Who decides what information is collected by VESTA?
The core information collected by VESTA is determined by the need to produce a HUD Annual Performance
Report and the requirement to conform to the Data and Technical Standards released by HUD. Any other
data is collected solely at the discretion of the Continuum of Care and the individual participating
agencies and programs.
Data in VESTA is arranged in logical groupings, e.g. Intake Details such as intake date and prior living
situation are collected together on a single form, Exit Details such as reason for leaving and exit
destination are collected on a single form, etc. Beyond the core information, programs can specify that
they want to collect additional data on an existing form (e.g. they want to collect emergency contact
information along with Intake Details), or they can outline separate customized forms.
Who has access to data in VESTA?
Only authorized users of VESTA have access to any part of the application. Authorized users are:
- Staff of participating agencies which provide services, shelter, or housing for their clients and
- The staff of PCL, which is contracted to provide data quality assurance, technical support, and user
training.
VESTA has several layers of security that impact who can log in to VESTA, what data they can see, and
which tasks they can do while logged in.
What is required to gain access to VESTA?
In order to access VESTA a user must have:
- A valid digital certificate approved by PCL staff installed on the computer they are using
- A valid user agreement on file with PCL staff and documented in VESTA
- A username
- A password which is less than 90 days old
- At least one program affiliation
What kinds of user levels are available in VESTA?
Whether or not users are permitted to
access any given page in VESTA is determined by their security role/type under their current program
affiliation in combination with the page’s security definition. The user’s security level must be explicitly
granted prior to access to any secure page.
VESTA currently offers the following user levels within an agency:
- Reports only – no access to any client-specific data
- Regular user – all data entry and client review pages, but no report access
- Power user – all data entry and client review pages, plus reports
- Supervisor – same as power user, but has access to all data alerts for all users in his/her program
How do data-sharing partnerships work?
Partnerships between programs are set up to share selected data about clients when programs participating
in the partnership have determined that sharing data will help them to better serve their clients’ needs.
Interagency sharing includes intake history and data about household members. Highly sensitive information
about a client’s special needs (e.g. HIV status), or services that might reveal special needs (e.g.
mental health services) is NEVER shared outside of the originating agency.
How does client consent affect data sharing in VESTA?
- A program must have the informed consent of the client to share information outside of their own agency.
- Within an agency, access to data is permitted regardless of client consent.
- Even with consent, highly sensitive data is never shared outside of an agency.
- Clients may revoke consent at any time. Users will be permitted to revoke consent granted to their program
at any time.
- Consent expires after a pre-defined period of time configurable on a per-program basis.
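The consent rules above can be read as one sharing decision made per data category. The following Python is an added example, not code from VESTA; the category names, the `Consent` class, the `may_view` function, and the treatment of the expiry boundary are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Categories the page says are never shared outside the originating agency.
# The category names are assumptions made for this example.
HIGHLY_SENSITIVE = {"special_needs", "mental_health_services"}


@dataclass
class Consent:
    granted_on: date
    valid_days: int                      # expiry period, configured per program
    revoked_on: Optional[date] = None    # set when the client revokes consent

    def is_valid(self, today: date) -> bool:
        if self.revoked_on is not None and self.revoked_on <= today:
            return False
        # Assumption: consent lapses on the day the period ends.
        expires = self.granted_on + timedelta(days=self.valid_days)
        return self.granted_on <= today < expires


def may_view(category: str, owner_agency: str, viewer_agency: str,
             partnered: bool, consent: Optional[Consent],
             today: date) -> Tuple[bool, str]:
    """Decide whether viewer_agency may see one category of a client record."""
    if viewer_agency == owner_agency:
        return True, "same agency: consent not required"
    # Checked before consent, so consent can never unlock these categories.
    if category in HIGHLY_SENSITIVE:
        return False, "highly sensitive: never leaves originating agency"
    if not partnered:
        return False, "no data-sharing partnership"
    if consent is None or not consent.is_valid(today):
        return False, "no valid client consent"
    return True, "partnership and valid consent"


if __name__ == "__main__":
    today = date(2024, 6, 1)                       # constructed sample data
    consent = Consent(date(2024, 1, 1), valid_days=365)
    for cat, viewer in [("intake_history", "agency_a"),
                        ("intake_history", "agency_b"),
                        ("special_needs", "agency_b")]:
        print(cat, viewer,
              may_view(cat, "agency_a", viewer, True, consent, today))
```

Placing the sensitivity check ahead of the consent check is what makes the third rule hold: no combination of partnership and consent can release those categories.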
What client data is shared without a sharing agreement?
In order to prevent the creation of duplicate records, a user must not create a new client record without
first doing a system-wide search for the client. To search the system, the user must know either the
client’s social security number OR both their last name and date of birth. When searching for clients
new to a program, VESTA will not ‘find’ a record for a client who does not have a valid consent on file.
Clicking on a search result does not provide access to a client’s entire record.
How is confidentiality monitored?
In designing VESTA, the confidentiality and security of the data were primary considerations. Originally,
the software development team for VESTA was employed by Caracole, Inc. – a housing provider for people
with HIV/AIDS. Our social services co-workers made it clear from the beginning that they considered
data security crucial, and would not consider using VESTA unless we could make it virtually ‘bullet-proof.’
VESTA uses the Secure Sockets Layer (SSL) protocol with 128-bit encryption; this provides a highly secure,
encrypted connection between our server and the user’s computer. SSL is an industry standard and is
used by many websites – including banks, credit card companies, and others with highly sensitive data
– in the protection of their online transactions with their customers. VESTA exceeds the industry standard,
however, in the use of digital certificates – a further layer of security which permits verification
of a pre-approved computer each and every time a user connects to VESTA.
VESTA's security framework was reviewed by an independent computer security firm, which found that VESTA
is “secure and well-structured to protect against known and unknown attacks.” In addition, they cited
the digital certificates as an “unusual” level of security.
VESTA users are also thoroughly screened and trained. In order to receive a digital certificate, a username,
and a password, a user must go through the following steps:
- Agency Directors must sign an agreement to participate in HMIS/VESTA.
- User Agreements must be co-signed by each user and their Agency Director.
- An on-site technical assessment of a user’s computer and work station location must be conducted and
approved by PCL, at which time the installation of digital certificates occurs.
- A one-on-one training is provided for the user appropriate to job function, covering an introduction
to HMIS and VESTA, confidentiality and security, consent, data sharing levels, data collection and entry,
and reports.
All said, every reasonable measure has been taken to ensure that the data contained in VESTA is secure.