Presentation transcript: "2009 Data Protection Seminar"
Slide 1: 2009 Data Protection Seminar
Breach Response
TMA Privacy Office
TRICARE Management Activity
Health Affairs
Slide 2: Breach Response
Even if you take all the necessary precautions, a breach (an accident) could occur; however, a robust incident response and reporting program can help mitigate the breach.
Slide 3: Breach Response - Purpose
The purpose of this presentation is to provide a thorough understanding of the requirements of TRICARE Management Activity (TMA) personnel when assessing and responding to a breach.

Notes: Similar to relying on a trusted insurance policy to assist in the resolution of a car accident, familiarity with the TMA Breach Notification Administrative Instruction is instrumental in properly mitigating a breach.
Slide 4: Breach Response - Objectives
Upon completion of this presentation, you should be able to:
- Describe the key components of breach reporting, notification, and mitigation
- Define your role in identifying and responding to breaches
- Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)
Slide 5: Background
Slide 6: Breach Response - SOP vs Administrative Instruction
The TMA Standard Operating Procedure (SOP) for Breach Response has been revised and re-formatted as an Administrative Instruction (AI).

Notes: Much of the content from the SOP for Breach Response (approved on October 12, 2007) has remained intact; however, various changes have been implemented. Per OMB Memo M-07-16: in formulating a breach notification policy, agencies must review their existing requirements with respect to privacy and security. The policy must include existing and new requirements for incident reporting and handling as well as external breach notification. Finally, the memo requires agencies to develop policies concerning the responsibilities of individuals authorized to access personally identifiable information.
Slide 7: Breach Response - TMA Breach Notification Administrative Instruction (AI)
Three main sections of the Breach Notification Administrative Instruction:
- Roles and Responsibilities: outlines the expectations of each program office in the process of handling an incident
- Procedures: details specific actions and a progression of events that occur after a breach has been identified
- Appendices: provides various resources for assessing, reporting, and mitigating a breach

Notes: The three main sections of the document remain consistent with the Breach Notification SOP.
Slide 8: Breach Response - Definitions
Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Notes: This definition was introduced yesterday in the Privacy Impact Assessment (PIA) presentation delivered by Kenneth Cole (keep this overview brief).
Slide 9: Breach Response - Definitions (continued)
Protected Health Information (PHI): Individually identifiable information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to:
- The past, present, or future physical or mental health or condition of an individual
- Provision of health care to an individual
- Payment for the provision of health care to an individual
If the information identifies an individual, or provides a reasonable basis to believe it can be used to identify an individual, it is considered PHI.
Slide 10: Breach Response - Definitions (continued)
Breach: Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for other than authorized purposes, and where one or more individuals will be adversely affected.
Slide 12: Breach Response - Roles & Responsibilities
Incident Response Team (IRT) Chairman:
- Serve as the central POC for the IRT
- Act as the conduit of information between the information/system owner and the IRT
- Delegate mitigation tasks to IRT members
- Determine the incident severity level based on IRT analysis and recommendations
- Update senior leadership as information becomes available

Notes (notable roles & responsibilities): The IRT Chair will be designated by the Deputy Director, TMA. This role will be filled by either the Chief Information Officer or the Director, TMA Privacy Office, based on the nature of the breach. IRT Chair duties: pp. 4-5 of the AI.
Slide 13: Breach Response - Roles & Responsibilities (continued)
IRT Chairman:
- Coordinate with the TMA Deputy Director and Chief Financial Officer (CFO) in estimating costs of the breach
- Assign responsibilities for preparation of the after-action report
- Debrief senior leadership

Notes: Bullet 1: costs include notification to affected individuals, one year of free credit monitoring and identity fraud expense coverage, establishment of a call center, etc. IRT Chair duties: pp. 4-5 of the AI.
Slide 14: Breach Response - Roles & Responsibilities (continued)
Chief Information Officer (CIO) Representative:
- Collaborate with the IRT Chairman throughout the breach process
- Secure/isolate the affected equipment from the network to prevent further malicious activity
- Collect information for possible forensic use, including logs, inventory of systems, and personal accounts
- Oversee mitigation of any suspected vulnerabilities in centrally managed systems

Notes: The CIO actions listed on this slide will be taken when instructed by the Deputy Director, TMA. CIO duties: pp. 5-7 of the AI.
Slide 15: Breach Response - Roles & Responsibilities (continued)
Director, TMA Privacy Office:
- Ensure compliance with all privacy requirements, such as:
  - Incident reports
  - Updates to leadership
  - Other internal and external communications
- Ensure compliance with the internal incident response plan
- Conduct training for IRT representatives at least annually

Notes: TMA PO duties: p. 7 of the AI.
Slide 16: Breach Response - Roles & Responsibilities (continued)
Information/system owner:
- Isolate the system from the rest of the network to preclude further malicious activity
- Identify compromised data, including the identification of specific fields (name, rank, address, phone number, etc.)
- Identify potentially affected individuals, and work through the IRT Chairman to contact the Defense Manpower Data Center (DMDC) for address information
- Ensure mitigation tasks are executed in accordance with IRT Chairman delegation

Notes: Tying into the accident theme, the role played by the information/system owner is similar to that of the driver, and is pivotal in properly responding to a breach. For the purposes of the Administrative Instruction, the term "information" serves to include "data". System Owner duties - pp of AI
Slide 17: Breach Response - Roles & Responsibilities (continued)
Information/system owner:
- Immediately notify leadership upon discovery and maintain a chronological log
- Analyze compromised assets and identify compromised data
- Routinely monitor the system for any further attempts at subversion
- Define notification requirements, as described in the AI

Notes: The final bullet point will be discussed in further detail in the "Procedures" section, which outlines reporting requirements. System Owner duties - pp of AI
Slide 19: Breach Response - Procedures
The following steps provide for well-coordinated management and control of a breach:
1. Incident Identification
2. Incident Reporting
3. Containment
4. Mitigation of harmful effects
5. Eradication
6. Recovery
7. Follow-up
Slide 20: Breach Response - Procedures (continued)
Step 1: Incident Identification
Involves the examination of all available information in order to determine if an event/incident has occurred.
Action steps:
- Analyze all available information
- Confirm and classify the severity of the incident
- Determine the appropriate plan of action
- Acknowledge legal issues addressed by the Office of General Counsel (OGC) representative
- Create an incident identification log

Notes: Among other items, the following should be evaluated upon discovery of an incident:
- Is the incident suspected or confirmed?
- Evidence
- Where did it happen?
- What is the extent of the incident (if determinable)?
- What other information do I need?
Slide 21: Breach Response - Procedures (continued)
Step 2: Incident Reporting
- TMA workforce members must report a potential or confirmed breach
- TMA personnel must notify their TMA component director, who will alert the CIO and TMA Privacy Officer within one hour
- Incidents involving a malicious breach of PHI or PII must be reported to TMA Program Integrity
- The TMA Privacy Officer and/or the CIO will notify the Deputy Director, TMA and senior leadership

Notes: It is critical to ensure all breaches are reported. Leadership is aware that breaches occur, and there is no backlash when they are reported. The issue arises when breaches are not reported and leadership is made aware through external channels, such as the media. Third bullet: notification to TMA Program Integrity for malicious breaches is a new revision to the SOP. TMA Program Integrity serves as the liaison with law enforcement for these incidents.
Slide 22: Breach Response - Procedures (continued)
Step 2: Incident Reporting
Reporting timelines for TMA Components:
- Leadership: immediately
- TMA Privacy Office: within 1 hour
- US-CERT: within 1 hour
- DoD Privacy Office: within 48 hours
Note: Notify issuing banks if government-issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of breach and identity discovery, if necessary.

Notes: When a loss, theft, or compromise of information occurs, the breach shall be reported to the appropriate levels of leadership. Bullet 4: the form for reporting a breach can be found on the Privacy Office website. Upon TMA Component submission of this report to the TMA Privacy Office, the TMA Privacy Office will report the incident to the DPO.
Slide 23: Breach Response - Procedures (continued)
Step 3: Containment
Involves short-term actions that are immediately implemented in order to limit the scope and magnitude of an incident.
Containment activities include, at a minimum, the following action steps:
- Determine a course of action concerning the operational status of the compromised system and identify critical information affected by the incident
- Follow existing local and higher authority guidance regarding any additional incident containment requirements
Slide 24: Breach Response - Procedures (continued)
Step 4: Mitigation of Harmful Effects
The information/system owner shall mitigate the harmful effects of all incidents by taking the following actions:
- Securing the information and taking the affected system off-line as soon as possible
- Applying appropriate administrative and physical safeguards and blocking all exploited ports
- Notifying other information/system owners of the attempted breach
- Assessing the need for providing free credit monitoring and identity fraud expense coverage for affected individuals

Notes: The information/system owner also must keep the TMA Privacy Office (and in turn, senior leadership) informed of relevant updates.
Slide 25: Breach Response - Procedures (continued)
Step 5: Eradication
Entails removing the cause of an incident and mitigating vulnerabilities pertaining to the incident. All eradication activities are to be documented by the IRT and the information/system owner.

Notes: Specifically, document eradication activities in the incident identification log.
Slide 26: Breach Response - Procedures (continued)
Step 6: Recovery
Recovery is the restoration of business operations to their normal condition.
- Verify that restoration actions were successful and that the business operation has returned to its normal condition
- Execute the necessary changes to the system and document recovery actions in the incident identification log
- Notify users of system availability and of the security upgrades that were implemented due to the incident
Slide 27: Breach Response - Procedures (continued)
Step 7: Follow-up
Follow-up is a critical step in the incident response process and assists with the response to, and prevention of, future incidents.
- Develop a lessons-learned list, and share it with TMA personnel and with other DoD organizations as applicable
- Amend operating procedures and policies as appropriate
- Provide subsequent workforce training and awareness lessons as necessary

Notes: Sub-bullet 3: HIPAA Refresher Training is a good example of training that can be implemented to ensure all personnel are acutely aware of their responsibilities as they pertain to information privacy and security.
Slide 29: Breach Response - Appendices
Appendix 1: Incident Response Checklist
Legend: [symbol] denotes tasks in progress; [symbol] denotes completed tasks (the two legend symbols did not survive extraction)

Date and Time of incident: _____________________
Location of incident: __________________________
Point of Contact: _____________________________
Date TMA was notified: ________________________
TMA informed by: ___________________________
Date TMA Privacy Officer/CIO was notified: ______________

Notified (DoD R, May 14, 2007):
____________ US-CERT (within one hour)
____________ Agency Privacy Officer / Senior Representative for the Service / Senior DoD component for Privacy (within 24 hours)
____________ Defense Privacy Office and component head (within 48 hours)
____________ All affected individuals, within 10 working days of the discovery of the loss, theft or compromise of personal information and once the identities of the individuals have been ascertained
____________ Law enforcement authorities, if necessary
____________ Ensured incident is reported in accordance with appropriate reporting timelines

Notes: This slide only contains the reporting requirements section of Appendix 1. The full Appendix also can be used as a guide for communicating and arranging meetings with applicable directorates, and for carrying out mitigation activities.
Slide 30: Breach Response - Appendices (continued)
Appendix 4: Guidelines for Breach Reporting
Reporting of Lost, Stolen, or Compromised Personally Identifiable and/or Protected Health Information
Today's Date: ____________   U.S. CERT #: ____________
a. Component/Organization involved; Point of Contact / Telephone #:
b. Date of incident and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.:
c. Brief description of incident, to include facts and circumstances surrounding the loss, theft, or compromise:
d. Describe actions taken in response to the incident, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified, and if not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; what remedial actions have been, or will be, taken to prevent a similar incident in the future, e.g., additional training conducted, new or revised guidance issued, etc.; and any other information that you believe is relevant and pertinent:
Please fill out and submit the Plan of Action and Milestone Template. (For Official Use Only)

Notes: This form can be found on the TMA Privacy Office website, and must be completed by the TMA directorate responsible for the incident and forwarded to the TMA Privacy Office. The document:
- certifies that the incident has been reported to US-CERT
- identifies the number of individuals impacted
- briefly describes the incident and the corresponding facts/circumstances surrounding the breach
- defines actions taken in response to the incident (including beneficiary notification, and remedial actions to include training)
Slide 31: Breach Response - Appendices (continued)
Appendix 9: Risk Assessment Table
Columns: No. | Factor | Risk Determination (Low / Moderate / High) | Comments
General notes on the table:
- All breaches of PII, whether actual or suspected, require notification to US-CERT.
- Low and moderate risk/harm determinations, and the decision whether notification of individuals is made, rest with the Head of the DoD Component where the breach occurred.
- All determinations of high risk or harm require notifications.

1. What is the nature of the data elements breached? What PII was involved?
   a. Name only: Low. Comment: consideration needs to be given to unique names, i.e., those that one or only a few in the population may have, or that could readily identify an individual, such as a public figure.
   b. Name plus 1 or more personal identifier (not SSN, medical or financial): Moderate. Comment: additional identifiers include date and place of birth, mother's maiden name, biometric record and any other information that can be linked or is linkable to an individual.
   c. SSN; d. Name plus SSN; e. Name plus medical or financial data: High.
2. Number of individuals affected. Comment: the number of individuals involved is a determining factor in how notifications are made, not whether they are made.

Notes: When conducting a risk analysis, the following five factors should be used when assessing the likelihood of risk/harm:
- Nature of the data elements breached
- Number of individuals affected
- Likelihood the information is accessible and usable
- Likelihood the breach may lead to harm
- Ability of the agency to mitigate the risk of harm
This risk assessment model was provided in the 9/21/2007 OSD Memorandum for Safeguarding Against and Responding to the Breach of Personally Identifiable Information, and can serve as a valuable tool.
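As an added example, not part of the seminar material or the AI itself, the Python below encodes factor 1 of the Appendix 9 table together with the reporting clock from the Appendix 1 checklist, so an analyst can see how a set of breached fields maps to a rating and to notification deadlines. The field labels, the Monday-to-Friday working-day calendar without holidays, and the sample incident are assumptions of the example.

```python
"""Added example (not from the seminar): Appendix 9 factor-1 risk
determination and Appendix 1 reporting deadlines."""
from datetime import datetime, timedelta

# Element labels are assumed for this example; the table names the categories
# (name, other identifiers, SSN, medical, financial) but not field names.
OTHER_IDENTIFIERS = {"date_of_birth", "place_of_birth", "mothers_maiden_name",
                     "biometric"}
SENSITIVE = {"ssn", "medical", "financial"}


def risk_determination(elements):
    """Map the breached data elements to Low/Moderate/High per rows 1a-1e."""
    elems = set(elements)
    if elems & SENSITIVE:                    # rows c, d, e
        return "High"
    if "name" in elems and elems & OTHER_IDENTIFIERS:  # row b
        return "Moderate"
    if elems == {"name"}:                    # row a; unique names need more thought
        return "Low"
    # e.g. a date of birth with no name: no row covers it, so hand it back to
    # the analyst instead of guessing a rating.
    raise ValueError("not covered by Appendix 9: %s" % sorted(elems))


def notification_requirements(risk):
    """Notes on the table: US-CERT always; individual notification is
    mandatory for High and a Component Head decision for Low/Moderate."""
    return {"us_cert": True,
            "individuals": "required" if risk == "High" else "component_head_decision"}


def add_working_days(start, days):
    """Advance by working days (assumed Mon-Fri, no holiday calendar)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def reporting_deadlines(discovered):
    """Appendix 1 checklist deadlines, clocked from discovery (assumes the
    affected identities are already known, so the 10-day clock starts too)."""
    return {"US-CERT": discovered + timedelta(hours=1),
            "Agency Privacy Officer": discovered + timedelta(hours=24),
            "Defense Privacy Office": discovered + timedelta(hours=48),
            "Affected individuals": add_working_days(discovered, 10)}


if __name__ == "__main__":
    # Constructed sample incident: a misplaced hard-copy roster found on a Friday.
    risk = risk_determination({"name", "ssn"})
    print(risk, notification_requirements(risk))
    for who, when in reporting_deadlines(datetime(2009, 3, 6, 9, 0)).items():
        print("%-24s %s" % (who, when.strftime("%a %Y-%m-%d %H:%M")))
```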
Slide 33: Breach Response - TMA Breach Statistics
Physical Loss/Theft:
- Loss/theft of a laptop, briefcase, thumb drive, DVD/CD, paper, or any media
Data in Transit:
- Misdirected/misplaced fax
- Accidental/intentional damage to physical package
- Unencrypted
- Misdirected/misplaced hard/soft copy document
System/Network Vulnerability:
- Servers/networks negatively impacted by malicious code or a virus
- Inadequate/outdated firewalls or security settings
- Incidents resulting from complications of system upgrades

Notes: In order to show what types of breaches are relevant, we grouped reported breaches into like categories.
Slide 35: Breach Response - Summary
You should now be able to:
- Describe the key components of breach reporting, notification, and mitigation
- Define your role in identifying and responding to breaches
- Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)
Slide 36: Breach Response - Resources
- DoD R, "DoD Health Information Privacy Regulation", January 2003
- DoD R, "Department of Defense Privacy Program", May 14, 2007
- DoD R, "DoD Health Information Security Regulation", July 12, 2007
- TMA Standard Operating Procedure for Breach Notification, October 12, 2007

Notes: Once approved, the Breach Administrative Instruction will be incorporated into this section.