What is a Breach? 8/28/2017


Slide 1: What is a Breach?
Michael E. Reheuser, US Department of Defense

Slide 2: What is a Breach?
The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users, and for an other than authorized purpose, have access or potential access to personally identifiable information, whether physical or electronic.

Slide 3: Personally Identifiable Information (PII)
Information that can be used to distinguish or trace an individual's identity, such as their name, SSN, biometric records, etc., alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

Slide 5:
- More than 490,000 complaints to FTC in 2015
- More than 17 million people claim to be a victim of identity theft
- New types of ID theft are emerging, including synthetic ID theft

Slide 6:
- Stolen/lost laptops or BlackBerries
- Unencrypted emails and attachments containing PII
- Unauthorized use of another user's account
- Unauthorized use of system privileges and data extraction
- Documents containing PII posted to public sites
- Inappropriate disposal of PII (dumpster dive)

Slide 7:
- Normally releasable PII does not necessarily mean a breach
- Release of FOUO documents is not necessarily a breach
- Authorized releases to Congress/courts

Slide 8:
- Name
- Past and present position titles
- Past and present grades, annual salary
- Past and present duty stations
- Position descriptions
- Exceptions for routinely deployable/certain intelligence personnel

Slide 9: You need a breach response plan

Slide 11: info

Slide 12:
- Examine all available information in order to determine if an event/breach has occurred
- All applicable privacy compliance documents
- Was the breach a single instance or a recurring event?
- The identification process is greatly improved by effective training of privacy officials and senior leaders

Slide 13: Evaluate the risk of harm
- More sensitive data = greater risk of harm
- Level of risk depends on the manner of the actual breach and the nature of the data involved
- Is notification required? Decide after the risk assessment is complete

Slide 14:
- Nature of data elements
- Number of individuals affected
- Likelihood that the information is accessible and usable
- Likelihood of harm
- Ability of the agency to mitigate the risk of harm
Based on the assessment of these factors, breaches are then classified as Low, Medium, or High.

Slide 16:
- Within agency
- Between agencies
- Sometimes a non-federal entity
- Helps identify affected individuals and eliminate duplicate records

Slide 17: Breach Notification
- Is breach notification required?
- Timeliness of the notification
- Source of the notification
- Contents of the notification
- Means of providing notification
- Who receives notification
- Public outreach in response to a breach

Slide 18:
- Agencies should bear in mind that notification of a breach when there is little or no risk of harm might create unnecessary concern and confusion
- Judgment call by senior leadership
- Consideration should be given to notifying third parties, such as the media, in order to maintain public trust

Slide 19:
- Source: component head or senior-level individual from the organization where the breach occurred
- Means: 1st Class US Mail
- Other means are acceptable if more effective in reaching affected individuals: email, substitute notice, telephone (must be followed up in writing)

Slide 20:
- A description of the specific data that was involved
- Facts and circumstances surrounding the loss, theft, or compromise
- A statement on if and how the data was protected (i.e., encryption)
- Protective actions that are being taken or any mitigation support services that have been implemented by the agency, including a toll-free number and website

Slide 21:
- Workforce members must report a potential or confirmed breach
- 1 hour to the United States Computer Emergency Readiness Team (US-CERT)
- 24 hours to the Component Senior Official for Privacy
- 10 working days for individual notification
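The three reporting clocks on slide 21 (1 hour, 24 hours, 10 working days) all start from the moment a workforce member discovers the breach, and the working-day clock is the one that is easy to get wrong by hand across a weekend. The following Python example is added here and is not part of the presentation; it computes the three deadlines from a discovery timestamp and flags reports that were sent late or not at all. The function and constant names are assumptions, as is the rule that a working day is Monday to Friday, with an optional caller-supplied set of holiday dates.

```python
"""Added example: breach-reporting deadline tracker for the three deadlines
stated on slide 21. Not part of the presentation. Assumptions: a working day
is Monday-Friday that is not in a caller-supplied holiday set; all names are
constructed for this example."""
from datetime import datetime, timedelta

# Deadlines as stated on the slide, measured from discovery of the breach.
US_CERT_HOURS = 1
SENIOR_PRIVACY_OFFICIAL_HOURS = 24
INDIVIDUAL_NOTIFICATION_WORKING_DAYS = 10


def add_working_days(start, days, holidays=()):
    """Return the datetime `days` working days after `start`.

    Assumption: a working day is Monday-Friday (weekday() < 5) whose date is
    not in `holidays`, a collection of `date` objects supplied by the caller.
    Weekend and holiday dates are stepped over without being counted."""
    current = start
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current.date() not in holidays:
            remaining -= 1
    return current


def reporting_deadlines(discovered_at, holidays=()):
    """Map each reporting obligation to its deadline, given discovery time."""
    return {
        "us_cert": discovered_at + timedelta(hours=US_CERT_HOURS),
        "senior_official_for_privacy":
            discovered_at + timedelta(hours=SENIOR_PRIVACY_OFFICIAL_HOURS),
        "individual_notification": add_working_days(
            discovered_at, INDIVIDUAL_NOTIFICATION_WORKING_DAYS, holidays),
    }


def overdue_reports(discovered_at, reported, now, holidays=()):
    """Return the obligations whose deadline has been missed.

    `reported` maps an obligation name to the datetime its report was sent;
    an obligation absent from `reported` has not been sent yet. An obligation
    is missed if it was sent after its deadline, or not sent and the deadline
    has already passed as of `now`."""
    missed = []
    for name, deadline in reporting_deadlines(discovered_at, holidays).items():
        sent = reported.get(name)
        if sent is None:
            if now > deadline:
                missed.append(name)
        elif sent > deadline:
            missed.append(name)
    return missed


if __name__ == "__main__":
    # Constructed sample: breach discovered on a Friday afternoon.
    discovered = datetime(2017, 8, 25, 16, 30)
    for name, deadline in reporting_deadlines(discovered).items():
        print(f"{name}: {deadline:%Y-%m-%d %H:%M}")
```

Because the 10-working-day clock skips Saturdays and Sundays, a Friday-afternoon discovery pushes individual notification to the Friday two weeks later; passing a holiday set shifts it further, which is why the tracker takes holidays as input rather than hard-coding a calendar.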

Slide 23: Containment
- Implement short-term actions immediately to limit the scope and magnitude of a breach
- Determine the media of PII that may be affected: paper, electronic, or both
Minimum action steps:
- Determine a course of action concerning the operational status of the compromised system and identify critical information affected by the breach
- Follow existing local and higher-authority guidance regarding any additional breach containment requirements

Slide 25: Mitigation of Harmful Effects
- Personnel who may be involved: ensure they are performing required duties to contain harmful effects
- Apply appropriate administrative safeguards, including reporting and analysis
- Apply appropriate physical safeguards, such as sectioning off the area, controlling any affected PII, and securing hardware
- Apply appropriate technical safeguards, such as blocking all exploited ports

Slide 27: Eradication
- Remove the cause of the breach and mitigate vulnerabilities pertaining to it
- If the cause of the breach cannot be removed, isolate the affected PII
- Effective eradication efforts include administrative, physical, and technical safeguards
- Document these activities in the breach identification log

Slide 29: Recovery
- Verify that restoration actions were successful and that the business operation has returned to its normal condition
- Execute necessary changes to the environment and document recovery actions in the breach identification log
- Notify users of policy updates, new standard operating procedures and processes, and security upgrades that were implemented due to the breach

Slide 31: Follow-up and Lessons Learned
- Develop a lessons-learned list, and share it with personnel and with other organizations, as applicable
- Establish new assessment procedures in order to identify or prevent similar breaches in the future
- Provide subsequent workforce training and awareness lessons, as necessary

Slide 32:
- Train all personnel on privacy, security, and their roles and responsibilities before they access agency information systems
- Only collect PII that satisfies the purpose of the collection or request
- Implement strong controls to protect PII
- Assess those controls for compliance
- Conduct business practice reviews
- Audits: internal and third party
- Learn from good and bad examples

Slide 33:
- Practice proactive risk management
- Map how PII travels through the facility: its location in transit and at rest
- Determine areas where it may be vulnerable

Slide 34:
- In some cases, paper records are more vulnerable than electronic records
- Implement strong controls for paper PII
- Ensure cabinets and offices are locked
- Only take out records when they are in use
- Protect PII from casual observation
- Isolate equipment that prints PII

Slide 35: Know Who Needs to Know
- Know who has access to systems that collect and maintain PII
- Install strong password rules
- Maintain access logs as appropriate
- Keep areas clean and clear of PII when not in use
And finally:
- Follow all policies and procedures for removing or destroying PII
- Remember that individuals have rights to their own PII, and act on any suspected breach

Slide 36: OMB Memo 17-12
Read it. Know it. Live it.