Health Information Security and Privacy Incident Response
What is an “Incident”?
• The properties of security:
  • Confidentiality
  • Integrity
  • Availability
• So, an “incident” impairs or threatens one of C-I-A.

Examples of incidents
• Failed logins
• Infected or crashed server
• Stolen laptop
• Slow Internet access, unusual network traffic
• Unusual file names
• Threatening email
• Unexplained configuration change
• Bounced emails
• Confidentiality breach

Incident or Breach
• Well, a breach is an incident, but not all incidents are breaches.
• A “breach” is the “unauthorized acquisition, access, use, or disclosure of PHI” with certain exceptions.
• There are reporting requirements for breaches…
• And penalties for not reporting!

Penalties and Consequences
• Notify each individual
• Notify the FTC
• Notify HHS annually
• If over 500 individuals, notify “prominent media outlets” (!)
• Penalty of $50,000 per violation for “willful neglect.”

Goals of Information Security
• Prevention
• Detection
• Response and recovery

Prevention
• General good security practices.
• Firewalls and intrusion prevention/detection devices.
• Encryption.

Detection
• Help desk calls
• Intrusion detection systems
• Auditing and log review
• Reporting

The Planning Process
Preparation → Detection → Analysis → Respond → Recover → Debrief
Emergency Response Team
Prior to an incident, form a team:
• Information Technology
• Help desk (often the first to know)
• Network and server administration
• Compliance / legal
• Affected business units
• Internal audit
• Physical security

Information Technology
• Designates recovery coordinator
• Determines nature and scope of incident
• Identifies members of incident response team who are needed
• Monitors progress of investigation
• Informs management and business units
• Preserves chain of custody of evidence

Help Desk
• Serves as central point of contact
• Maintains logs of reports
• Notifies recovery coordinator of incidents

Other IT Involvement
• Network Administration
  • Analyzes traffic
  • Runs tracing tools
  • Point of contact for Internet Service Provider
  • Updates firewall and intrusion detection rules
• Server Administration
  • Ensures that patches are up to date
  • Provides for backups and restores data as necessary
  • Reviews server logs

Compliance / Legal
• Coordinates with recovery coordinator
• Provides guidance on legal issues
• Assists with writing statements to affected parties

Business Units
• Notifies help desk of suspected incidents
• Collects information requested by recovery coordinator
• Implements fall-back procedures as indicated
Internal Audit
• Reviews controls
• Audits results of recovery
• Reports on changes needed to controls
Physical Security
• Reports incidents regarding physical security to the help desk
• Assures compliance with physical controls
• Provides physical security, if needed, during recovery

When to Plan
• Before an incident
• When people aren’t stressed
• Also after debriefing from an incident
[Planning cycle diagram: Preparation → Detection → Analysis → Respond → Recover → Debrief]

What is in the Plan
• Detection
• Response and analysis
• Recovery
• Escalation
• Referral to law enforcement
• Internal reporting
• Breach notifications, if applicable
Standards for Evidence
• Sufficient – convincing without question
• Competent – applicable according to law
• Relevant – material to the matter at hand

Types of Evidence
• Direct: oral testimony of personal knowledge
• Real: physical evidence
• Documentary: business records and the like
• Demonstrative: models, demonstrations, experiments

Rules of Evidence
• Best evidence: original evidence is preferable to copies
• Exclusionary rule: evidence gathered illegally is not admissible
• Hearsay rule: second-hand evidence is often not admissible (see best evidence)
  • There are exceptions to the hearsay rule
  • Business records gathered in the ordinary course of business may be admissible

“The Normal Course of Business”
• Log files
• Backups of email and other databases
• Monitoring records
The point is to collect continuously anything you are likely to need as evidence. And document that you do so!

The Chain of Evidence
When evidence is collected other than in the ordinary course of business, it is important to provide proof that what is presented is what was found. This is the “chain of custody” and involves dated, signed, contemporaneous notes. Message digests may be accepted as evidence that a file has not been changed since the digest was computed.
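As an added example (not from the original slides), the following Python routine computes message digests of collected files, keeps a dated chain-of-custody log of who handled each file and when, and shows the digest check failing once the file is altered after collection. The handler name, file name and log layout are assumptions made for illustration.

```python
# Added example (not from the original slides): hash evidence files and keep
# a dated chain-of-custody log so later changes can be detected.
# Handler names, file names and the log layout are illustrative assumptions.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log: list, path: str, handler: str, action: str) -> dict:
    """Append a contemporaneous entry: when, who, what, and the digest at that moment."""
    entry = {"timestamp": datetime.now(timezone.utc).isoformat(),
             "handler": handler, "action": action,
             "file": os.path.basename(path), "sha256": sha256_file(path)}
    log.append(entry)
    return entry

def verify_custody(log: list, directory: str) -> dict:
    """Recompute every logged file's digest against the first one recorded.
    Returns {file: True} if unchanged, {file: False} if it differs."""
    first = {}
    for e in log:
        first.setdefault(e["file"], e["sha256"])
    return {name: sha256_file(os.path.join(directory, name)) == digest
            for name, digest in first.items()}

def demo() -> dict:
    """Collect a constructed log file, record custody, then alter it and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.log")  # constructed sample evidence
        with open(path, "w") as f:
            f.write("2024-01-01T03:14:00Z sshd: Failed password for admin\n")
        log = []
        record_custody(log, path, "J. Analyst", "collected from server")
        record_custody(log, path, "J. Analyst", "copied to evidence store")
        intact = verify_custody(log, d)["server.log"]
        with open(path, "a") as f:
            f.write("added after collection\n")  # simulate an unlogged change
        changed = verify_custody(log, d)["server.log"]
        return {"entries": len(log), "intact_before": intact, "intact_after": changed}
```

In practice the log itself should be stored separately from the evidence and signed or printed and initialled, since a digest only proves integrity relative to the record of it.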
Get Help If…
• You are not absolutely certain you know what you’re doing.
• You are dealing with evidence of a crime. (It is also a crime to tamper with or conceal evidence!)
• You are dealing with something that may become a civil legal matter.

Sources of Help
• Your corporate counsel, compliance officer, etc.
• Law enforcement
  • Take a detective to lunch
  • The time to get to know your local law enforcement people is before you need them
  • Consider carefully before involving law enforcement
• Forensics consultants (referrals from law firm or law enforcement official)

Law Enforcement Involvement
• When an incident constitutes a violation of law, the organization may determine involving law enforcement is necessary
• Questions (decide these in advance!):
  • When should organization get law enforcement involved?
  • What level of law enforcement agency should be involved (local, state, federal)?
  • What happens when law enforcement agency is involved?

Law Enforcement Involvement
• Some questions are best answered by organization’s legal department or law firm.
• If organization detects a criminal act, it may be legally obligated to involve appropriate law enforcement officials.
• It is helpful to have made contacts in advance, especially with local law enforcement.

Advantages of Law Enforcement
Involving law enforcement has advantages:
• Agencies may be better equipped to process evidence
• Law enforcement agencies are prepared to handle warrants and subpoenas needed
• Law enforcement officers are skilled at obtaining witness statements and other information collection

Disadvantages of Involvement
Involving law enforcement has disadvantages:
• Once a law enforcement agency takes over case, organization loses some control over chain of events
• Organization may not hear about case for weeks or months
• Equipment vital to the organization’s business may be seized as evidence
Incident Impact
• High: Prevents many users from accomplishing their tasks related to the organization’s mission; may affect patient care. Includes breach of PHI.
• Medium: Disrupts multiple users, but with little impact on the organization’s mission.
• Low: A single service is degraded; one or a few users affected; little or no impact on operations.

Incident Urgency
• High: Directly affects patient care, patient safety, or employee safety; impairs business operations.
• Medium: Degrades patient care services or business operations.
• Low: Minimal impact on patient care, safety, or operations.

Impact and Urgency
[Priority matrix: Impact (Low / Medium / High) on one axis, Urgency (Low / Medium / High) on the other; high impact together with high urgency is the High Priority Quadrant.]

Breach Reporting
• As soon as possible, but no later than 60 calendar days.
• A brief description of the event, including dates.
• Description of data involved in the breach.
• Steps individuals should take.
• Steps the covered entity is taking.
• Contact information.

Breach Reporting
• Individual notice, including provisions for those with out-of-date contact information.
• Media notice if the breach affected more than 500 people.
• Annual reporting to HHS.