Privacy Incident Response & Reporting: Pre and Post HITECH

Transcription

1 Privacy Incident Response & Reporting: Pre and Post HITECH Erika Riethmiller-Bol, Director, Corporate Privacy-Incident Program, Anthem, Inc. HCCA Managed Care Compliance Conference February 16, 2015 Objectives Historical look at incident management in healthcare Organizing your program for success Why it is critical that you get it right 1

2 Questions: What is Incident Response? How do your report an incident at your organization? Can you name one member on your privacy IRT (incident response team) besides the privacy officer? Think of the most effective training you ve ever given or been to. Why was it effective? Who is your /your privacy officer s most critical contact in your organization when something goes wrong? COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 3 Questions, cont. If your CEO/Board asked for 1 key metric to prove your value in 2014, what would you provide him/her? Have you ever heard of someone getting sanctioned for a privacy event? Is quality improvement embedded into the culture of your organization or an after thought? COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 4 2

3 Purpose of Incident Management Identify and respond to unexpected events Minimize occurrence of incidents and lessen severity Mitigate impact (on organization and impacted individuals) Incident Management - Stages Preparation Detection Classification/Triage Investigation Response (Stop Bleed) Report Wrap-up/Lessons Learned 3

4 Types of Incidents Technical Failures of systems, people, processes, etc. Incident Response Pre HITECH Totally a Security thing Birth of security organizations and standards began early 2000 HITRUST (2008) MS-ISAC (2003) ISO (2005) Privacy was busy dealing with Notice of Privacy Practices, Patients / Members Rights, Privacy Complaints, etc. And documenting it via Policies and Procedures, etc. Task driven approach Regulatory focus 4

5 And then. HITECH Act of 2009 Sec Notification In The Case Of Breach A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. Standards: Notification of Covered Entity by Business Associate Breaches Treated as Discovered Timeliness of Notification Methods of Notice (1) Individual Notice (2) Media Notice (3) Notice to Secretary (4) Posting on HHS Public Website Content of Notification Delay of Notification Authorized for Law Enforcement Purposes Unsecured Protected Health Information Defined 5

6 Table 3-5. Incident Handling Checklist Action Completed Detection and Analysis 1. Determine whether an incident has occurred 1.1 Analyze the precursors and indicators 1.2 Look for correlating information 1.3 Perform research (e.g., search engines, knowledge base) 1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence 2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.) 3. Report the incident to the appropriate internal personnel and external organizations Containment, Eradication, and Recovery 4. Acquire, preserve, secure, and document evidence 5. Contain the incident 6. Eradicate the incident 6.1 Identify and mitigate all vulnerabilities that were exploited and our world as Privacy Officers/Compliance Officers became more complicated 6.2 Remove malware, inappropriate materials, and other components 6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them 7. Recover from the incident 7.1 Return affected systems to an operationally ready state 7.2 Confirm that the affected systems are functioning normally 7.3 If necessary, implement additional monitoring to look for future related activity Post-Incident Activity 8. Create a follow-up report 9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise) Breaches Affecting 500 or More Individuals Name of Covered Entity State Covered Entity Type Individuals Affected Breach Date Type of Breach Location of Breached Information Business Associate Present Web Description Dermatology Associates of Tallahassee FL Healthcare Provider /30/0002 Unknown Other No \N UNCG Speech and Hearing Center NC Healthcare Provider /01/1997 Hacking/IT Incident Desktop Computer No \N UMass Memorial Medical Center MA Healthcare Provider /06/ /04/2014 Unauthorized Access/Disclosur e Electronic Medical Record, Paper/Films No \N Riverside Mercy Hospital and Ohio/Mercy Diagnostics Healthcare OH /29/2003 Provider Improper Disposal Paper/Films No As of 2/5/15: 1131 Breaches affecting >500 individuals reported since 9/

7 Privacy Needed to Get Organized Needed its own Incident Response and Reporting Process Needed to coordinate with Information Technology/Security when IT issues affected PHI/PII Needed to account for issues going on with Legal, Human Resources, IT, etc., etc. Privacy Officer forced to become jack of all trades and promoter of communication Response & Reporting Reporting easy for Privacy Officers Used to documentation Used to regulatory obligations Comfortable in Legal space Incident Response a little trickier Requires coordination Requires rapid-fire intervention Lots of players involved Mitigation key Planned and organized response CRUCIAL 7

8 Privacy Officers needed to Morph Key IT Security Personality traits* Attention to detail Dependability Initiative Achievement Flexibility Independence Integrity Persistence Cooperation And needed to be/become flexible and comfortable in risk space No Risk Acceptable Total Risk Taker Post HITECH 7 Elements Modified for Incident Response Implementing written policies, procedures and incident response plans Designating a privacy and security officer and incident response team/s Conducting effective training and education Developing effective lines of communication with all stakeholders Conducting internal monitoring and auditing to ensure data is valid and processes are effective Enforcing standards through well-publicized disciplinary guidelines (sanctions) Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents 8

9 Post HITECH Privacy Incident Management 7 Elements Implementing written policies, procedures and incident response plans YOU MUST HAVE A PLAN IN PLACE ANSWER HOW, WHAT, WHO, WHERE & WHEN (ALTHOUGH WHEN IS ALMOST ALWAYS IMMEDIATELY) DEFINE YOUR INCIDENT RESPONSE TEAM ROLES AND MEMBERS DOCUMENT IT SO EVERYONE KNOWS WHAT TO DO WHEN CRISIS OCCURS UPDATE IT PERIODICALLY OR WHEN ANYTHING CHANGES TEMPLATES ABOUND ON THE INTERNET Incident Reporting How? Web-based? Paper based? ? Make sure people understand HOW to get you the information you need How Quickly? Immediately Within 24 hours Within 72 hours As soon as possible COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 18 9

10 RE-fine Your Scope What about Ethics Issues? Be Clear about what you want coming to you if not, you may get it all! COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 19 What Do You Need to Know? What Information do you want and need? date and time of incident discovery, general description of the incident, systems, populations and/or data at possible risk, actions they have taken since incident discovery, contact information, any additional information reporter feels is important and relevant COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 20 10

11 Incident Triage What is a Significant Event to Your Organization? Subjective assessment BUT if you keep in mind your culture and goals this process should be fairly straight forward Examples: Incidents involving VIPs or key accounts Incidents for which a press release may or will be issued, or media coverage is anticipated Incidents involving 50 or more affected individuals Incidents likely to result in litigation or regulatory investigation Incidents involving criminal activity Any other incident that is likely to involve reputational, regulatory, or financial risk to organization COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 21 What About Lower-Risk Events? Still Important Consider sub-teams that can handle these lesser incidents Collect data from these as well COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY 22 11

12 Post HITECH Privacy Incident Management 7 Elements Designating a privacy and security officer and incident response team/s SEEMINGLY SIMPLE? NEED THE RIGHT MIX OF LEGAL/REGULATORY FOCUS AND ABILITY TO RESPOND UNDER PRESSURE AND IN LINE WITH ORGANIZATIONAL GOALS ABILITY TO HANDLE STRESS WELL; WHAT WE DO IS STRESSFUL PRIVACY AND SECURITY MUST WORK TOGETHER FOR THE GOOD OF ALL Privacy Incident Response Team Members Incident Responder Investigator IT security specialist Business manager Legal Human resources Public Relations Facilities Management Risk Management Etc. Etc. Etc. customize to your organization & how it does business 12

13 Post HITECH Privacy Incident Management 7 Elements Conducting effective training and education YOUR EMPLOYEES NEED TO KNOW HOW TO RESPOND WHEN AN INCIDENT OCCURS REQUIRED RESPONSE TIMEFRAME IS CRITICAL SUPPORTED BY MANAGEMENT/EXECUTIVE LEADERSHIP AND DOCUMENTED IN POLICY NEW HIRE TRAINING/REFRESHER TRAINING DO ANYTHING TO GET IT TOP OF MIND FOR YOUR EMPLOYEES TARGETED TRAINING TO SPECIFIC AREAS IN NEED OF IT AND/OR IN RESPONSE TO AN INCIDENT EMPLOYEES NEED TO KNOW WHO PRIVACY OFFICER IS/OUTREACH IN PERSON AS MUCH AS POSSIBLE Post HITECH 7 Elements Modified for Incident Response Developing effective lines of communication with all stakeholders RELATIONSHIP BUILDING IS THE MOST IMPORTANT PART OF AN INCIDENT MANAGEMENT PROGRAM IF PEOPLE DON T TRUST YOU, THEY WON T TELL YOU WHAT YOU NEED TO KNOW NEED TO RECOGNIZE TOTAL CUSTOMER BASE: INTERNAL, EXTERNAL, REGULATORS, ETC. 13

14 Post HITECH 7 Elements Modified for Incident Response Conducting internal monitoring and auditing to ensure data is valid and processes are effective CRUCIAL TO EFFECTIVE MITIGATION AND MINIMIZATION OF INCIDENTS YOU CAN T MANAGE WHAT YOU DON T KNOW DATA, DATA, DATA IT S THERE; FIGURE OUT A WAY TO CAPTURE IT key performance indicators: employee training statistics/response times/slice & dice of incidents by service line, employee/compare with peers IF YOUR DATA IS BAD, SO ARE ANY CONCLUSIONS YOU DRAW FROM IT SO AUDIT, MONITOR, CRUNCH, REPORT VISUALLY IN DASHBOARDS, PRESENT TO SENIOR MANAGEMENT Post HITECH 7 Elements Modified for Incident Response Enforcing standards through well-publicized disciplinary guidelines (sanctions) NOT ONLY VERY HELPFUL TO DETERING/ PREVENTING FUTURE INCIDENTS BUT REQUIRED BY LAW EMPLOYEES TALK; USE THAT TO YOUR ADVANTAGE REMEMBER CARROT ANDSTICK. SOME OF YOUR BEST MESSAGES WILL COME FROM THOSE WHO HAVE BEEN INVOLVED IN AN INCIDENT AND WATCHED THE TEAM WORK 14

15 Post HITECH 7 Elements Modified for Incident Response Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents MITIGATION IS KEY; THE QUICKER YOU CAN STOP THE BLEED, THE LESS THE PAIN WE HAVE TO GET FIXED WHAT WE CAN SO WE CAN BE READY FOR WHAT WE CANNOT PREVENT OR ANTICIPATE 8 th Element Relax/Have Fun/Reward your staff and yourself MOST INDIVIDUALS WHO CHOOSE A CAREER IN COMPLIANCE HAVE LARGE DOSES OF INTEGRITY, CARE DEEPLY ABOUT THEIR ORGANIZATIONS, AND ENJOY A LITTLE CRAZINESS WHILE TYPICALLY DRIVEN INTERNALLY, WE TEND TO CRASH HARDER WHEN WE FINALLY DO RECOGNIZE THIS AND GO ON VACATION, GARDEN FOR AN ENTIRE WEEKEND, ETC. - BEFORE THIS OCCURS! 15

16 Resources President s Data Breach Proposal dated-data-breach-notification.pdf Special Publication Revision 2 OIG s 7 Elements Trainings Office of National Coordinator for Health IT (created by HITECH) Erika Riethmiller-Bol Director, Corporate Privacy-Incident Program erika.bol@anthem.com 16