Upload
zain-brattle
View
221
Download
2
Tags:
Embed Size (px)
Citation preview
Breach Response
TRICARE Management ActivityHEALTH AFFAIRS
2009 Data Protection Seminar
TMA Privacy Office
Breach Response
TRICARE Management ActivityHEALTH AFFAIRS
TRICARE Management ActivityHEALTH AFFAIRS
3
Breach Response
Purpose
The purpose of this presentation is to provide a thorough understanding of the requirements of TRICARE Management Activity (TMA) personnel when assessing and responding to a breach
TRICARE Management ActivityHEALTH AFFAIRS
4
Breach Response
Objectives Upon completion of this presentation, you should be able to:
− Describe the key components of breach reporting, notification, and mitigation
− Define your role in identifying and responding to breaches
− Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)
TRICARE Management ActivityHEALTH AFFAIRS
5
Background
TRICARE Management ActivityHEALTH AFFAIRS
6
Breach Response
SOP vs Administrative Instruction
The TMA Standard Operating Procedure (SOP) for Breach Response has been revised and re-formatted as an Administrative Instruction (AI)
TRICARE Management ActivityHEALTH AFFAIRS
7
Breach Response TMA Breach Notification Administrative Instruction (AI)
Three main sections of the Breach Notification Administrative Instruction
− Roles and Responsibilities: Outlines the expectations of each program office in the process of handling an incident
− Procedures: Details specific actions and a progression of events that occur after a breach has been identified
− Appendices: Provides various resources for assessing, reporting, and mitigating a breach
TRICARE Management ActivityHEALTH AFFAIRS
8
Breach Response
Definitions
Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual
TRICARE Management ActivityHEALTH AFFAIRS
9
Breach Response
Definitions (continued)
Protected Health Information (PHI): Individually identifiable information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to:
− The past, present, or future physical or mental health, or condition of an individual
− Provision of health care to an individual
− Payment for the provision of health care to an individual.
If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered PHI
TRICARE Management ActivityHEALTH AFFAIRS
10
Breach Response
Definitions (continued)
Breach: Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for other than authorized purposes where one or more individuals will be adversely affected
TRICARE Management ActivityHEALTH AFFAIRS
11
Roles & Responsibilities
TRICARE Management ActivityHEALTH AFFAIRS IRT Chair duties - pp. 4-5 of AI
12
Breach Response
Roles & Responsibilities Incident Response Team (IRT) Chairman
− Serve as the central POC for the IRT
− Act as the conduit of information between the information/system owner and the IRT
− Delegate mitigation tasks to IRT members
− Determine the incident severity level based on IRT analysis and recommendations
− Update senior leadership as information becomes available
TRICARE Management ActivityHEALTH AFFAIRS IRT Chair duties - pp. 4-5 of AI
13
Breach Response
Roles & Responsibilities (continued)
IRT Chairman
− Coordinate with the TMA Deputy Director and Chief Financial Officer (CFO) in estimating costs of the breach
− Assign responsibilities for preparation of the after-action report
− Debrief senior leadership
TRICARE Management ActivityHEALTH AFFAIRS CIO duties - pp. 5-7 of the AI
14
Breach Response
Roles & Responsibilities (continued)
Chief Information Officer (CIO) Representative
− Collaborate with the IRT Chairman throughout the breach process
− Secure/isolate the affected equipment from the network to prevent further malicious activity
− Collect information for possible forensic use including logs, inventory of systems, and personal accounts
− Oversee mitigation of any suspected vulnerabilities in centrally managed systems
TRICARE Management ActivityHEALTH AFFAIRS TMA PO duties - p. 7 of AI
15
Breach Response
Roles & Responsibilities (continued)
Director, TMA Privacy Office
− Ensure compliance with all privacy requirements, such as: Incident reports
Updates to leadership
Other internal and external communications
− Ensure compliance with internal incident response plan
− Conduct training for IRT representatives at least annually
TRICARE Management ActivityHEALTH AFFAIRS System Owner duties - pp. 10-11 of A
I16
Breach Response
Roles & Responsibilities (continued)
Information/system owner
− Isolate the system from the rest of the network to preclude further malicious activity
− Identify compromised data including the identification of specific fields (name, rank, address, phone number, etc.)
− Identify potentially affected individuals, and work through the IRT Chairman to contact Defense Manpower Data Center (DMDC) for address information
− Ensure mitigation tasks are executed in accordance with IRT Chairman delegation
TRICARE Management ActivityHEALTH AFFAIRS System Owner duties - pp. 10-11 of A
I17
Breach Response
Roles & Responsibilities (continued)
Information/system owner
− Immediately notify leadership upon discovery and maintain a chronological log
− Analyze compromised assets and identify compromised data
− Routinely monitor the system for any further attempts of subversion
− Define notification requirements, as described in the AI
TRICARE Management ActivityHEALTH AFFAIRS
18
Procedures
TRICARE Management ActivityHEALTH AFFAIRS
19
Breach Response
Procedures The following steps provide for well coordinated management
and control of a breach:− Incident Identification
− Incident Reporting
− Containment
− Mitigation of harmful effects
− Eradication
− Recovery
− Follow-up
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
20
Breach Response
Procedures (continued)
Step 1: Incident Identification− Involves the examination of all available information in order to
determine if an event/incident has occurred
− Action steps Analyze all available information Confirm and classify the severity of the incident Determine the appropriate plan of action Acknowledge legal issues addressed by the Office of General
Counsel (OGC) representative Create an incident identification log
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
21
Breach Response
Procedures (continued)
Step 2: Incident Reporting− TMA workforce members must report a potential or confirmed
breach
− TMA personnel must notify their TMA component director, who will alert the CIO and TMA Privacy Officer within one hour
− Incidents involving a malicious breach of PHI or PII must be reported to TMA Program Integrity
− The TMA Privacy Officer and/or the CIO will notify the Deputy Director, TMA and senior leadership
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
22
Breach Response
Procedures (continued)
TMA Components
− Leadership – Immediately
− TMA Privacy Office – Within 1 Hour− US CERT – Within 1 Hour− DoD Privacy Office – Within 48 Hours
Note: Notify issuing banks if government issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of
breach and identity discovery, if necessary
Step 2: Incident Reporting
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
23
Breach Response
Procedures (continued)
Step 3: Containment− Involves short-term actions that are immediately implemented
in order to limit the scope and magnitude of an incident
− Containment activities include, at a minimum, the following action steps
Determine a course of action concerning the operational status of the compromised system and identify critical information affected by the incident
Follow existing local and higher authority guidance regarding any additional incident containment requirements
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
24
Breach Response
Procedures (continued)
Step 4: Mitigation of Harmful Effects− The information/system owner shall mitigate the harmful effects
of all incidents by taking the following action Securing the information and taking the affected system off-line
as soon as possible Applying appropriate administrative and physical
safeguards/blocking all exploited ports Notifying other information/system owners of the attempted
breach Assessing the need for providing free credit monitoring and
identity fraud expense coverage for affected individuals
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
25
Breach Response
Procedures (continued)
Step 5: Eradication
− Entails removing the cause of an incident and mitigating vulnerabilities pertaining to the incident. All eradication activities are to be documented by the IRT and the information/system owner
Specifically, document eradication activities in the incident identification log
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
26
Breach Response
Procedures (continued)
Step 6: Recovery
− Recovery is the restoration of business operations to the normal condition
Verify that restoration actions were successful and that the business operation has returned to its normal condition
Execute the necessary changes to the system and document recovery actions in the incident identification log
Notify users of system availability and security upgrades that were implemented due to the incident
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
27
Breach Response
Procedures (continued)
Step 7: Follow-up
− Follow-up is a critical step in the incident response process and assists with the response to, and prevention of, future incidents
Develop a lessons learned list, and share with TMA personnel and with other DoD organizations as applicable
Amend operating procedures and policies as appropriate
Provide subsequent workforce training and awareness lessons as necessary
Incident Identification
IncidentReporting
Containment Mitigation Eradication Recovery Follow-up
TRICARE Management ActivityHEALTH AFFAIRS
28
Appendices
TRICARE Management ActivityHEALTH AFFAIRS
29
Breach Response
Appendices
Appendix 1: Incident Response ChecklistLegend: Denotes tasks in progress Denotes completed tasks
Date and Time of incident: _____________________Location of incident: __________________________Point of Contact: _____________________________Date TMA was notified: ________________________TMA informed by: ___________________________Date TMA Privacy Officer/CIO was notified: ______________Notified (DoD 5400.11-R May 14, 2007): ____________ US CERT (within one hour) ____________ Agency Privacy Officer/Senior Representative for the Service/Senior DoD component for Privacy (within 24 hours)____________ Defense Privacy Office and component head (within 48 hours) ____________ All affected individuals within 10 working days of discovery of the loss, theft or compromise of personal information, and the identities of the individuals have been ascertained. ____________ Law enforcement authorities, if necessary ____________ Ensured incident is reported in accordance with appropriate reporting timelines
TRICARE Management ActivityHEALTH AFFAIRS
30
Breach Response
Appendices (continued)
Appendix 4: Guidelines for Breach ReportingReporting of Lost, Stolen, or Compromised
Personally Identifiable and/or Protected Health Information
Today’s Date: U.S. Cert #:
a. Component/Organization involved; Point of Contact/E-mail/Telephone #:
b. Date of incident and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.:
c. Brief description of incident, to include facts and circumstances surrounding the loss, theft, or compromise:
d. Describe actions taken in response to the incident, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified, and if not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; **what remedial actions have been, or will be, taken to prevent a similar such incident in the future, e.g., additional training conducted, new or revised guidance issued, etc.; and any other pertinent information that you believe is relevant and pertinent:
**Please fill out and submit the Plan of Action and Milestone Template http://www.tricare.mil/tmaprivacy/downloads/POAandMilestones.doc
(For Official Use Only)
TRICARE Management ActivityHEALTH AFFAIRS
31
Breach Response
Appendices (continued)
Appendix 9: Risk Assessment TableNo. Factor Risk Determination Low:
Moderate:High:
Comments:All breaches of PII, whether actual or suspected, require notification to US-CERTLow and moderate risk/harm determinations and the decision whether notification of individuals is made, rest with the Head of the DoD Component where the breach occurred.All determinations of high risk or harm require notifications
1. What is the nature of the data elements breached? What PII was involved?
a. Name only Low Consideration needs to be given to unique names; those where one or only a few in the population may have or those that could readily identify an individual, i.e., public figure
b. Name plus 1 or more personal identifier (not SSN, Medical or Financial)
Moderate Additional identifiers include date and place of birth, mother’s maiden name, biometric record and any other information that can be linked or is linkable to an individual
c. SSN High
d. Name plus SSN High
e. Name plus Medical or Financial data
High
2. Number of Individuals Affected
The number of individuals involved is a determining factor in how notifications are made, not whether they are made
TRICARE Management ActivityHEALTH AFFAIRS
32
TMA Breach Statistics
TRICARE Management ActivityHEALTH AFFAIRS
33
Breach Response
TMA Breach Statistics Physical Loss/Theft
− Loss/theft of a laptop, briefcase, thumb drive, DVD/CD, paper, or any media
Data in Transit− Misdirected/misplaced fax− Accidental/intentional damage to physical package− Unencrypted email− Misdirected/misplaced hard/soft/copy document
System/Network Vulnerability− Servers/networks negatively impacted by malicious code or a virus− Inadequate/outdated firewalls or security settings− Incidents resulting from complications of system upgrades
TRICARE Management ActivityHEALTH AFFAIRS
34
Breach Response
TMA Breach Statistics (continued)
TMA Data Breaches
02468
10121416
Physical Loss/Theft Data in Transit System/NetworkVulnerability
Category
Nu
mb
er
of
Bre
ac
he
s
2007
2008
2009
TRICARE Management ActivityHEALTH AFFAIRS
35
Breach Response
Summary You should now be able to:
− Describe the key components of breach reporting, notification, and mitigation
− Define your role in identifying and responding to breaches
− Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)
TRICARE Management ActivityHEALTH AFFAIRS
36
Breach Response
Resources DoD 6025.18-R, “DoD Health Information Privacy Regulation”,
January 2003 DoD 5400.11-R “Department of Defense Privacy Program”,
May 14, 2007 DoD 8580.02-R “DoD Health Information Security Regulation”,
July 12, 2007 TMA Standard Operating Procedure for Breach Notification,
October 12, 2007