
2/16/2015

1

Privacy Incident Response &Reporting: Pre and Post HITECH

Erika Riethmiller-Bol, Director, Corporate Privacy-Incident

Program, Anthem, Inc.

HCCA Managed Care Compliance Conference

February 16, 2015

Objectives

Historical look at incident management in healthcare

Organizing your program for success

Why it is critical that you get it right


Questions:

What is Incident Response?

How do you report an incident at your organization?

Can you name one member on your privacy IRT (incident response team) besides the privacy officer?

Think of the most effective training you’ve ever given or been to. Why was it effective?

Who is your/your privacy officer’s most critical contact in your organization when something goes wrong?

COMPANY CONFIDENTIAL | FOR INTERNAL USE ONLY | DO NOT COPY 3

Questions, cont.

If your CEO/Board asked for 1 key metric to prove your value in 2014, what would you provide him/her?

Have you ever heard of someone getting sanctioned for a privacy event?

Is quality improvement embedded into the culture of your organization or an afterthought?


Purpose of Incident Management

Identify and respond to unexpected events

Minimize occurrence of incidents and lessen severity

Mitigate impact (on organization and impacted individuals)

Incident Management - Stages

Preparation

Detection

Classification/Triage

Investigation

Response (Stop Bleed)

Report

Wrap-up/Lessons Learned


Types of Incidents

Technical Failures of systems, people, processes, etc.

Incident Response – Pre HITECH

Totally a Security “thing”

Birth of security organizations and standards began in the early 2000s

• HITRUST (2008)

• MS-ISAC (2003)

• ISO 20000 (2005)

Privacy was busy dealing with Notice of Privacy Practices, Patients’/ Members’ Rights, Privacy Complaints, etc.

And documenting it via Policies and Procedures, etc.

Task driven approach

Regulatory focus


And then….

HITECH Act of 2009 Sec. 13402 - Notification In The Case Of Breach

A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach.

Standards:

• Notification of Covered Entity by Business Associate

• Breaches Treated as Discovered

• Timeliness of Notification

• Methods of Notice

  (1) Individual Notice

  (2) Media Notice

  (3) Notice to Secretary

  (4) Posting on HHS Public Website

• Content of Notification

• Delay of Notification Authorized for Law Enforcement Purposes

• Unsecured Protected Health Information Defined

… and our world as Privacy Officers/Compliance Officers became more complicated

Table 3-5. Incident Handling Checklist (NIST Special Publication 800-61 Revision 2; columns: Action / Completed)

Detection and Analysis

1. Determine whether an incident has occurred

1.1 Analyze the precursors and indicators

1.2 Look for correlating information

1.3 Perform research (e.g., search engines, knowledge base)

1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence

2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)

3. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery

4. Acquire, preserve, secure, and document evidence

5. Contain the incident

6. Eradicate the incident

6.1 Identify and mitigate all vulnerabilities that were exploited

6.2 Remove malware, inappropriate materials, and other components

6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them

7. Recover from the incident

7.1 Return affected systems to an operationally ready state

7.2 Confirm that the affected systems are functioning normally

7.3 If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity

8. Create a follow-up report

9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Breaches Affecting 500 or More Individuals (sample rows from the HHS portal)

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Date | Type of Breach | Location of Breached Information | Business Associate Present | Web Description

Dermatology Associates of Tallahassee | FL | Healthcare Provider | 915 | 11/30/0002 | Unknown | Other | No | \N

UNCG Speech and Hearing Center | NC | Healthcare Provider | 2300 | 01/01/1997 | Hacking/IT Incident | Desktop Computer | No | \N

UMass Memorial Medical Center | MA | Healthcare Provider | 2387 | 05/06/2002 - 03/04/2014 | Unauthorized Access/Disclosure | Electronic Medical Record, Paper/Films | No | \N

Riverside Mercy Hospital and Ohio/Mercy Diagnostics | OH | Healthcare Provider | 1000 | 03/29/2003 | Improper Disposal | Paper/Films | No |

As of 2/5/15: 1131 breaches affecting >500 individuals reported since 9/2009.

Privacy Needed to Get Organized

• Needed its own Incident Response and Reporting Process

• Needed to coordinate with Information Technology/Security when IT issues affected PHI/PII

• Needed to account for issues going on with Legal, Human Resources, IT, etc., etc.

• Privacy Officer forced to become “jack of all trades” and promoter of communication

Response & Reporting

Reporting easy for Privacy Officers

• Used to documentation

• Used to regulatory obligations

• Comfortable in Legal space

Incident Response a little trickier

• Requires coordination

• Requires rapid-fire intervention

• Lots of players involved

• Mitigation key

• Planned and organized response CRUCIAL

Privacy Officers needed to Morph

Key IT Security Personality traits*

• Attention to detail

• Dependability

• Initiative

• Achievement

• Flexibility

• Independence

• Integrity

• Persistence

• Cooperation

And – needed to be/become flexible and comfortable in risk space

[Risk-tolerance scale shown on the slide: “No Risk Acceptable” at one end, “Total Risk Taker” at the other]

Post HITECH – 7 Elements Modified for Incident Response

• Implementing written policies, procedures and incident response plans

• Designating a privacy and security officer and incident response team/s

• Conducting effective training and education

• Developing effective lines of communication with all stakeholders

• Conducting internal monitoring and auditing to ensure data is valid and processes are effective

• Enforcing standards through well-publicized disciplinary guidelines (sanctions)

• Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents

Post HITECH Privacy Incident Management – 7 Elements

Implementing written policies, procedures and incident response plans

• YOU MUST HAVE A PLAN IN PLACE

• ANSWER HOW, WHAT, WHO, WHERE & WHEN (ALTHOUGH WHEN IS ALMOST ALWAYS IMMEDIATELY)

• DEFINE YOUR INCIDENT RESPONSE TEAM – ROLES AND MEMBERS

• DOCUMENT IT SO EVERYONE KNOWS WHAT TO DO WHEN CRISIS OCCURS

• UPDATE IT PERIODICALLY OR WHEN ANYTHING CHANGES

• TEMPLATES ABOUND ON THE INTERNET

Incident Reporting

How?

• Web-based?

• Paper based?

• Email?

Make sure people understand HOW to get you the information you need

How Quickly?

• Immediately

• Within 24 hours

• Within 72 hours

• As soon as possible


RE-fine Your Scope

What about Ethics Issues?

Be Clear about what you want coming to you – if not, you may get it all!

What Do You Need to Know?

What Information do you want and need?

• date and time of incident discovery,

• general description of the incident,

• systems, populations and/or data at possible risk,

• actions they have taken since incident discovery,

• contact information,

• any additional information reporter feels is important and relevant


Incident Triage – What is a “Significant Event” to Your Organization?

Subjective assessment BUT if you keep in mind your culture and goals – this process should be fairly straightforward

Examples:

• Incidents involving “VIPs” or key accounts

• Incidents for which a press release may or will be issued, or media coverage is anticipated

• Incidents involving 50 or more affected individuals

• Incidents likely to result in litigation or regulatory investigation

• Incidents involving criminal activity

• Any other incident that is likely to involve reputational, regulatory, or financial risk to organization

What About Lower-Risk Events?

Still Important

Consider sub-teams that can handle these “lesser” incidents

Collect data from these as well
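The intake fields from the “What Do You Need to Know?” slide and the “significant event” criteria above can be turned into a small triage routine that records which criterion fired and routes the event to the full privacy IRT or to a sub-team, while logging both. The code below is an added example, not the presenter’s or Anthem’s tooling; the field names, the sample incident, the routing labels and the 24-hour check are assumptions for this illustration, and only the 50-individual threshold and the criteria themselves come from the slides.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Intake fields from the "What Information do you want and need?" slide.
# The field names themselves are assumptions for this example.
REQUIRED_FIELDS = ("discovered_at", "description", "at_risk", "actions_taken", "contact")

# Triage threshold quoted on the slide: incidents involving 50 or more individuals.
SIGNIFICANT_INDIVIDUALS = 50


@dataclass
class IncidentReport:
    discovered_at: datetime            # date and time of incident discovery
    description: str                   # general description of the incident
    at_risk: str                       # systems, populations and/or data at possible risk
    actions_taken: str                 # actions taken since incident discovery
    contact: str                       # reporter contact information
    additional_info: str = ""          # anything else the reporter feels is relevant
    affected_count: int = 0
    involves_vip: bool = False
    media_expected: bool = False
    litigation_or_regulatory_likely: bool = False
    criminal_activity: bool = False
    other_material_risk: bool = False  # other reputational, regulatory or financial risk


def missing_fields(raw: dict) -> list:
    """Return the required intake fields the reporter left empty (empty list = complete)."""
    return [f for f in REQUIRED_FIELDS if not raw.get(f)]


def triage(r: IncidentReport):
    """Classify as 'significant' or 'lower-risk' using the slide's example criteria.

    Every criterion that fires is returned with the verdict so the decision is
    documented rather than merely asserted.
    """
    reasons = []
    if r.involves_vip:
        reasons.append("VIP or key account involved")
    if r.media_expected:
        reasons.append("press release or media coverage anticipated")
    if r.affected_count >= SIGNIFICANT_INDIVIDUALS:
        reasons.append("%d affected individuals (>= %d)" % (r.affected_count, SIGNIFICANT_INDIVIDUALS))
    if r.litigation_or_regulatory_likely:
        reasons.append("litigation or regulatory investigation likely")
    if r.criminal_activity:
        reasons.append("criminal activity involved")
    if r.other_material_risk:
        reasons.append("other reputational, regulatory or financial risk")
    return ("significant" if reasons else "lower-risk"), reasons


def route(verdict: str) -> str:
    """Significant events go to the full privacy IRT, lesser ones to a sub-team.

    Both paths are still logged: the slides stress collecting data from the
    lesser incidents as well.
    """
    return "privacy-IRT" if verdict == "significant" else "privacy-sub-team"


def reported_in_time(discovered_at: datetime, reported_at: datetime, hours: int) -> bool:
    """True if the report reached the privacy office within the policy timeframe."""
    return reported_at - discovered_at <= timedelta(hours=hours)


# Constructed sample reports (not real incidents).
SAMPLE = IncidentReport(
    discovered_at=datetime(2015, 2, 10, 9, 30),
    description="Member statements mailed to wrong addresses",
    at_risk="Member names, addresses, claim numbers",
    actions_taken="Mail run halted; returned mail being collected",
    contact="ops-manager@example.org",
    affected_count=64,
)
SAMPLE_LOW = IncidentReport(
    discovered_at=datetime(2015, 2, 12, 15, 0),
    description="Fax with one member's EOB sent to wrong provider office",
    at_risk="One member's claim details",
    actions_taken="Receiving office confirmed the fax was shredded",
    contact="claims-lead@example.org",
    affected_count=1,
)
REPORTED_ON_TIME = datetime(2015, 2, 11, 8, 0)   # 22.5 h after SAMPLE discovery
REPORTED_LATE = datetime(2015, 2, 13, 8, 0)      # 70.5 h after SAMPLE discovery

if __name__ == "__main__":
    for rpt in (SAMPLE, SAMPLE_LOW):
        verdict, why = triage(rpt)
        print(verdict, "->", route(verdict), why)
    print("reported within 24h:", reported_in_time(SAMPLE.discovered_at, REPORTED_ON_TIME, 24))
```

The reasons list is what goes into the incident record: when the lessons-learned meeting or an auditor asks why an event was escalated (or not), the answer is already written down.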


Post HITECH Privacy Incident Management – 7 Elements

Designating a privacy and security officer and incident response team/s

• SEEMINGLY SIMPLE?

• NEED THE RIGHT MIX OF LEGAL/REGULATORY FOCUS AND ABILITY TO RESPOND UNDER PRESSURE AND IN LINE WITH ORGANIZATIONAL GOALS

• ABILITY TO HANDLE STRESS WELL; WHAT WE DO IS STRESSFUL

• PRIVACY AND SECURITY MUST WORK TOGETHER FOR THE GOOD OF ALL

Privacy Incident Response Team Members

Incident Responder

Investigator

IT security specialist

Business manager

Legal

Human resources

Public Relations

Facilities’ Management

Risk Management

Etc. Etc. Etc. – customize to your organization & how it does business


Post HITECH Privacy Incident Management – 7 Elements

Conducting effective training and education

• YOUR EMPLOYEES NEED TO KNOW HOW TO RESPOND WHEN AN INCIDENT OCCURS

• REQUIRED RESPONSE TIMEFRAME IS CRITICAL – SUPPORTED BY MANAGEMENT/EXECUTIVE LEADERSHIP AND DOCUMENTED IN POLICY

• NEW HIRE TRAINING/REFRESHER TRAINING – DO ANYTHING TO GET IT TOP OF MIND FOR YOUR EMPLOYEES

• TARGETED TRAINING TO SPECIFIC AREAS IN NEED OF IT AND/OR IN RESPONSE TO AN INCIDENT

• EMPLOYEES NEED TO KNOW WHO PRIVACY OFFICER IS/OUTREACH IN PERSON AS MUCH AS POSSIBLE

Post HITECH – 7 Elements Modified for Incident Response

Developing effective lines of communication with all stakeholders

• RELATIONSHIP BUILDING IS THE MOST IMPORTANT PART OF AN INCIDENT MANAGEMENT PROGRAM

• IF PEOPLE DON’T TRUST YOU, THEY WON’T TELL YOU WHAT YOU NEED TO KNOW

• NEED TO RECOGNIZE TOTAL CUSTOMER BASE: INTERNAL, EXTERNAL, REGULATORS, ETC.

Post HITECH – 7 Elements Modified for Incident Response

Conducting internal monitoring and auditing to ensure data is valid and processes are effective

• CRUCIAL TO EFFECTIVE MITIGATION AND MINIMIZATION OF INCIDENTS

• YOU CAN’T MANAGE WHAT YOU DON’T KNOW

• DATA, DATA, DATA – IT’S THERE; FIGURE OUT A WAY TO CAPTURE IT

– key performance indicators: employee training statistics/response times/slice & dice of incidents by service line, employee/compare with peers…

• IF YOUR DATA IS BAD, SO ARE ANY CONCLUSIONS YOU DRAW FROM IT

• SO…AUDIT, MONITOR, CRUNCH, REPORT VISUALLY IN DASHBOARDS, PRESENT TO SENIOR MANAGEMENT
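The monitoring bullet above lists the key performance indicators it wants captured: response times, incidents sliced by service line, training statistics. The block below is an added example (not the presenter’s or Anthem’s reporting) that computes those indicators from a constructed incident log, and first drops rows whose timestamps are inconsistent, because a bad row would silently skew every figure on the dashboard. The log columns, the roster numbers and the 24-hour policy timeframe are assumptions for the illustration.

```python
import csv
import io
import statistics
from collections import Counter
from datetime import datetime

# Constructed incident log (not real data). Column names are assumptions:
# id, service_line, discovered_at, reported_at, contained_at, affected_count.
# Row 6 is deliberately inconsistent (reported before it was discovered).
INCIDENT_LOG = """\
id,service_line,discovered_at,reported_at,contained_at,affected_count
1,Claims,2014-03-03 09:00,2014-03-03 10:30,2014-03-04 09:00,12
2,Pharmacy,2014-04-11 14:00,2014-04-14 08:00,2014-04-15 12:00,3
3,Claims,2014-06-20 08:15,2014-06-20 08:45,2014-06-20 16:00,140
4,Customer Service,2014-09-02 11:00,2014-09-02 18:00,2014-09-03 11:00,1
5,Claims,2014-11-17 13:00,2014-11-18 09:00,2014-11-19 13:00,60
6,Pharmacy,2014-12-01 09:00,2014-12-01 08:00,2014-12-02 09:00,5
"""

# Constructed training roster: (employees who completed privacy training, headcount).
TRAINING = {"Claims": (48, 50), "Pharmacy": (9, 12), "Customer Service": (30, 30)}

TS = "%Y-%m-%d %H:%M"
POLICY_REPORT_HOURS = 24  # assumed policy: report to the privacy office within 24 hours


def load_incidents(text):
    """Parse the CSV log into dicts with real datetimes and integer counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("discovered_at", "reported_at", "contained_at"):
            row[col] = datetime.strptime(row[col], TS)
        row["affected_count"] = int(row["affected_count"])
        rows.append(row)
    return rows


def hours_between(a, b):
    return (b - a).total_seconds() / 3600


def data_quality_issues(incidents):
    """IDs of rows whose timeline is impossible; these must not feed the dashboard."""
    return [r["id"] for r in incidents
            if r["reported_at"] < r["discovered_at"] or r["contained_at"] < r["reported_at"]]


def report_lag_hours(incidents):
    """Discovery -> report to privacy office, per incident."""
    return [hours_between(r["discovered_at"], r["reported_at"]) for r in incidents]


def containment_hours(incidents):
    """Report -> containment ("stop the bleed"), per incident."""
    return [hours_between(r["reported_at"], r["contained_at"]) for r in incidents]


def late_reports(incidents, policy_hours):
    """IDs of incidents reported later than the policy timeframe."""
    return [r["id"] for r in incidents
            if hours_between(r["discovered_at"], r["reported_at"]) > policy_hours]


def training_completion(roster):
    return {line: round(done / total, 2) for line, (done, total) in roster.items()}


def dashboard(incidents, roster=TRAINING, policy_hours=POLICY_REPORT_HOURS):
    """Summary figures for senior management, computed only from validated rows."""
    bad = set(data_quality_issues(incidents))
    clean = [r for r in incidents if r["id"] not in bad]
    return {
        "incidents": len(clean),
        "excluded_bad_rows": sorted(bad),
        "median_report_lag_hours": statistics.median(report_lag_hours(clean)),
        "median_containment_hours": statistics.median(containment_hours(clean)),
        "late_reports_%dh" % policy_hours: late_reports(clean, policy_hours),
        "by_service_line": Counter(r["service_line"] for r in clean),
        "training_completion": training_completion(roster),
    }


if __name__ == "__main__":
    for key, value in dashboard(load_incidents(INCIDENT_LOG)).items():
        print("%-26s %s" % (key, value))
```

Medians are used rather than means so one slow report (incident 2 in the sample) does not hide that most reports arrive quickly; the late-report list surfaces that outlier separately, which is what a targeted-training decision needs.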

Post HITECH – 7 Elements Modified for Incident Response

Enforcing standards through well-publicized disciplinary guidelines (sanctions)

• NOT ONLY VERY HELPFUL TO DETERRING/PREVENTING FUTURE INCIDENTS – BUT REQUIRED BY LAW

• EMPLOYEES TALK; USE THAT TO YOUR ADVANTAGE

• REMEMBER CARROT AND STICK. SOME OF YOUR BEST MESSAGES WILL COME FROM THOSE WHO HAVE BEEN INVOLVED IN AN INCIDENT AND WATCHED THE TEAM WORK

Post HITECH – 7 Elements Modified for Incident Response

Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents

• MITIGATION IS KEY; THE QUICKER YOU CAN STOP THE BLEED, THE LESS THE PAIN

• WE HAVE TO GET FIXED WHAT WE CAN SO WE CAN BE READY FOR WHAT WE CANNOT PREVENT OR ANTICIPATE

8th Element

Relax/Have Fun/Reward your staff and yourself

• MOST INDIVIDUALS WHO CHOOSE A CAREER IN COMPLIANCE HAVE LARGE DOSES OF INTEGRITY, CARE DEEPLY ABOUT THEIR ORGANIZATIONS, AND ENJOY A LITTLE CRAZINESS

• WHILE TYPICALLY DRIVEN INTERNALLY, WE TEND TO CRASH HARDER WHEN WE FINALLY DO

• RECOGNIZE THIS AND GO ON VACATION, GARDEN FOR AN ENTIRE WEEKEND, ETC. - BEFORE THIS OCCURS!

Resources

President’s Data Breach Proposal

• http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification.pdf

NIST Special Publication 800-61 Revision 2 (Computer Security Incident Handling Guide)

OIG’s 7 Elements Trainings

• https://oig.hhs.gov/compliance/provider-compliance-training/files/Compliance101tips508.pdf

Office of the National Coordinator for Health IT (created by HITECH)

• http://www.healthit.gov/

Erika Riethmiller-Bol Director, Corporate Privacy-Incident Program [email protected]