Page 1

Breach Response
TRICARE Management Activity, HEALTH AFFAIRS
2009 Data Protection Seminar
TMA Privacy Office

Page 2 (title slide, repeated)

Page 3

Purpose

The purpose of this presentation is to provide a thorough understanding of the requirements placed on TRICARE Management Activity (TMA) personnel when assessing and responding to a breach.

Page 4

Objectives

Upon completion of this presentation, you should be able to:

− Describe the key components of breach reporting, notification, and mitigation

− Define your role in identifying and responding to breaches

− Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)

Page 5

Background

Page 6

SOP vs Administrative Instruction

The TMA Standard Operating Procedure (SOP) for Breach Response has been revised and re-formatted as an Administrative Instruction (AI).

Page 7

TMA Breach Notification Administrative Instruction (AI)

The Breach Notification Administrative Instruction has three main sections:

− Roles and Responsibilities: Outlines the expectations of each program office in the process of handling an incident

− Procedures: Details specific actions and a progression of events that occur after a breach has been identified

− Appendices: Provides various resources for assessing, reporting, and mitigating a breach

Page 8

Definitions

Personally Identifiable Information (PII): Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history, and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.

Page 9

Definitions (continued)

Protected Health Information (PHI): Individually identifiable information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to:

− The past, present, or future physical or mental health, or condition of an individual

− Provision of health care to an individual

− Payment for the provision of health care to an individual.

If the information identifies an individual, or provides a reasonable basis to believe it can be used to identify an individual, it is considered PHI.

Page 10

Definitions (continued)

Breach: Actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information, where persons other than authorized users gain access or potential access to such information for other than authorized purposes, and where one or more individuals will be adversely affected.

Page 11

Roles & Responsibilities

Page 12 (IRT Chair duties: pp. 4-5 of the AI)

Roles & Responsibilities

Incident Response Team (IRT) Chairman

− Serve as the central POC for the IRT

− Act as the conduit of information between the information/system owner and the IRT

− Delegate mitigation tasks to IRT members

− Determine the incident severity level based on IRT analysis and recommendations

− Update senior leadership as information becomes available

Page 13 (IRT Chair duties: pp. 4-5 of the AI)

Roles & Responsibilities (continued)

IRT Chairman

− Coordinate with the TMA Deputy Director and Chief Financial Officer (CFO) in estimating costs of the breach

− Assign responsibilities for preparation of the after-action report

− Debrief senior leadership

Page 14 (CIO duties: pp. 5-7 of the AI)

Roles & Responsibilities (continued)

Chief Information Officer (CIO) Representative

− Collaborate with the IRT Chairman throughout the breach process

− Secure/isolate the affected equipment from the network to prevent further malicious activity

− Collect information for possible forensic use including logs, inventory of systems, and personal accounts

− Oversee mitigation of any suspected vulnerabilities in centrally managed systems

Page 15 (TMA PO duties: p. 7 of the AI)

Roles & Responsibilities (continued)

Director, TMA Privacy Office

− Ensure compliance with all privacy requirements, such as:
  Incident reports
  Updates to leadership
  Other internal and external communications

− Ensure compliance with internal incident response plan

− Conduct training for IRT representatives at least annually

Page 16 (System Owner duties: pp. 10-11 of the AI)

Roles & Responsibilities (continued)

Information/system owner

− Isolate the system from the rest of the network to preclude further malicious activity

− Identify compromised data including the identification of specific fields (name, rank, address, phone number, etc.)

− Identify potentially affected individuals, and work through the IRT Chairman to contact Defense Manpower Data Center (DMDC) for address information

− Ensure mitigation tasks are executed in accordance with IRT Chairman delegation

Page 17 (System Owner duties: pp. 10-11 of the AI)

Roles & Responsibilities (continued)

Information/system owner

− Immediately notify leadership upon discovery and maintain a chronological log

− Analyze compromised assets and identify compromised data

− Routinely monitor the system for any further subversion attempts

− Define notification requirements, as described in the AI

Page 18

Procedures

Page 19

Procedures

The following steps provide for well-coordinated management and control of a breach:

− Incident Identification

− Incident Reporting

− Containment

− Mitigation of harmful effects

− Eradication

− Recovery

− Follow-up

[Process flow graphic: Incident Identification → Incident Reporting → Containment → Mitigation → Eradication → Recovery → Follow-up; repeated on each of the following procedure slides]

Page 20

Procedures (continued)

Step 1: Incident Identification

− Involves the examination of all available information in order to determine if an event/incident has occurred

− Action steps:
  Analyze all available information
  Confirm and classify the severity of the incident
  Determine the appropriate plan of action
  Acknowledge legal issues addressed by the Office of General Counsel (OGC) representative
  Create an incident identification log


Page 21

Procedures (continued)

Step 2: Incident Reporting

− TMA workforce members must report a potential or confirmed breach

− TMA personnel must notify their TMA component director, who will alert the CIO and TMA Privacy Officer within one hour

− Incidents involving a malicious breach of PHI or PII must be reported to TMA Program Integrity

− The TMA Privacy Officer and/or the CIO will notify the Deputy Director, TMA and senior leadership


Page 22

Procedures (continued)

Step 2: Incident Reporting (continued)

TMA Components must notify:

− Leadership – Immediately

− TMA Privacy Office – Within 1 Hour

− US CERT – Within 1 Hour

− DoD Privacy Office – Within 48 Hours

Note: Notify issuing banks if government-issued credit cards are involved; law enforcement, if necessary; and all affected individuals within 10 working days of breach and identity discovery, if necessary.


Page 23

Procedures (continued)

Step 3: Containment

− Involves short-term actions that are immediately implemented in order to limit the scope and magnitude of an incident

− Containment activities include, at a minimum, the following action steps:
  Determine a course of action concerning the operational status of the compromised system and identify critical information affected by the incident
  Follow existing local and higher-authority guidance regarding any additional incident containment requirements


Page 24

Procedures (continued)

Step 4: Mitigation of Harmful Effects

− The information/system owner shall mitigate the harmful effects of all incidents by taking the following actions:
  Securing the information and taking the affected system off-line as soon as possible
  Applying appropriate administrative and physical safeguards/blocking all exploited ports
  Notifying other information/system owners of the attempted breach
  Assessing the need for providing free credit monitoring and identity fraud expense coverage for affected individuals


Page 25

Procedures (continued)

Step 5: Eradication

− Entails removing the cause of an incident and mitigating vulnerabilities pertaining to the incident. All eradication activities are to be documented by the IRT and the information/system owner:
  Specifically, document eradication activities in the incident identification log


Page 26

Procedures (continued)

Step 6: Recovery

− Recovery is the restoration of business operations to the normal condition:
  Verify that restoration actions were successful and that the business operation has returned to its normal condition
  Execute the necessary changes to the system and document recovery actions in the incident identification log
  Notify users of system availability and of security upgrades that were implemented due to the incident


Page 27

Procedures (continued)

Step 7: Follow-up

− Follow-up is a critical step in the incident response process and assists with the response to, and prevention of, future incidents:
  Develop a lessons-learned list, and share it with TMA personnel and with other DoD organizations as applicable
  Amend operating procedures and policies as appropriate
  Provide subsequent workforce training and awareness lessons as necessary


Page 28

Appendices

Page 29

Appendices

Appendix 1: Incident Response Checklist

Legend:
  Denotes tasks in progress
  Denotes completed tasks

Date and Time of incident: _____________________
Location of incident: __________________________
Point of Contact: _____________________________
Date TMA was notified: ________________________
TMA informed by: ___________________________
Date TMA Privacy Officer/CIO was notified: ______________

Notified (DoD 5400.11-R, May 14, 2007):
  ____________ US CERT (within one hour)
  ____________ Agency Privacy Officer/Senior Representative for the Service/Senior DoD component for Privacy (within 24 hours)
  ____________ Defense Privacy Office and component head (within 48 hours)
  ____________ All affected individuals within 10 working days of discovery of the loss, theft or compromise of personal information, once the identities of the individuals have been ascertained
  ____________ Law enforcement authorities, if necessary
  ____________ Ensured incident is reported in accordance with appropriate reporting timelines

Page 30

Appendices (continued)

Appendix 4: Guidelines for Breach Reporting

Reporting of Lost, Stolen, or Compromised Personally Identifiable and/or Protected Health Information

Today’s Date: U.S. Cert #:

a. Component/Organization involved; Point of Contact/E-mail/Telephone #:

b. Date of incident and the number of individuals impacted, to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.:

c. Brief description of incident, to include facts and circumstances surrounding the loss, theft, or compromise:

d. Describe actions taken in response to the incident, to include: whether the incident was investigated and by whom; the preliminary results of the inquiry, if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified and, if they are not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; **what remedial actions have been, or will be, taken to prevent a similar incident in the future (e.g., additional training conducted, new or revised guidance issued, etc.); and any other information that you believe is relevant and pertinent:

**Please fill out and submit the Plan of Action and Milestone Template http://www.tricare.mil/tmaprivacy/downloads/POAandMilestones.doc

(For Official Use Only)

Page 31

Appendices (continued)

Appendix 9: Risk Assessment Table

Columns: No. | Factor | Risk Determination (Low / Moderate / High) | Comments

Notes:
− All breaches of PII, whether actual or suspected, require notification to US-CERT.
− Low and moderate risk/harm determinations, and the decision whether notification of individuals is made, rest with the Head of the DoD Component where the breach occurred.
− All determinations of high risk or harm require notifications.

1. What is the nature of the data elements breached? What PII was involved?

   a. Name only: Low. Comment: Consideration needs to be given to unique names, i.e., those that one or only a few people in the population may have, or those that could readily identify an individual, such as a public figure.

   b. Name plus 1 or more personal identifier (not SSN, Medical or Financial): Moderate. Comment: Additional identifiers include date and place of birth, mother’s maiden name, biometric record and any other information that can be linked or is linkable to an individual.

   c. SSN: High

   d. Name plus SSN: High

   e. Name plus Medical or Financial data: High

2. Number of Individuals Affected

   The number of individuals involved is a determining factor in how notifications are made, not whether they are made.
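As an added worked example (not part of the slide deck), the Appendix 9 data-element rows (1a-1e) and the Step 2 notification timeline from page 22 expressed as a small Python helper that grades a breach and flags late notifications. The "Undetermined" outcome for field combinations the table does not list, and the absence of a federal holiday calendar in the working-day count, are this example's assumptions.

```python
from datetime import datetime, timedelta

# Field labels for breached data elements (constructed for this example).
NAME, SSN, MEDICAL, FINANCIAL = "name", "ssn", "medical", "financial"


def risk_determination(fields, unique_name=False):
    """Apply Appendix 9 rows 1a-1e; returns (level, note). Combinations the table
    does not list (e.g. medical data with no name) come back as 'Undetermined'
    for the IRT Chairman: that fall-through is this example's assumption."""
    fields = set(fields)
    if SSN in fields:
        return "High", "rows c/d: SSN involved, with or without name"
    if NAME in fields and fields & {MEDICAL, FINANCIAL}:
        return "High", "row e: name plus medical or financial data"
    if NAME in fields and len(fields) > 1:
        return "Moderate", "row b: name plus one or more other identifier"
    if fields == {NAME}:
        note = "row a: name only"
        if unique_name:
            note += "; unique name may itself identify the individual"
        return "Low", note
    return "Undetermined", "combination not in Appendix 9; refer to IRT Chairman"


def add_working_days(start, days):
    """Advance start by Mon-Fri working days (assumption: no holiday calendar)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def notification_deadlines(discovered_at, identities_known_at=None):
    """Step 2 timeline from page 22: recipient -> latest notification time."""
    identities_known_at = identities_known_at or discovered_at
    # The 10-working-day clock runs from breach *and* identity discovery,
    # so it starts at whichever of the two happened later.
    individuals_clock = max(discovered_at, identities_known_at)
    return {
        "Leadership": discovered_at,
        "TMA Privacy Office": discovered_at + timedelta(hours=1),
        "US-CERT": discovered_at + timedelta(hours=1),
        "DoD Privacy Office": discovered_at + timedelta(hours=48),
        "Affected individuals": add_working_days(individuals_clock, 10),
    }


def overdue_notifications(deadlines, made):
    """Recipients notified late or not at all; `made` maps recipient -> sent time."""
    return sorted(r for r, due in deadlines.items()
                  if made.get(r) is None or made[r] > due)


def sample_report():
    """Constructed incident: laptop with name + SSN lost, found Fri 2009-06-05 09:00."""
    found = datetime(2009, 6, 5, 9, 0)
    level, _ = risk_determination([NAME, SSN, "address"])
    due = notification_deadlines(found)
    sent = {"Leadership": found,
            "TMA Privacy Office": found + timedelta(minutes=30),
            "US-CERT": found + timedelta(hours=3)}  # late: 1-hour deadline
    return level, due, overdue_notifications(due, sent)
```

Run `sample_report()` to see the constructed incident graded High with the late US-CERT notice and the two notifications not yet made listed as overdue.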

Page 32

TMA Breach Statistics

Page 33

TMA Breach Statistics

Physical Loss/Theft

− Loss/theft of a laptop, briefcase, thumb drive, DVD/CD, paper, or any media

Data in Transit

− Misdirected/misplaced fax

− Accidental/intentional damage to physical package

− Unencrypted email

− Misdirected/misplaced hard/soft-copy document

System/Network Vulnerability

− Servers/networks negatively impacted by malicious code or a virus

− Inadequate/outdated firewalls or security settings

− Incidents resulting from complications of system upgrades

Page 34

TMA Breach Statistics (continued)

[Bar chart: TMA Data Breaches. X-axis: Category (Physical Loss/Theft, Data in Transit, System/Network Vulnerability); y-axis: Number of Breaches (0 to 16); series: 2007, 2008, 2009. The bar values are not present in the transcript.]

Page 35

Summary

You should now be able to:

− Describe the key components of breach reporting, notification, and mitigation

− Define your role in identifying and responding to breaches

− Identify the three components of the TMA Breach Response Administrative Instruction (formerly known as the Breach Notification Standard Operating Procedure)

Page 36

Resources

− DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 2003

− DoD 5400.11-R, “Department of Defense Privacy Program”, May 14, 2007

− DoD 8580.02-R, “DoD Health Information Security Regulation”, July 12, 2007

− TMA Standard Operating Procedure for Breach Notification, October 12, 2007