2009 Data Protection Seminar

Presentation transcript:

1 2009 Data Protection Seminar
Breach Response
TMA Privacy Office, TRICARE Management Activity, Health Affairs

2 Breach Response
Even if you take all the necessary precautions, a breach (accident) could occur; however, a robust incident response and reporting program can help mitigate the breach.

3 Breach Response Purpose
The purpose of this presentation is to provide a thorough understanding of the requirements placed on TRICARE Management Activity (TMA) personnel when assessing and responding to a breach. Similar to relying on a trusted insurance policy to assist in the resolution of a car accident, familiarity with the TMA Breach Notification Administrative Instruction is instrumental in properly mitigating a breach.

4 Breach Response Objectives
Upon completion of this presentation, you should be able to:
- Describe the key components of breach reporting, notification, and mitigation
- Define your role in identifying and responding to breaches
- Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)

5 Background

6 Breach Response SOP vs Administrative Instruction
- The TMA Standard Operating Procedure (SOP) for Breach Response has been revised and re-formatted as an Administrative Instruction (AI)
- Much of the content from the SOP for Breach Response (approved on October 12, 2007) has remained intact; however, various changes have been implemented
Per OMB Memo M-07-16:
- In formulating a breach notification policy, agencies must review their existing requirements with respect to privacy and security
- The policy must include existing and new requirements for incident reporting and handling as well as external breach notification
- Finally, agencies must develop policies concerning the responsibilities of individuals authorized to access personally identifiable information

7 Breach Response TMA Breach Notification Administrative Instruction (AI)
Three main sections of the Breach Notification Administrative Instruction:
- Roles and Responsibilities: outlines the expectations of each program office in the process of handling an incident
- Procedures: details specific actions and a progression of events that occur after a breach has been identified
- Appendices: provides various resources for assessing, reporting, and mitigating a breach
Speaker notes: The three main sections of the document remain consistent with the Breach Notification SOP.

8 Breach Response Definitions
Personally Identifiable Information (PII): any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.
Speaker notes: This definition was introduced yesterday in the Privacy Impact Assessment (PIA) presentation delivered by Kenneth Cole; keep this overview brief.

9 Breach Response Definitions (continued)
Protected Health Information (PHI): individually identifiable information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to:
- The past, present, or future physical or mental health, or condition of an individual
- Provision of health care to an individual
- Payment for the provision of health care to an individual
If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered PHI.

10 Breach Response Definitions (continued)
Breach: actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information, where persons other than authorized users gain access or potential access to such information for other than authorized purposes, and where one or more individuals will be adversely affected.

11 Roles & Responsibilities

12 Breach Response Roles & Responsibilities
Incident Response Team (IRT) Chairman
- Serve as the central POC for the IRT
- Act as the conduit of information between the information/system owner and the IRT
- Delegate mitigation tasks to IRT members
- Determine the incident severity level based on IRT analysis and recommendations
- Update senior leadership as information becomes available
Speaker notes (notable roles & responsibilities): The IRT Chair will be designated by the Deputy Director, TMA. This role will be filled by either the Chief Information Officer or the Director, TMA Privacy Office, based on the nature of the breach. IRT Chair duties: pp. 4-5 of the AI.

13 Breach Response Roles & Responsibilities (continued)
IRT Chairman
- Coordinate with the TMA Deputy Director and Chief Financial Officer (CFO) in estimating costs of the breach
- Assign responsibilities for preparation of the after-action report
- Debrief senior leadership
Speaker notes: Bullet 1: costs include notification to affected individuals, one year of free credit monitoring and identity fraud expense coverage, establishment of a call center, etc. IRT Chair duties: pp. 4-5 of the AI.

14 Breach Response Roles & Responsibilities (continued)
Chief Information Officer (CIO) Representative
- Collaborate with the IRT Chairman throughout the breach process
- Secure/isolate the affected equipment from the network to prevent further malicious activity
- Collect information for possible forensic use, including logs, inventory of systems, and personal accounts
- Oversee mitigation of any suspected vulnerabilities in centrally managed systems
Speaker notes: The pertinent actions of the CIO listed on this slide will be taken when instructed by the Deputy Director, TMA. CIO duties: pp. 5-7 of the AI.

15 Breach Response Roles & Responsibilities (continued)
Director, TMA Privacy Office
- Ensure compliance with all privacy requirements, such as:
  - Incident reports
  - Updates to leadership
  - Other internal and external communications
- Ensure compliance with the internal incident response plan
- Conduct training for IRT representatives at least annually
Speaker notes: TMA PO duties: p. 7 of the AI.

16 Breach Response Roles & Responsibilities (continued)
Information/system owner
- Isolate the system from the rest of the network to preclude further malicious activity
- Identify compromised data, including the identification of specific fields (name, rank, address, phone number, etc.)
- Identify potentially affected individuals, and work through the IRT Chairman to contact the Defense Manpower Data Center (DMDC) for address information
- Ensure mitigation tasks are executed in accordance with IRT Chairman delegation
Speaker notes: Tying into the accident theme, the role played by the information/system owner is similar to that of the driver, and is pivotal in properly responding to a breach. For the purposes of the Administrative Instruction, the term “information” serves to include “data”. System Owner duties: pp of the AI.

17 Breach Response Roles & Responsibilities (continued)
Information/system owner
- Immediately notify leadership upon discovery and maintain a chronological log
- Analyze compromised assets and identify compromised data
- Routinely monitor the system for any further attempts at subversion
- Define notification requirements, as described in the AI
Speaker notes: The final bullet point will be discussed in further detail in the “Procedures” section, which outlines reporting requirements. System Owner duties: pp of the AI.

18 Procedures

19 Breach Response Procedures
The following steps provide for well-coordinated management and control of a breach:
1. Incident Identification
2. Incident Reporting
3. Containment
4. Mitigation of harmful effects
5. Eradication
6. Recovery
7. Follow-up

20 Breach Response Procedures (continued)
Step 1: Incident Identification
Involves the examination of all available information in order to determine if an event/incident has occurred.
Action steps:
- Analyze all available information
- Confirm and classify the severity of the incident
- Determine the appropriate plan of action
- Acknowledge legal issues addressed by the Office of General Counsel (OGC) representative
- Create an incident identification log
Speaker notes: Among other items, the following should be evaluated upon discovery of an incident:
- Is the incident suspected or confirmed?
- What is the evidence?
- Where did it happen?
- What is the extent of the incident (if determinable)?
- What other information do I need?

21 Breach Response Procedures (continued)
Step 2: Incident Reporting
- TMA workforce members must report a potential or confirmed breach
- TMA personnel must notify their TMA component director, who will alert the CIO and TMA Privacy Officer within one hour
- Incidents involving a malicious breach of PHI or PII must be reported to TMA Program Integrity
- The TMA Privacy Officer and/or the CIO will notify the Deputy Director, TMA and senior leadership
Speaker notes: It is critical to ensure all breaches are reported. Leadership is aware that breaches occur, and backlash does not occur when they’re reported. However, the issue is raised when breaches are not reported and leadership is made aware by external channels, such as the media, etc. Third bullet: notification to TMA Program Integrity for malicious breaches is a new revision to the SOP. TMA Program Integrity serves as the liaison with law enforcement for these incidents.

22 Breach Response Procedures (continued)
Step 2: Incident Reporting (timelines)
- TMA Components Leadership: immediately
- TMA Privacy Office: within 1 hour
- US-CERT: within 1 hour
- DoD Privacy Office: within 48 hours
Note: Notify issuing banks if government-issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of breach and identity discovery, if necessary.
Speaker notes: When a loss, theft, or compromise of information occurs, the breach shall be reported to the appropriate levels of leadership. Bullet 4: the form for reporting a breach can be found on the Privacy Office website. Upon TMA Component submission of this report to the TMA Privacy Office, the TMA Privacy Office will report the incident to the DPO.

23 Breach Response Procedures (continued)
Step 3: Containment
Involves short-term actions that are immediately implemented in order to limit the scope and magnitude of an incident.
Containment activities include, at a minimum, the following action steps:
- Determine a course of action concerning the operational status of the compromised system and identify critical information affected by the incident
- Follow existing local and higher-authority guidance regarding any additional incident containment requirements

24 Breach Response Procedures (continued)
Step 4: Mitigation of Harmful Effects
The information/system owner shall mitigate the harmful effects of all incidents by taking the following actions:
- Securing the information and taking the affected system off-line as soon as possible
- Applying appropriate administrative and physical safeguards, and blocking all exploited ports
- Notifying other information/system owners of the attempted breach
- Assessing the need for providing free credit monitoring and identity fraud expense coverage for affected individuals
Speaker notes: The information/system owner also must keep the TMA Privacy Office (and in turn, senior leadership) informed of relevant updates.

25 Breach Response Procedures (continued)
Step 5: Eradication
Entails removing the cause of an incident and mitigating vulnerabilities pertaining to the incident.
- All eradication activities are to be documented by the IRT and the information/system owner
- Specifically, document eradication activities in the incident identification log

26 Breach Response Procedures (continued)
Step 6: Recovery
Recovery is the restoration of business operations to the normal condition.
- Verify that restoration actions were successful and that the business operation has returned to its normal condition
- Execute the necessary changes to the system and document recovery actions in the incident identification log
- Notify users of system availability and of security upgrades that were implemented due to the incident

27 Breach Response Procedures (continued)
Step 7: Follow-up
Follow-up is a critical step in the incident response process and assists with the response to, and prevention of, future incidents.
- Develop a lessons-learned list, and share it with TMA personnel and with other DoD organizations as applicable
- Amend operating procedures and policies as appropriate
- Provide subsequent workforce training and awareness lessons as necessary
Speaker notes: Sub-bullet 3: HIPAA Refresher Training is a good example of training that can be implemented to ensure all personnel are acutely aware of their responsibilities as they pertain to information privacy and security.

28 Appendices

29 Breach Response Appendices
Appendix 1: Incident Response Checklist
Legend: (in-progress marker) denotes tasks in progress; (completed marker) denotes completed tasks
Date and Time of incident: _____________________
Location of incident: __________________________
Point of Contact: _____________________________
Date TMA was notified: ________________________
TMA informed by: ___________________________
Date TMA Privacy Officer/CIO was notified: ______________
Notified (DoD R, May 14, 2007):
____________ US-CERT (within one hour)
____________ Agency Privacy Officer/Senior Representative for the Service/Senior DoD component for Privacy (within 24 hours)
____________ Defense Privacy Office and component head (within 48 hours)
____________ All affected individuals within 10 working days of discovery of the loss, theft, or compromise of personal information, once the identities of the individuals have been ascertained
____________ Law enforcement authorities, if necessary
____________ Ensured incident is reported in accordance with appropriate reporting timelines
Speaker notes: This slide only contains the reporting requirements section of Appendix 1. The full Appendix also can be utilized as a guide for communicating and arranging meetings with applicable directorates, and carrying out mitigation activities.

30 Breach Response Appendices (continued)
Appendix 4: Guidelines for Breach Reporting
Reporting of Lost, Stolen, or Compromised Personally Identifiable and/or Protected Health Information
Today’s Date:
U.S. CERT #:
a. Component/Organization involved; Point of Contact / Telephone #:
b. Date of incident and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.:
c. Brief description of incident, to include facts and circumstances surrounding the loss, theft, or compromise:
d. Describe actions taken in response to the incident, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified, and if not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; what remedial actions have been, or will be, taken to prevent a similar incident in the future, e.g., additional training conducted, new or revised guidance issued, etc.; and any other pertinent information that you believe is relevant:
Please fill out and submit the Plan of Action and Milestone Template (For Official Use Only).
Speaker notes: This form can be found on the TMA Privacy Office website, and must be completed by the TMA directorate responsible for the incident and forwarded to the TMA Privacy Office. The document:
- certifies that the incident has been reported to US-CERT
- identifies the number of individuals impacted
- briefly describes the incident and the corresponding facts/circumstances surrounding the breach
- defines actions taken in response to the incident (including beneficiary notification, and remedial actions to include training)

31 Breach Response Appendices (continued)
Appendix 9: Risk Assessment Table
All breaches of PII, whether actual or suspected, require notification to US-CERT. Low and moderate risk/harm determinations, and the decision whether notification of individuals is made, rest with the Head of the DoD Component where the breach occurred. All determinations of high risk or harm require notifications.
No. / Factor / Risk Determination (Low, Moderate, High) / Comments
1. What is the nature of the data elements breached? What PII was involved?
  a. Name only: Low. Consideration needs to be given to unique names (those where one or only a few in the population may have them, or those that could readily identify an individual, i.e., a public figure).
  b. Name plus 1 or more personal identifiers (not SSN, medical, or financial): Moderate. Additional identifiers include date and place of birth, mother’s maiden name, biometric record, and any other information that can be linked or is linkable to an individual.
  c. SSN; d. Name plus SSN; e. Name plus medical or financial data: High.
2. Number of individuals affected: the number of individuals involved is a determining factor in how notifications are made, not whether they are made.
Speaker notes: When conducting a risk analysis, the following five factors should be used when assessing the likelihood of risk/harm:
- Nature of the data elements breached
- Number of individuals affected
- Likelihood the information is accessible and usable
- Likelihood the breach may lead to harm
- Ability of the agency to mitigate the risk of harm
This risk assessment model was provided in the 9/21/2007 OSD Memorandum for Safeguarding Against and Responding to the Breach of Personally Identifiable Information, and can serve as a valuable tool.

32 TMA Breach Statistics

33 Breach Response TMA Breach Statistics
Physical Loss/Theft
- Loss/theft of a laptop, briefcase, thumb drive, DVD/CD, paper, or any media
Data in Transit
- Misdirected/misplaced fax
- Accidental/intentional damage to physical package
- Unencrypted, misdirected, or misplaced hard/soft-copy document
System/Network Vulnerability
- Servers/networks negatively impacted by malicious code or a virus
- Inadequate/outdated firewalls or security settings
- Incidents resulting from complications of system upgrades
Speaker notes: In order to show what types of breaches are relevant, we grouped reported breaches into like categories.

34 Breach Response TMA Breach Statistics (continued)

35 Breach Response Summary
You should now be able to:
- Describe the key components of breach reporting, notification, and mitigation
- Define your role in identifying and responding to breaches
- Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)

36 Breach Response Resources
- DoD R, “DoD Health Information Privacy Regulation”, January 2003
- DoD R, “Department of Defense Privacy Program”, May 14, 2007
- DoD R, “DoD Health Information Security Regulation”, July 12, 2007
- TMA Standard Operating Procedure for Breach Notification, October 12, 2007
Speaker notes: Once approved, the Breach Administrative Instruction will be incorporated into this section.
