
Breach Response TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.


1 Breach Response
TRICARE Management Activity, HEALTH AFFAIRS
2009 Data Protection Seminar, TMA Privacy Office

2 Breach Response

3 Breach Response: Purpose
The purpose of this presentation is to provide a thorough understanding of what is required of TRICARE Management Activity (TMA) personnel when assessing and responding to a breach.

4 Breach Response: Objectives
Upon completion of this presentation, you should be able to:
- Describe the key components of breach reporting, notification, and mitigation
- Define your role in identifying and responding to breaches
- Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)

5 Background

6 Breach Response: SOP vs. Administrative Instruction
The TMA Standard Operating Procedure (SOP) for Breach Response has been revised and reformatted as an Administrative Instruction (AI).

7 Breach Response: TMA Breach Notification Administrative Instruction (AI)
The Breach Notification Administrative Instruction has three main sections:
- Roles and Responsibilities: outlines the expectations of each program office in the process of handling an incident
- Procedures: details specific actions and the progression of events that occur after a breach has been identified
- Appendices: provides various resources for assessing, reporting, and mitigating a breach

8 Breach Response: Definitions
Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

9 Breach Response: Definitions (continued)
Protected Health Information (PHI): Individually identifiable information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to:
- The past, present, or future physical or mental health or condition of an individual
- Provision of health care to an individual
- Payment for the provision of health care to an individual
If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered PHI.

10 Breach Response: Definitions (continued)
Breach: Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information, where persons other than authorized users gain access or potential access to such information for other than authorized purposes, and where one or more individuals will be adversely affected.

11 Roles & Responsibilities

12 Breach Response: Roles & Responsibilities
Note: IRT Chair duties, pp. 4-5 of the AI
Incident Response Team (IRT) Chairman:
- Serve as the central POC for the IRT
- Act as the conduit of information between the information/system owner and the IRT
- Delegate mitigation tasks to IRT members
- Determine the incident severity level based on IRT analysis and recommendations
- Update senior leadership as information becomes available

13 Breach Response: Roles & Responsibilities (continued)
Note: IRT Chair duties, pp. 4-5 of the AI
IRT Chairman:
- Coordinate with the TMA Deputy Director and Chief Financial Officer (CFO) in estimating the costs of the breach
- Assign responsibilities for preparation of the after-action report
- Debrief senior leadership

14 Breach Response: Roles & Responsibilities (continued)
Note: CIO duties, pp. 5-7 of the AI
Chief Information Officer (CIO) Representative:
- Collaborate with the IRT Chairman throughout the breach process
- Secure/isolate the affected equipment from the network to prevent further malicious activity
- Collect information for possible forensic use, including logs, an inventory of systems, and personal accounts
- Oversee mitigation of any suspected vulnerabilities in centrally managed systems

15 Breach Response: Roles & Responsibilities (continued)
Note: TMA PO duties, p. 7 of the AI
Director, TMA Privacy Office:
- Ensure compliance with all privacy requirements, such as incident reports, updates to leadership, and other internal and external communications
- Ensure compliance with the internal incident response plan
- Conduct training for IRT representatives at least annually

16 Breach Response: Roles & Responsibilities (continued)
Note: System Owner duties, pp of AI
Information/system owner:
- Isolate the system from the rest of the network to preclude further malicious activity
- Identify compromised data, including the identification of specific fields (name, rank, address, phone number, etc.)
- Identify potentially affected individuals, and work through the IRT Chairman to contact the Defense Manpower Data Center (DMDC) for address information
- Ensure mitigation tasks are executed in accordance with the IRT Chairman's delegation

17 Breach Response: Roles & Responsibilities (continued)
Note: System Owner duties, pp of AI
Information/system owner:
- Immediately notify leadership upon discovery and maintain a chronological log
- Analyze compromised assets and identify compromised data
- Routinely monitor the system for any further attempts at subversion
- Define notification requirements, as described in the AI

18 Procedures

19 Breach Response: Procedures
The following steps provide for well-coordinated management and control of a breach:
1. Incident Identification
2. Incident Reporting
3. Containment
4. Mitigation of harmful effects
5. Eradication
6. Recovery
7. Follow-up

20 Breach Response: Procedures (continued)
Step 1: Incident Identification
Involves the examination of all available information in order to determine if an event/incident has occurred.
Action steps:
- Analyze all available information
- Confirm and classify the severity of the incident
- Determine the appropriate plan of action
- Acknowledge legal issues addressed by the Office of General Counsel (OGC) representative
- Create an incident identification log

21 Breach Response: Procedures (continued)
Step 2: Incident Reporting
- TMA workforce members must report a potential or confirmed breach
- TMA personnel must notify their TMA component director, who will alert the CIO and TMA Privacy Officer within one hour
- Incidents involving a malicious breach of PHI or PII must be reported to TMA Program Integrity
- The TMA Privacy Officer and/or the CIO will notify the Deputy Director, TMA and senior leadership

22 Breach Response: Procedures (continued)
Step 2: Incident Reporting (reporting timeline)
- TMA Components Leadership: immediately
- TMA Privacy Office: within 1 hour
- US CERT: within 1 hour
- DoD Privacy Office: within 48 hours
Note: Notify issuing banks if government-issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of breach and identity discovery, if necessary.

23 Breach Response: Procedures (continued)
Step 3: Containment
Involves short-term actions that are immediately implemented in order to limit the scope and magnitude of an incident.
Containment activities include, at a minimum, the following action steps:
- Determine a course of action concerning the operational status of the compromised system, and identify critical information affected by the incident
- Follow existing local and higher-authority guidance regarding any additional incident containment requirements

24 Breach Response: Procedures (continued)
Step 4: Mitigation of Harmful Effects
The information/system owner shall mitigate the harmful effects of all incidents by taking the following actions:
- Securing the information and taking the affected system off-line as soon as possible
- Applying appropriate administrative and physical safeguards / blocking all exploited ports
- Notifying other information/system owners of the attempted breach
- Assessing the need for providing free credit monitoring and identity fraud expense coverage for affected individuals

25 Breach Response: Procedures (continued)
Step 5: Eradication
Entails removing the cause of an incident and mitigating vulnerabilities pertaining to the incident.
- All eradication activities are to be documented by the IRT and the information/system owner
- Specifically, document eradication activities in the incident identification log

26 Breach Response: Procedures (continued)
Step 6: Recovery
Recovery is the restoration of business operations to their normal condition.
- Verify that restoration actions were successful and that the business operation has returned to its normal condition
- Execute the necessary changes to the system and document recovery actions in the incident identification log
- Notify users of system availability and of security upgrades that were implemented due to the incident

27 Breach Response: Procedures (continued)
Step 7: Follow-up
Follow-up is a critical step in the incident response process and assists with the response to, and prevention of, future incidents.
- Develop a lessons-learned list, and share it with TMA personnel and with other DoD organizations as applicable
- Amend operating procedures and policies as appropriate
- Provide subsequent workforce training and awareness lessons as necessary

28 Appendices

29 Breach Response: Appendices
Appendix 1: Incident Response Checklist
Legend: [in-progress mark] denotes tasks in progress; [completed mark] denotes completed tasks
Date and Time of incident: _____________________
Location of incident: __________________________
Point of Contact: _____________________________
Date TMA was notified: ________________________
TMA informed by: ___________________________
Date TMA Privacy Officer/CIO was notified: ______________
Notified (DoD R, May 14, 2007):
____________ US CERT (within one hour)
____________ Agency Privacy Officer / Senior Representative for the Service / Senior DoD Component for Privacy (within 24 hours)
____________ Defense Privacy Office and component head (within 48 hours)
____________ All affected individuals, within 10 working days of discovery of the loss, theft, or compromise of personal information and of the identities of the individuals having been ascertained
____________ Law enforcement authorities, if necessary
____________ Ensured the incident is reported in accordance with the appropriate reporting timelines

30 Breach Response: Appendices (continued)
Appendix 4: Guidelines for Breach Reporting
Reporting of Lost, Stolen, or Compromised Personally Identifiable and/or Protected Health Information
Today's Date:
U.S. Cert #:
a. Component/Organization involved; Point of Contact/ /Telephone #:
b. Date of incident and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.:
c. Brief description of the incident, to include the facts and circumstances surrounding the loss, theft, or compromise:
d. Describe actions taken in response to the incident, to include: whether the incident was investigated and by whom; the preliminary results of the inquiry, if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified and, if they are not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; **what remedial actions have been, or will be, taken to prevent a similar incident in the future, e.g., additional training conducted, new or revised guidance issued, etc.; and any other information that you believe is relevant and pertinent:
**Please fill out and submit the Plan of Action and Milestone Template (For Official Use Only)

31 Breach Response: Appendices (continued)
Appendix 9: Risk Assessment Table
Columns: No. | Factor | Risk Determination (Low / Moderate / High) | Comments
All breaches of PII, whether actual or suspected, require notification to US-CERT. Low and moderate risk/harm determinations, and the decision whether notification of individuals is made, rest with the Head of the DoD Component where the breach occurred. All determinations of high risk or harm require notifications.
1. What is the nature of the data elements breached? What PII was involved?
  a. Name only | Low | Consideration needs to be given to unique names: those that one or only a few in the population may have, or those that could readily identify an individual, i.e., a public figure
  b. Name plus 1 or more personal identifiers (not SSN, medical, or financial) | Moderate | Additional identifiers include date and place of birth, mother's maiden name, biometric record, and any other information that can be linked or is linkable to an individual
  c. SSN | High |
  d. Name plus SSN | High |
  e. Name plus medical or financial data | High |
2. Number of Individuals Affected | | The number of individuals involved is a determining factor in how notifications are made, not whether they are made
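A small triage helper, added here as an illustration and not part of the TMA Administrative Instruction, that encodes the Appendix 9 data-element rows above together with the reporting clock from the Step 2 slide (leadership immediately, TMA Privacy Office and US-CERT within 1 hour, DoD Privacy Office within 48 hours, affected individuals within 10 working days). It assumes the 10-working-day clock starts at discovery with identities already ascertained, skips only weekends (the AI gives no holiday calendar), and treats element combinations the table does not list as needing IRT review.

```python
from datetime import datetime, timedelta

# Constructed for this example: element kinds the Appendix 9 table singles out.
SPECIAL = {"ssn", "medical", "financial"}


def assess_risk(elements):
    """Map the breached PII element kinds to Low/Moderate/High per Appendix 9, row 1."""
    e = {x.lower() for x in elements}
    if "ssn" in e:                      # rows 1c/1d: SSN, alone or with name -> High
        return "High"
    if "name" in e and e & SPECIAL:     # row 1e: name plus medical/financial -> High
        return "High"
    if "name" in e and e - {"name"}:    # row 1b: name plus other identifier(s) -> Moderate
        return "Moderate"
    if e == {"name"}:                   # row 1a: name only -> Low (watch unique names)
        return "Low"
    # Assumption: combinations the table does not list are escalated to the IRT.
    return "Undetermined"


def individual_notification_required(risk):
    """High risk always requires notification; Low/Moderate rest with the Component Head."""
    return risk == "High"


def add_working_days(start, days):
    """Advance `days` working days, skipping Saturday/Sunday only (assumption: no holidays)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d


def notification_deadlines(discovered):
    """Deadlines measured from the discovery time, as listed on the Step 2 slide."""
    return {
        "leadership": discovered,                                # immediately
        "tma_privacy_office": discovered + timedelta(hours=1),
        "us_cert": discovered + timedelta(hours=1),
        "dod_privacy_office": discovered + timedelta(hours=48),
        "affected_individuals": add_working_days(discovered, 10),
    }


if __name__ == "__main__":
    # Constructed sample: name plus date of birth discovered on a Friday morning.
    risk = assess_risk(["name", "dob"])
    print(risk, individual_notification_required(risk))
    print(notification_deadlines(datetime(2009, 6, 5, 9, 0)))
```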

32 TMA Breach Statistics

33 Breach Response: TMA Breach Statistics
Physical Loss/Theft
- Loss/theft of a laptop, briefcase, thumb drive, DVD/CD, paper, or any media
Data in Transit
- Misdirected/misplaced fax
- Accidental/intentional damage to a physical package
- Unencrypted misdirected/misplaced hard-copy or soft-copy document
System/Network Vulnerability
- Servers/networks negatively impacted by malicious code or a virus
- Inadequate/outdated firewalls or security settings
- Incidents resulting from complications of system upgrades

34 Breach Response: TMA Breach Statistics (continued)

35 Breach Response: Summary
You should now be able to:
- Describe the key components of breach reporting, notification, and mitigation
- Define your role in identifying and responding to breaches
- Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)

36 Breach Response: Resources
- DoD R, DoD Health Information Privacy Regulation, January 2003
- DoD R, Department of Defense Privacy Program, May 14, 2007
- DoD R, DoD Health Information Security Regulation, July 12, 2007
- TMA Standard Operating Procedure for Breach Notification, October 12, 2007

