VESTA DETAILS AND SECURITY

  • What kind of application is VESTA? VESTA is an ASP.NET (C# and VB.NET) web application with a Microsoft SQL Server 2008 back-end. It is used as a Homeless Management Information System (HMIS) and as a client-tracking and reporting database by social service projects. Users access VESTA across the Internet using a web browser (Internet Explorer version 7.0 or higher).
  • Is the VESTA server secure? The database and the application itself are run on servers located at the Cincinnati Bell Technology Solutions Data Center in downtown Cincinnati. The Center is monitored by camera 24 hours per day, and provides a secure, temperature-controlled environment with redundant power, redundant HVAC, and disaster recovery.
  • Is VESTA reliable? VESTA’s availability has been about 99.6%. Scheduled outages for system upgrades are limited to times most convenient for users.
  • Is VESTA data customizable? HMIS information collected by VESTA is determined by the need to produce a HUD Annual Performance Report as well as the requirement to conform to the Data and Technical Standards released by HUD. Beyond that, VESTA is completely customizable for agency and project use. Data in VESTA is arranged in logical groupings: for example, Intake Details, such as intake date and prior living situation, are collected together on a single form; Exit Details, such as reason for leaving and exit destination, are collected on a single form; and so on. Beyond the core information about clients that is collected in all projects, agencies and projects can specify additional information they want to collect on an existing form (e.g. they want to collect emergency contact information along with Intake Details), or they can outline separate customized forms.
  • Who has access to data in VESTA? Only authorized users of VESTA have access to any part of the application. Authorized users are:
    • Staff of participating agencies which provide services, shelter, or housing for their clients
    • The staff of PCL, which is contracted to provide data quality assurance, technical support, and user training
    • At the option of CoC agencies, the Continuum of Care can have client-level access restricted to homeless certification and HUD HMIS Data Standard fields
    • Funders (e.g. the United Way, the Veterans Administration, the Continuum of Care for the Homeless, etc.) have reports-only access that allows them to generate aggregate data on their funded projects

    VESTA has several layers of security that impact who can log in to VESTA, what data they can see, and which tasks they can do while logged in.

  • What is required to gain access to VESTA? In order to access VESTA a user must have:
    • A User Set-Up form signed by the Agency Director.
    • A signed VESTA User Agreement on file with PCL and documented in VESTA. This form must be signed by the User annually.
    • An on-site technical assessment of a user’s computer and work station location must be conducted and approved by PCL.
    • A one-on-one training appropriate to job function, covering an introduction to HMIS and VESTA, confidentiality and security, consent, data sharing levels, data collection and entry, and reports.
    • A username and a password which is updated every 90 days.
    • A user-selected PIN and answers to security questions (to verify identity in the event of a forgotten username/password or a log-on from an unrecognized location).
    • At least one project affiliation
  • What kinds of user levels are available in VESTA? Whether or not users are permitted to access any given page in VESTA is determined by their security role/type under their current project affiliation in combination with the page’s security definition. The user’s security level must be explicitly granted prior to access to any secure page.
    • Reports only – no access to any client-specific data
    • Regular user – all data entry and client review pages, but no report access
    • Power user – all data entry and client review pages, plus reports
    • Supervisor – same as power user, but has access to all data alerts for all users in his/her project
    • VESTAcard user – can only access the VESTAcard system
  • How do data-sharing partnerships work? Partnerships between projects are set up to share selected data about clients when projects participating in the partnership have determined that sharing data will help them to better serve their clients’ needs. Interagency sharing includes intake history and data about household members. Highly sensitive information about a client’s special needs (e.g. HIV status), or services that might reveal special needs (e.g. mental health services), is NEVER shared outside of the originating agency.
  • How does client consent affect data sharing in VESTA?
    • A project must have the informed consent of the client to share information outside of their own agency.
    • Within an agency, access to data is permitted regardless of client consent.
    • Even with consent, highly sensitive data (e.g. special needs data) is never shared outside of an agency.
    • Clients may revoke consent at any time. Users will be permitted to revoke consent granted to their project at any time.
  • What client data is shared without a sharing agreement? In order to prevent the creation of duplicate records, a user must not create a new client record without first doing a system-wide search for the client. To search the system, the user must know either the client’s social security number OR both their last name and date of birth. When searching for clients new to a project, VESTA will not ‘find’ a record for a client who does not have a valid consent on file. Clicking on a search result does not provide access to a client’s entire record.
  • How is confidentiality monitored? In designing VESTA, the confidentiality and security of the data were primary considerations. Originally, the software development team for VESTA was employed by Caracole, Inc. – a housing provider for people with HIV/AIDS. Our social services co-workers made it clear from the beginning that they considered data security crucial, and would not consider using VESTA unless we could make it virtually ‘bullet-proof.’
    • VESTA uses Secure Sockets Layer (SSL) protocol with 128-bit encryption; this provides a highly secure, encrypted connection between our server and the user’s computer. SSL is an industry standard and is used by many websites – including banks, credit card companies, and others with highly sensitive data – in the protection of their online transactions with their customers.
    • However, VESTA exceeds the industry standard with the use of digital certificates – a further layer of security which permits verification of a pre-approved computer each and every time a user connects to VESTA.
    • VESTA’s security framework was reviewed by an independent computer security firm, who found that VESTA is “secure and well-structured to protect against known and unknown attacks.” In addition, they cited the digital certificates as an “unusual” level of security.
    • VESTA users are also thoroughly screened and trained. In order to receive a digital certificate, a username, and a password, a user must go through the following steps:
      • Agency Directors must sign an agreement to participate in VESTA.
      • User Set-Up forms must be signed by the Agency Director.
      • A User must sign a VESTA User Agreement form prior to access. This form must be signed annually.
      • An on-site technical assessment of a user’s computer and work station location must be conducted and approved by PCL.
      • A one-on-one training is provided for the user appropriate to job function, covering an introduction to HMIS and VESTA, confidentiality and security, consent, data sharing levels, data collection and entry, and reports.

      Every reasonable measure has been taken to ensure that the data contained in VESTA is secure.
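
The data-sharing and consent rules described above (partnerships, consent, revocation, and the rule that special-needs data never leaves the originating agency) can be expressed as a single default-deny decision function. This is an added sketch in Python, not VESTA's own code, which this page does not show; the field names, the `Record` and `Requester` types and the `visible_fields` function are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed field names. The page names intake history and household members as
# shared, and special-needs data (or services revealing it) as never shared.
SHAREABLE = {"intake_history", "household_members"}
NEVER_SHARED = {"special_needs", "mental_health_services"}

@dataclass
class Record:
    owner_agency: str
    owner_project: str
    fields: dict
    consent: bool = False  # set back to False when the client revokes

@dataclass(frozen=True)
class Requester:
    agency: str
    project: str

def visible_fields(record, requester, partnerships):
    """Return the fields of `record` that `requester` may read."""
    # Within the originating agency, access does not depend on consent.
    if requester.agency == record.owner_agency:
        return dict(record.fields)
    # Outside it, deny unless a partnership exists AND consent is on file.
    pair = frozenset({record.owner_project, requester.project})
    if pair not in partnerships or not record.consent:
        return {}
    # Allow-list shared fields; the deny-list is a second, independent check.
    return {k: v for k, v in record.fields.items()
            if k in SHAREABLE and k not in NEVER_SHARED}

def demo():
    # Constructed sample data, not real client information.
    rec = Record("agency_a", "shelter_1", {
        "intake_history": "sample entry", "household_members": 2,
        "emergency_contact": "on file", "special_needs": "on file"})
    partnerships = {frozenset({"shelter_1", "housing_2"})}
    partner = Requester("agency_b", "housing_2")
    stranger = Requester("agency_c", "outreach_3")
    colleague = Requester("agency_a", "meals_4")
    out = {"colleague_no_consent": visible_fields(rec, colleague, partnerships),
           "partner_no_consent": visible_fields(rec, partner, partnerships)}
    rec.consent = True
    out["partner_consent"] = visible_fields(rec, partner, partnerships)
    out["stranger_consent"] = visible_fields(rec, stranger, partnerships)
    rec.consent = False  # client revokes consent
    out["partner_revoked"] = visible_fields(rec, partner, partnerships)
    return out
```

Because the function allow-lists shared fields, a custom field such as the constructed `emergency_contact` stays inside the agency until someone deliberately adds it to the shared set.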