2/16/2015
1
Privacy Incident Response &Reporting: Pre and Post HITECH
Erika Riethmiller-Bol, Director, Corporate Privacy-Incident Program, Anthem, Inc.
HCCA Managed Care Compliance Conference
February 16, 2015
Objectives
Historical look at incident management in healthcare
Organizing your program for success
Why it is critical that you get it right
Questions:
What is Incident Response?
How do you report an incident at your organization?
Can you name one member on your privacy IRT (incident response team) besides the privacy officer?
Think of the most effective training you’ve ever given or been to. Why was it effective?
Who is your/your privacy officer’s most critical contact in your organization when something goes wrong?
COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY 3
Questions, cont.
If your CEO/Board asked for 1 key metric to prove your value in 2014, what would you provide him/her?
Have you ever heard of someone getting sanctioned for a privacy event?
Is quality improvement embedded into the culture of your organization or an afterthought?
Purpose of Incident Management
Identify and respond to unexpected events
Minimize occurrence of incidents and lessen severity
Mitigate impact (on organization and impacted individuals)
Incident Management - Stages
Preparation
Detection
Classification/Triage
Investigation
Response (Stop Bleed)
Report
Wrap-up/Lessons Learned
Types of Incidents
Technical Failures of systems, people, processes, etc.
Incident Response – Pre HITECH
Totally a Security “thing”
Birth of security organizations and standards began in the early 2000s
• HITRUST (2008)
• MS-ISAC (2003)
• ISO 20000 (2005)
Privacy was busy dealing with Notice of Privacy Practices, Patients’/ Members’ Rights, Privacy Complaints, etc.
And documenting it via Policies and Procedures, etc.
Task driven approach
Regulatory focus
And then….
HITECH Act of 2009 Sec. 13402 - Notification In The Case Of Breach
A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.
Standards:
Notification of Covered Entity by Business Associate
Breaches Treated as Discovered
Timeliness of Notification
Methods of Notice
• (1) Individual Notice
• (2) Media Notice
• (3) Notice to Secretary
• (4) Posting on HHS Public Website
Content of Notification
Delay of Notification Authorized for Law Enforcement Purposes
Unsecured Protected Health Information Defined
… and our world as Privacy Officers/Compliance Officers became more complicated
Table 3-5. Incident Handling Checklist (NIST SP 800-61 Rev. 2; columns: Action, Completed)
Detection and Analysis
1. Determine whether an incident has occurred
1.1 Analyze the precursors and indicators
1.2 Look for correlating information
1.3 Perform research (e.g., search engines, knowledge base)
1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations
Containment, Eradication, and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
6.1 Identify and mitigate all vulnerabilities that were exploited
6.2 Remove malware, inappropriate materials, and other components
6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
7.1 Return affected systems to an operationally ready state
7.2 Confirm that the affected systems are functioning normally
7.3 If necessary, implement additional monitoring to look for future related activity
Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
| Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Date | Type of Breach | Location of Breached Information | Business Associate Present | Web Description |
|---|---|---|---|---|---|---|---|---|
| Dermatology Associates of Tallahassee | FL | Healthcare Provider | 915 | 11/30/0002 | Unknown | Other | No | \N |
| UNCG Speech and Hearing Center | NC | Healthcare Provider | 2300 | 01/01/1997 | Hacking/IT Incident | Desktop Computer | No | \N |
| UMass Memorial Medical Center | MA | Healthcare Provider | 2387 | 05/06/2002 - 03/04/2014 | Unauthorized Access/Disclosure | Electronic Medical Record, Paper/Films | No | \N |
| Riverside Mercy Hospital and Ohio/Mercy Diagnostics | OH | Healthcare Provider | 1000 | 03/29/2003 | Improper Disposal | Paper/Films | No | |
Breaches Affecting 500 or More Individuals: as of 2/5/15, 1131 breaches affecting >500 individuals reported since 9/2009.
Privacy Needed to Get Organized
• Needed its own Incident Response and Reporting Process
• Needed to coordinate with Information Technology/Security when IT issues affected PHI/PII
• Needed to account for issues going on with Legal, Human Resources, IT, etc., etc.
• Privacy Officer forced to become “jack of all trades” and promoter of communication
Response & Reporting
Reporting easy for Privacy Officers
• Used to documentation
• Used to regulatory obligations
• Comfortable in Legal space
Incident Response a little trickier
• Requires coordination
• Requires rapid-fire intervention
• Lots of players involved
• Mitigation key
• Planned and organized response CRUCIAL
Privacy Officers needed to Morph
Key IT Security Personality traits*
• Attention to detail
• Dependability
• Initiative
• Achievement
• Flexibility
• Independence
• Integrity
• Persistence
• Cooperation
And – needed to be/become flexible and comfortable in risk space
Risk tolerance spectrum (slide graphic): from No Risk Acceptable to Total Risk Taker
Post HITECH – 7 Elements Modified for Incident Response
• Implementing written policies, procedures and incident response plans
• Designating a privacy and security officer and incident response team/s
• Conducting effective training and education
• Developing effective lines of communication with all stakeholders
• Conducting internal monitoring and auditing to ensure data is valid and processes are effective
• Enforcing standards through well-publicized disciplinary guidelines (sanctions)
• Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents
Post HITECH Privacy Incident Management – 7 Elements
Implementing written policies, procedures and incident response plans
• YOU MUST HAVE A PLAN IN PLACE
• ANSWER HOW, WHAT, WHO, WHERE & WHEN (ALTHOUGH WHEN IS ALMOST ALWAYS IMMEDIATELY)
• DEFINE YOUR INCIDENT RESPONSE TEAM – ROLES AND MEMBERS
• DOCUMENT IT SO EVERYONE KNOWS WHAT TO DO WHEN CRISIS OCCURS
• UPDATE IT PERIODICALLY OR WHEN ANYTHING CHANGES
• TEMPLATES ABOUND ON THE INTERNET
Incident Reporting
How?
• Web-based?
• Paper based?
• Email?
Make sure people understand HOW to get you the information you need
How Quickly?
• Immediately
• Within 24 hours
• Within 72 hours
• As soon as possible
RE-fine Your Scope
What about Ethics Issues?
Be Clear about what you want coming to you – if not, you may get it all!
What Do You Need to Know?
What Information do you want and need?
• date and time of incident discovery,
• general description of the incident,
• systems, populations and/or data at possible risk,
• actions they have taken since incident discovery,
• contact information,
• any additional information reporter feels is important and relevant
Incident Triage – What is a “Significant Event” to Your Organization?
Subjective assessment, BUT if you keep in mind your culture and goals this process should be fairly straightforward
Examples:
• Incidents involving “VIPs” or key accounts
• Incidents for which a press release may or will be issued, or media coverage is anticipated
• Incidents involving 50 or more affected individuals
• Incidents likely to result in litigation or regulatory investigation
• Incidents involving criminal activity
• Any other incident that is likely to involve reputational, regulatory, or financial risk to organization
What About Lower-Risk Events?
Still Important
Consider sub-teams that can handle these “lesser” incidents
Collect data from these as well
Post HITECH Privacy Incident Management – 7 Elements
Designating a privacy and security officer and incident response team/s
• SEEMINGLY SIMPLE?
• NEED THE RIGHT MIX OF LEGAL/REGULATORY FOCUS AND ABILITY TO RESPOND UNDER PRESSURE AND IN LINE WITH ORGANIZATIONAL GOALS
• ABILITY TO HANDLE STRESS WELL; WHAT WE DO IS STRESSFUL
• PRIVACY AND SECURITY MUST WORK TOGETHER FOR THE GOOD OF ALL
Privacy Incident Response Team Members
Incident Responder
Investigator
IT security specialist
Business manager
Legal
Human resources
Public Relations
Facilities’ Management
Risk Management
Etc. Etc. Etc. – customize to your organization & how it does business
Post HITECH Privacy Incident Management – 7 Elements
Conducting effective training and education
• YOUR EMPLOYEES NEED TO KNOW HOW TO RESPOND WHEN AN INCIDENT OCCURS
• REQUIRED RESPONSE TIMEFRAME IS CRITICAL – SUPPORTED BY MANAGEMENT/EXECUTIVE LEADERSHIP AND DOCUMENTED IN POLICY
• NEW HIRE TRAINING/REFRESHER TRAINING – DO ANYTHING TO GET IT TOP OF MIND FOR YOUR EMPLOYEES
• TARGETED TRAINING TO SPECIFIC AREAS IN NEED OF IT AND/OR IN RESPONSE TO AN INCIDENT
• EMPLOYEES NEED TO KNOW WHO PRIVACY OFFICER IS/OUTREACH IN PERSON AS MUCH AS POSSIBLE
Post HITECH – 7 Elements Modified for Incident Response
Developing effective lines of communication with all stakeholders
• RELATIONSHIP BUILDING IS THE MOST IMPORTANT PART OF AN INCIDENT MANAGEMENT PROGRAM
• IF PEOPLE DON’T TRUST YOU, THEY WON’T TELL YOU WHAT YOU NEED TO KNOW
• NEED TO RECOGNIZE TOTAL CUSTOMER BASE: INTERNAL, EXTERNAL, REGULATORS, ETC.
Post HITECH – 7 Elements Modified for Incident Response
Conducting internal monitoring and auditing to ensure data is valid and processes are effective
• CRUCIAL TO EFFECTIVE MITIGATION AND MINIMIZATION OF INCIDENTS
• YOU CAN’T MANAGE WHAT YOU DON’T KNOW
• DATA, DATA, DATA – IT’S THERE; FIGURE OUT A WAY TO CAPTURE IT
– key performance indicators: employee training statistics/response times/slice & dice of incidents by service line, employee/compare with peers…
• IF YOUR DATA IS BAD, SO ARE ANY CONCLUSIONS YOU DRAW FROM IT
• SO…AUDIT, MONITOR, CRUNCH, REPORT VISUALLY IN DASHBOARDS, PRESENT TO SENIOR MANAGEMENT
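As an added illustration (not code from the deck or from Anthem), the following Python ties together the intake fields from "What Do You Need to Know?", the "significant event" triage criteria, the sub-team routing for lower-risk events, and the monitoring KPIs above. The field and function names are assumptions, and the 24-hour reporting window is one of the options the deck lists, assumed here as the organization's chosen deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Thresholds from the slides: 50+ individuals = "significant event"; the 24-hour
# reporting window is one option the deck lists and is assumed as the SLA here.
SIGNIFICANT_INDIVIDUALS = 50
REPORTING_WINDOW = timedelta(hours=24)

@dataclass
class IncidentReport:             # intake fields from "What Do You Need to Know?"
    discovered_at: datetime       # date and time of incident discovery
    reported_at: datetime         # when the report reached the privacy officer
    description: str              # general description of the incident
    individuals_affected: int     # populations/data at possible risk
    vip_involved: bool = False
    media_coverage_expected: bool = False
    litigation_or_regulatory_likely: bool = False
    criminal_activity: bool = False
    other_material_risk: bool = False

def significance_reasons(r: IncidentReport) -> list:
    """Return the deck's 'significant event' criteria that this incident meets."""
    checks = [
        (r.vip_involved, "VIP or key account"),
        (r.media_coverage_expected, "press release or media coverage"),
        (r.individuals_affected >= SIGNIFICANT_INDIVIDUALS, "50+ individuals"),
        (r.litigation_or_regulatory_likely, "litigation or regulatory investigation"),
        (r.criminal_activity, "criminal activity"),
        (r.other_material_risk, "reputational, regulatory or financial risk"),
    ]
    return [label for hit, label in checks if hit]
def route(r: IncidentReport) -> str:  # significant events -> full IRT, else a sub-team
    return "IRT" if significance_reasons(r) else "sub-team"
def kpis(reports: list) -> dict:  # dashboard figures for the monitoring slide
    delays = [r.reported_at - r.discovered_at for r in reports]
    return {
        "incidents": len(reports),
        "irt_escalations": sum(route(r) == "IRT" for r in reports),
        "late_reports": sum(d > REPORTING_WINDOW for d in delays),
        "mean_report_delay_hours": round(mean(d.total_seconds() for d in delays) / 3600, 1),
    }

SAMPLE = [  # constructed sample intake records, not real incidents
    IncidentReport(datetime(2015, 2, 2, 9), datetime(2015, 2, 2, 11, 30), "misdirected fax", 1),
    IncidentReport(datetime(2015, 2, 3, 14), datetime(2015, 2, 5, 8), "lost laptop", 2300,
                   litigation_or_regulatory_likely=True),
    IncidentReport(datetime(2015, 2, 4, 10), datetime(2015, 2, 4, 12), "VIP record snooping", 1,
                   vip_involved=True),
]
```

Running `kpis(SAMPLE)` gives the per-period figures a dashboard would show: three incidents, two IRT escalations, one report past the 24-hour window, and a mean discovery-to-report delay of 15.5 hours.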
Post HITECH – 7 Elements Modified for Incident Response
Enforcing standards through well-publicized disciplinary guidelines (sanctions)
• NOT ONLY VERY HELPFUL TO DETERRING/PREVENTING FUTURE INCIDENTS – BUT REQUIRED BY LAW
• EMPLOYEES TALK; USE THAT TO YOUR ADVANTAGE
• REMEMBER CARROT AND STICK. SOME OF YOUR BEST MESSAGES WILL COME FROM THOSE WHO HAVE BEEN INVOLVED IN AN INCIDENT AND WATCHED THE TEAM WORK
Post HITECH – 7 Elements Modified for Incident Response
Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents
• MITIGATION IS KEY; THE QUICKER YOU CAN STOP THE BLEED, THE LESS THE PAIN
• WE HAVE TO GET FIXED WHAT WE CAN SO WE CAN BE READY FOR WHAT WE CANNOT PREVENT OR ANTICIPATE
8th Element
Relax/Have Fun/Reward your staff and yourself
• MOST INDIVIDUALS WHO CHOOSE A CAREER IN COMPLIANCE HAVE LARGE DOSES OF INTEGRITY, CARE DEEPLY ABOUT THEIR ORGANIZATIONS, AND ENJOY A LITTLE CRAZINESS
• WHILE TYPICALLY DRIVEN INTERNALLY, WE TEND TO CRASH HARDER WHEN WE FINALLY DO
• RECOGNIZE THIS AND GO ON VACATION, GARDEN FOR AN ENTIRE WEEKEND, ETC. - BEFORE THIS OCCURS!
Resources
President’s Data Breach Proposal
• http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification.pdf
NIST Special Publication 800-61 Revision 2
OIG’s 7 Elements Trainings
• https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf
Office of National Coordinator for Health IT (created by HITECH)
• http://www.healthit.gov/
Erika Riethmiller-Bol, Director, Corporate Privacy-Incident Program, [email protected]