been able to use it or ways in which we need to use it are all questions that privacy and security is very much entangled with. So, I think that this is going to be a very important resource in terms of us moving forward, being more effective in the use of information.
10:37 AM The thing I want to make sure of is as this moves forward it is a part of the work plan and I didn't see it in here. The reason I mention is I know that under [speaker not understood]'s office, we have asked, I think it was in children and family services, to make sure we look at who has confidentiality when so we can provide better services. What I don't want and I know Supervisor Simitian is asking for, we create another way to make it more difficult to provide the services we provide. We need to do them in the most, really protective privacy, at the same time we need to be able to do this more efficiently than we do today. So, I would just want to make sure it's something that's needed as a core function of this office to make sure we're providing the support to program. And frankly, this is also going to impact a number of nonprofits that we interact with. [speaker not understood] we can't give them what they want and who gets it. I think who holds privilege is going to be very important as a question that is always asked. And second, the way we protect people's privacy, but how do we share that information. And third the research component you raised, I know Dr. Smith has been working in our office to try to tie together research and kind of envisioning what that would look like so we can do a better job of writing grants, for example. We have a very difficult time doing because we can't access information appropriately. So, I seconded this, but would like to make a motion to make sure we embed that in because I don't want these to be competing interests.
10:38 AM Thank you. Supervisor Simitian.
Thank you. I think it's funny, as I listen to Supervisor Chavez and I'm just going to speculate, always a little risky, some of this comes from her work on children, seniors and families. [speaker not understood] I had the same concerns 15 years ago when I sat on what was then children and family, the frustration of being told that when we had someone who was trying to deliver services they could only have one piece of information, but not the second, third, fourth piece of information that would give them a more complete sense of who the client was and what the range of issues were that someone was dealing with and what kind of package of services which came to be called wraparound might be appropriate. So, and actually I think a nice job of saying what we're talking about when we start to overlay these privacy concerns is asking the question in a more thoughtful and thorough way, which is to say not simply how can we share this information, but how can we share this information in a way that is respectful and legal with respect to privacy protection. The different example, Mr. President, earlier today we had someone under open forum who wanted to talk to us about license plate readers, cameras, and that sets off a bunch of alarms about privacy concern. But, you know, I voted to support the use of that technology in my prior life in this state legislature and anticipate doing so again here. The question is how can we use the tool appropriately for, in this case, a law enforcement public safety purpose while still protecting people's privacy. And the problem is, Mr. Graves laid it out, too often those two conversations are happening separately rather than blending them together in a way that you've described. So, I think -- I'm very pleased to see us at this point today and want to thank the staff for their work over the course of the last year. 
I think staff is wise to say, let's do this in a sort of deliberate fashion rather than try and go 0 to 60 in 3 seconds. I don't think that's going to happen and I don't think it should happen. I think that sort of acknowledging the step-by-step benefits is wise. So, I'm happy to move the item with two additions to the recommended actions. The first is to incorporate explicitly the desire by the board, Supervisor Chavez referenced to make sure that as we proceed, we focus explicitly on how we can facilitate the appropriate sharing of data and information in a way that is consistent with privacy protections both as a matter of law and policy. And the second, and this will seem a small one, that the recommended subject implementation for [speaker not understood] and under recommended action it says security and privacy program, I would like it to be privacy and security in that order. So, the recommended action would be for privacy and security. And while it's obviously a small and semantic issue, the security it seems to me is designed to ensure the privacy and the privacy is the goal and the security is the means. So, I would -- I will move the recommended action with those two amendments that we establish a county privacy and security program and initiate an assessment of privacy procedures throughout the county including the assessment that was referenced by Supervisor Chavez and which I attempted to form into part of the motion.
10:42 AM Thank you. So, we have a motion by Supervisor Simitian, second by Supervisor Chavez. I just want to chime in. Mr. Graves, I thought it was interesting when you were listing [speaker not understood] in general the health care system, privacy elsewhere is the biggest need that you currently see now. It was interesting when you said we don't know what we don't know. I think it's very important to point out Santa Clara County, 17,000 employees, hundreds of thousands of people coming through our hospital system, medical records and all that takes place, the provisions, the security that we have in place is extremely good. It is the desire of this board to make it as impenetrable and private and secure as possible. You've been working on this for 12 months. This approval, which I see is going to go through, is for a lot of dollars, $680,000 now, 1.9 million ongoing. Drawv approval besides what we're doing here, I'd like to include, if it's not already understood to be included, is security issues I'll say for break-in, break-ins into facilities, that physically improving windows, doors, whatever, that that be included in this overall aspect of increasing privacy and security so someone can't just walk in and take information away physically. Supervisor Simitian, do you have a comment?
10:43 AM I just want to say it certainly is, I think it is the intention of the request from staff in terms of recommended action to include those kinds of, shall we call them, low-tech privacy and security concerns. In previous conversations the board has heard the phrase privacy by design talked around from time to time. I think part of what this effort is about is creating a culture in the organization that is mindful of, respectful of, and takes action on behalf of the legitimate privacy concerns people have with respect to their information. And while that high visibility one is in terms of the data breaches involve pretty sophisticated technological questions, some of this is as simple as what do you leave on top of your desk. [speaker not understood] someone might come in through the back window. All of that is included by reference.
10:44 AM Thank you. Supervisor Yeager.
Yes, just because you had mentioned what you did, Supervisor Wasserman, there was an article in yesterday's New York Times, these break-ins shall we say in telephone lines. Over the weekend these companies mainly overseas somehow get access and then over a weekend can rack up over a million dollars, $2,000,000 in phone calls and then these companies make money off of those phone calls. So, it just seems like you have to be vigilant everywhere. And I appreciate everything that Supervisor Simitian has raised on this, but as you said, there are break-ins -- there are other ways things can be compromised.
10:45 AM Sure, the highest high tech companies in the world, Visa, MasterCard, Wal-Marts whatever, they do everything they can and still there are occurrences. Supervisor Cortese.
Just looking down the road on this, I maybe urge all of us here going forward to think about the fact that these two areas may need to actually be separated out. I know we move or trying to move much of county operations into nonsiloed areas, but it almost strikes me [speaker not understood] I'm supporting the motion, but at some level it's almost Orwellian to talk about privacy and security assessment the way the world is right now. An idea of having them really be a check and balance at some point going forward, almost like you'd have a police department and an independent police auditor or those kinds of relationships where those who are aggressive about security are finding themselves appropriately checked by those who are aggressive about privacy. So, just food for thought going forward. Thank you.
10:46 AM Thank you. And with that, I see all five supervisors have voted. Madam Clerk, I have a mover and seconder and passes unanimously 5-nothing. That was item 15.