Privacy Incident Response & Reporting: Pre and Post HITECH


Privacy Incident Response & Reporting: Pre and Post HITECH
Erika Riethmiller-Bol, Director, Corporate Privacy-Incident Program, Anthem, Inc.
HCCA Managed Care Compliance Conference, February 16, 2015

Objectives
- Historical look at incident management in healthcare
- Organizing your program for success
- Why it is critical that you get it right

Questions
- What is Incident Response?
- How do you report an incident at your organization?
- Can you name one member of your privacy IRT (incident response team) besides the privacy officer?
- Think of the most effective training you've ever given or been to. Why was it effective?
- Who is your / your privacy officer's most critical contact in your organization when something goes wrong?

COMPANY CONFIDENTIAL FOR INTERNAL USE ONLY DO NOT COPY

Questions, cont.
- If your CEO/Board asked for 1 key metric to prove your value in 2014, what would you provide him/her?
- Have you ever heard of someone getting sanctioned for a privacy event?
- Is quality improvement embedded into the culture of your organization or an afterthought?

Purpose of Incident Management
- Identify and respond to unexpected events
- Minimize occurrence of incidents and lessen severity
- Mitigate impact (on organization and impacted individuals)

Incident Management - Stages
- Preparation
- Detection
- Classification/Triage
- Investigation
- Response (Stop Bleed)
- Report
- Wrap-up/Lessons Learned

Types of Incidents
- Technical
- Failures of systems, people, processes, etc.

Incident Response Pre HITECH
- Totally a Security thing
- Birth of security organizations and standards began early 2000: HITRUST (2008), MS-ISAC (2003), ISO 20000 (2005)
- Privacy was busy dealing with Notice of Privacy Practices, Patients'/Members' Rights, Privacy Complaints, etc., and documenting it via Policies and Procedures, etc.
- Task driven approach
- Regulatory focus

And then... HITECH Act of 2009, Sec. 13402 - Notification In The Case Of Breach

"A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach."

Standards:
- Notification of Covered Entity by Business Associate
- Breaches Treated as Discovered
- Timeliness of Notification
- Methods of Notice: (1) Individual Notice, (2) Media Notice, (3) Notice to Secretary, (4) Posting on HHS Public Website
- Content of Notification
- Delay of Notification Authorized for Law Enforcement Purposes
- Unsecured Protected Health Information Defined

...and our world as Privacy Officers/Compliance Officers became more complicated.

Table 3-5. Incident Handling Checklist (NIST Special Publication 800-61 Revision 2, listed under Resources)

Detection and Analysis
1. Determine whether an incident has occurred
   1.1 Analyze the precursors and indicators
   1.2 Look for correlating information
   1.3 Perform research (e.g., search engines, knowledge base)
   1.4 As soon as the handler believes an incident has occurred, begin documenting the investigation and gathering evidence
2. Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
3. Report the incident to the appropriate internal personnel and external organizations

Containment, Eradication, and Recovery
4. Acquire, preserve, secure, and document evidence
5. Contain the incident
6. Eradicate the incident
   6.1 Identify and mitigate all vulnerabilities that were exploited
   6.2 Remove malware, inappropriate materials, and other components
   6.3 If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then contain (5) and eradicate (6) the incident for them
7. Recover from the incident
   7.1 Return affected systems to an operationally ready state
   7.2 Confirm that the affected systems are functioning normally
   7.3 If necessary, implement additional monitoring to look for future related activity

Post-Incident Activity
8. Create a follow-up report
9. Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)

Breaches Affecting 500 or More Individuals (source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)

Name of Covered Entity | State | Covered Entity Type | Individuals Affected | Breach Date | Type of Breach | Location of Breached Information | Business Associate Present | Web Description
Dermatology Associates of Tallahassee | FL | Healthcare Provider | 915 | 11/30/0002 | Unknown | Other | No | \N
UNCG Speech and Hearing Center | NC | Healthcare Provider | 2300 | 01/01/1997 | Hacking/IT Incident | Desktop Computer | No | \N
UMass Memorial Medical Center | MA | Healthcare Provider | 2387 | 05/06/2002-03/04/2014 | Unauthorized Access/Disclosure | Electronic Medical Record, Paper/Films | No | \N
Riverside Mercy Hospital and Ohio/Mercy Diagnostics | OH | Healthcare Provider | 1000 | 03/29/2003 | Improper Disposal | Paper/Films | No |

As of 2/5/15: 1131 breaches affecting >500 individuals reported since 9/2009.

Privacy Needed to Get Organized
- Needed its own Incident Response and Reporting Process
- Needed to coordinate with Information Technology/Security when IT issues affected PHI/PII
- Needed to account for issues going on with Legal, Human Resources, IT, etc., etc.
- Privacy Officer forced to become jack of all trades and promoter of communication

Response & Reporting
Reporting: easy for Privacy Officers
- Used to documentation
- Used to regulatory obligations
- Comfortable in Legal space
Incident Response: a little trickier
- Requires coordination
- Requires rapid-fire intervention
- Lots of players involved
- Mitigation key
- Planned and organized response CRUCIAL

Privacy Officers needed to Morph
Key IT Security personality traits*: attention to detail, dependability, initiative, achievement, flexibility, independence, integrity, persistence, cooperation
And needed to be/become flexible and comfortable in risk space (somewhere between "No Risk Acceptable" and "Total Risk Taker")

Post HITECH: 7 Elements Modified for Incident Response
1. Implementing written policies, procedures and incident response plans
2. Designating a privacy and security officer and incident response team/s
3. Conducting effective training and education
4. Developing effective lines of communication with all stakeholders
5. Conducting internal monitoring and auditing to ensure data is valid and processes are effective
6. Enforcing standards through well-publicized disciplinary guidelines (sanctions)
7. Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents

Post HITECH Privacy Incident Management, 7 Elements
1. Implementing written policies, procedures and incident response plans
- You must have a plan in place
- Answer how, what, who, where & when (although "when" is almost always immediately)
- Define your incident response team roles and members
- Document it so everyone knows what to do when crisis occurs
- Update it periodically or when anything changes
- Templates abound on the internet

Incident Reporting
How? Web-based? Paper based? Email? Make sure people understand HOW to get you the information you need.
How quickly?
- Immediately
- Within 24 hours
- Within 72 hours
- As soon as possible

Refine Your Scope
What about Ethics issues? Be clear about what you want coming to you; if not, you may get it all!

What Do You Need to Know?
What information do you want and need?
- date and time of incident discovery
- general description of the incident
- systems, populations and/or data at possible risk
- actions they have taken since incident discovery
- contact information
- any additional information the reporter feels is important and relevant

Incident Triage
What is a Significant Event to your organization? A subjective assessment, BUT if you keep in mind your culture and goals this process should be fairly straightforward. Examples:
- Incidents involving VIPs or key accounts
- Incidents for which a press release may or will be issued, or media coverage is anticipated
- Incidents involving 50 or more affected individuals
- Incidents likely to result in litigation or regulatory investigation
- Incidents involving criminal activity
- Any other incident that is likely to involve reputational, regulatory, or financial risk to the organization

What About Lower-Risk Events?
- Still important
- Consider sub-teams that can handle these lesser incidents
- Collect data from these as well

Post HITECH Privacy Incident Management, 7 Elements
2. Designating a privacy and security officer and incident response team/s
- Seemingly simple?
- Need the right mix of legal/regulatory focus and ability to respond under pressure and in line with organizational goals
- Ability to handle stress well; what we do is stressful
- Privacy and Security must work together for the good of all

Privacy Incident Response Team Members
- Incident Responder
- Investigator
- IT security specialist
- Business manager
- Legal
- Human Resources
- Public Relations
- Facilities Management
- Risk Management
- Etc., etc., etc.: customize to your organization & how it does business

Post HITECH Privacy Incident Management, 7 Elements
3. Conducting effective training and education
- Your employees need to know how to respond when an incident occurs
- Required response timeframe is critical, supported by management/executive leadership and documented in policy
- New hire training/refresher training; do anything to get it top of mind for your employees
- Targeted training to specific areas in need of it and/or in response to an incident
- Employees need to know who the Privacy Officer is; outreach in person as much as possible

Post HITECH 7 Elements Modified for Incident Response
4. Developing effective lines of communication with all stakeholders
- Relationship building is the most important part of an incident management program
- If people don't trust you, they won't tell you what you need to know
- Need to recognize total customer base: internal, external, regulators, etc.

Post HITECH 7 Elements Modified for Incident Response
5. Conducting internal monitoring and auditing to ensure data is valid and processes are effective
- Crucial to effective mitigation and minimization of incidents
- You can't manage what you don't know
- Data, data, data: it's there; figure out a way to capture it
- Key performance indicators: employee training statistics, response times, slice & dice of incidents by service line and employee, comparison with peers
- If your data is bad, so are any conclusions you draw from it, so audit, monitor, crunch, report visually in dashboards, present to senior management

Post HITECH 7 Elements Modified for Incident Response
6. Enforcing standards through well-publicized disciplinary guidelines (sanctions)
- Not only very helpful to deterring/preventing future incidents but required by law
- Employees talk; use that to your advantage
- Remember carrot and stick. Some of your best messages will come from those who have been involved in an incident and watched the team work
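To make the intake fields, the significant-event triage criteria, the HITECH Sec. 13402 notice obligations and the monitoring KPIs above concrete, here is an added example (written for this page, not code from the presentation or from Anthem) of an intake-and-triage module. It assumes the 60-day notification window from the HIPAA Breach Notification Rule, which the slides do not state, and simplifies the media-notice test to a total count; the sample reports are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from collections import Counter

# 50 = the slides' significant-event cut-off; 500 = HITECH "500 or more" threshold; the
# 60-day window is the HIPAA Breach Notification Rule deadline (assumed, not on the slides).
SIGNIFICANT_INDIVIDUALS = 50
HHS_IMMEDIATE_THRESHOLD = 500
NOTIFICATION_WINDOW = timedelta(days=60)

@dataclass
class IncidentReport:
    """Intake fields from the "What Do You Need to Know?" slide (simplified)."""
    discovered: date
    reported: date
    description: str
    service_line: str
    individuals_affected: int = 0
    unsecured_phi: bool = True
    vip_involved: bool = False
    media_expected: bool = False
    litigation_or_regulatory_likely: bool = False
    criminal_activity: bool = False

def significant_event_reasons(r):
    """Which of the slides' significant-event criteria the report trips (empty = lower risk)."""
    checks = [
        (r.vip_involved, "VIP or key account"),
        (r.media_expected, "press release or media coverage anticipated"),
        (r.individuals_affected >= SIGNIFICANT_INDIVIDUALS, "50 or more individuals"),
        (r.litigation_or_regulatory_likely, "litigation or regulatory investigation likely"),
        (r.criminal_activity, "criminal activity"),
    ]
    return [why for hit, why in checks if hit]

def route(r):
    """Significant events go to the full privacy IRT; a sub-team handles the rest."""
    return "full privacy IRT" if significant_event_reasons(r) else "sub-team"

def notification_plan(r):
    """HITECH Sec. 13402 duties; the clock runs from discovery, not from the internal report."""
    if not r.unsecured_phi or r.individuals_affected == 0:
        return {}  # no breach of unsecured PHI: no notice duty (still investigate)
    plan = {"individual_notice_by": r.discovered + NOTIFICATION_WINDOW}
    if r.individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        plan["hhs_notice_by"] = r.discovered + NOTIFICATION_WINDOW
        plan["media_notice"] = True  # simplified: the rule keys on >500 residents of one state
    else:
        plan["hhs_annual_log"] = True  # under 500: log it, submit within 60 days of year end
    return plan

def kpis(reports):
    """Monitoring-slide metrics: reporting lag (discovery to report) and counts per service line."""
    lags = [(r.reported - r.discovered).days for r in reports]
    return {"avg_days_to_report": sum(lags) / len(lags) if lags else 0.0,
            "by_service_line": dict(Counter(r.service_line for r in reports))}

# Constructed sample reports, not real incidents.
SAMPLE = [IncidentReport(date(2015, 1, 5), date(2015, 1, 6), "misdirected fax", "claims", 3),
          IncidentReport(date(2015, 1, 10), date(2015, 2, 2), "lost unencrypted laptop", "pharmacy", 1200, media_expected=True)]
```

The second sample shows why the "How quickly?" slide matters: 23 days passed between discovery and the internal report, and all of it came off the notification clock.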

Post HITECH 7 Elements Modified for Incident Response
7. Responding promptly to detected incidents and undertaking corrective action to deter/prevent future incidents
- Mitigation is key; the quicker you can stop the bleed, the less the pain
- We have to get fixed what we can so we can be ready for what we cannot prevent or anticipate

8th Element: Relax/Have Fun/Reward your staff and yourself
- Most individuals who choose a career in compliance have large doses of integrity, care deeply about their organizations, and enjoy a little craziness
- While typically driven internally, we tend to crash harder when we finally do recognize this and go on vacation, garden for an entire weekend, etc. - before this occurs!

Resources
- President's Data Breach Proposal: http://www.whitehouse.gov/sites/default/files/omb/legislative/letters/updated-data-breach-notification.pdf
- NIST Special Publication 800-61 Revision 2
- OIG's 7 Elements Trainings: https://oig.hhs.gov/compliance/provider-compliance-training/files/compliance101tips508.pdf
- Office of the National Coordinator for Health IT (created by HITECH): http://www.healthit.gov/

Erika Riethmiller-Bol, Director, Corporate Privacy-Incident Program, erika.bol@anthem.com