
Essay: Create Health Data Breach Response Plan: Create a Comprehensive Health Data Breach Response Plan

Essay details:

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024

HEALTH DATA BREACH RESPONSE PLAN

Purpose: The purpose of this health data breach response plan is to provide a comprehensive guide on how to appropriately respond to a data breach within the private network. The Incident Response Team is responsible for putting this plan into action when a breach occurs.  

Definition of PHI data breach: As defined by HIPAA, a data breach is “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information” maintained by the company (OCR, 2009). The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires that notification be given when a breach of PHI has occurred.

There are three exceptions to this rule:

• Unintentional access to PHI by a covered entity or business associate, made in good faith, that does not result in further disclosure in a manner that violates the Privacy Rule;

• Any inadvertent disclosure by an authorized covered entity or business associate to another authorized covered entity or business associate that does not result in further disclosure in a manner that violates the Privacy Rule;

• A disclosure by a covered entity or business associate who has a good faith belief that the unauthorized individual was unable to retain and utilize such information.

What is PHI?

Personal Health Information (PHI) is any information that can be used to identify an individual. Misuse of this information can result in harm, inconvenience, or identity theft for the individual. Examples of PHI include:

• First and last name, or first initial and last name, in combination with one or more of the following:

• Driver’s license number or identification number;

• Social Security number;

• Medical and health information; and

• Debit card number, credit card number, or bank account number.

Types of Breaches: A data breach can occur in multiple ways. Some examples are:

• Lost or stolen devices – electronic devices are used to store and access PHI. Devices that are unencrypted or not password protected are easier to access;

• Firewall Attacks – firewall attacks account for 23% of HIPAA breaches (Karn, 2015). Attack methods include malware, malicious software, or exploiting user profiles;

• Improper Disposal – failure to properly wipe PHI from computers, laptops, phones, tablets, and copiers before disposal can unintentionally hand PHI to another user. Discarding paper documents that contain PHI instead of shredding them or using secure document bins gives unauthorized individuals an opportunity to obtain PHI;

• Breach of Personal Information.

RESPONSIBLE PARTIES

Incident Response Team: The Incident Response Team [IRT] is an interdisciplinary unit whose mission is to prevent unauthorized disclosure of client confidential information and loss of profit by responding immediately and effectively to any notification of a data breach. Members of the IRT include senior leadership representatives from multiple departments. The team brings expertise in information technology, information security, privacy, legal requirements, and law enforcement. The IRT will take appropriate steps to mitigate further damage once a breach has been reported and identified.

The IRT is responsible for preventing breaches related to electronic devices, improper access or disclosure, and improper disposal of confidential information through a series of safety measures and employee training.

IRT Members:

Help Desk Manager – the help desk is the first point of contact when a data breach is noticed or suspected. The help desk is available 24 hours a day, 7 days a week, and can contact the IRT Leader;

IRT Leader – responsible for contacting IRT members, coordinating meetings with the team, and overseeing procedure rollout and recovery. The IRT Leader will meet with the CEO, Administration, and law enforcement. The IRT Leader is also responsible for testing the response plan annually and implementing updated safety measures;

Administration – will notify and train healthcare provider management, clerical staff management, and health information privacy management on preventative and responsive steps to mitigate a data breach;

Director of Information Security – responsible for developing a team of security analysts to determine the location, time, and details of the breach. Also responsible for developing a team of threat researchers to provide a threat assessment;

Compliance Staff – accounting services. Responsible for acquiring and providing funding for IRT response, recovery, and prevention;

Director of Information Technology – responsible for developing a team to analyze network systems and hardware. The Director of Information Technology will work side-by-side with the Director of Information Security to perform the initial investigation;

Legal Counsel – ensures that evidence collected maintains its forensic value if legal action is taken. Also provides advice regarding liability when a breach affects customers, partners, or vendors;

Public Relations Representative – this representative is the ‘face’ of the team. The representative will communicate with the press and board members, provide public statements, and advise on the best way to notify affected individuals with as little damage as possible to the private network’s reputation. The representative is the primary communications coordinator;

Human Resources – Human Resources will take the necessary disciplinary actions if an employee is discovered to be involved in the breach.

NOTIFICATION OF BREACH

A breach has not occurred if there is no HIPAA or Privacy Rule violation regarding the use or disclosure of the PHI.

A breach has not occurred if the data was secured and properly disposed of in a way that makes the PHI unusable, unreadable, and indecipherable to unauthorized users.

A breach has not occurred if the incident qualifies under one of the previously stated exceptions to the HIPAA rule.

If the incident does not fall into one of these categories, move on to the risk analysis.

Breach notification is required for all reported breaches, except when the covered entity or business associate determines that there is a low probability that the PHI has been compromised. In some cases, notification of the breach must also be provided to the media. If a business associate is responsible for the breach, the business associate must notify the covered entity. If the PHI breach involves more than 500 individuals, notification must be provided to the U.S. Department of Health & Human Services (HHS), which will post the breach notice on the HHS website. Finally, the Breach Notification Rule requires covered entities to notify affected individuals of the breach. Notification should be provided within 60 days of the incident report.

RISK ANALYSIS

The HIPAA Omnibus Rule states that any unauthorized acquisition, access, use, or disclosure of PHI in a manner that violates the Privacy Rule is presumed to be a breach unless it is demonstrated that there is a low probability that the PHI has been compromised.

The Omnibus Rule requires a multi-factor risk assessment when determining and documenting the nature of a breach (HIMSS, 2017). The assessment must address the following:

• The nature and extent of the PHI involved, including the types of identifiers;

  - Does the breach include PHI?

  - Does the breach include identifiable data? If so, which identifiers?

  - Does the amount of PHI acquired increase the risk?

• The unauthorized person who used the PHI or to whom it was disclosed;

  - Is the PHI retainable?

  - Is the person a member of the covered entity or business associate?

  - Is the person authorized to see PHI?

  - Is it believed the PHI was taken with the intent to use or sell it?

• Whether the PHI was actually acquired or viewed; and

  - Was the PHI acquired or viewed?

  - If an electronic device was involved, is it possible to show whether PHI was accessed, acquired, used, or disclosed?

• The extent to which the risk has been mitigated.

  - Can the risk be mitigated or the PHI returned?

Figure 1 – Decision Tree for Assessing a Suspected Breach (HIMSS, 2017)

Once a breach has been noticed and identified, immediately contact the Help Desk Manager to begin the breach response procedure. The Help Desk Manager will create a case ticket that includes the name of the reporting individual and the time, date, and place where the breach was noticed. This information will assist the IRT with the investigation. The Help Desk Manager will then notify the IRT Leader.

IMPACT AND LIKELIHOOD ANALYSIS

All data breaches shall be analyzed and classified as low risk, medium risk, or high risk in order to determine the best course of action to take in response. This assessment determines the impact of the compromised PHI and the likelihood of its impermissible use and disclosure.

• What is the impact of a threat compromising PHI?

  - Low Impact: The PHI does not identify the patient

  - Medium Impact: The PHI has the potential to identify the patient

  - High Impact: The PHI easily identifies the patient

• What is the likelihood of the threat affecting PHI?

  - Low Likelihood: The information has a low probability of impermissible use and disclosure

  - Medium Likelihood: The information may be impermissibly used and disclosed

  - High Likelihood: The information is more than likely to be impermissibly used and disclosed

Table 1: Impact – Likelihood Risk Probability

Impact \ Likelihood | Low      | Medium      | High
Low                 | Low Risk | Low Risk    | Low Risk
Medium              | Low Risk | Medium Risk | Medium Risk
High                | Low Risk | Medium Risk | High Risk

There are many methods of performing risk management analysis. However, the steps below, provided by HHS, are adapted for covered entities to use in the risk analysis.

RISK ANALYSIS STEPS

• Identify the scope of the analysis

• Collect data

• Identify potential threats and vulnerabilities

• Assess current security measures

• Determine the likelihood of a threat occurring and the potential impact of its occurrence

• Determine the level of risk

• Identify security measures

IMPACT OF DATA BREACH

Low Risk/Impact: If the risk/impact of the breach is low, the IRT will determine whether corrective measures are required or whether the risk is acceptable.

Medium Risk/Impact: If the risk/impact of the breach rates medium, the IRT will develop and implement, in a timely fashion, a corrective contingency plan that incorporates preventative measures.

High Risk/Impact: If the risk/impact of the breach is high, the existing system may need to be replaced. The Director of IT and Director of IS may deem it necessary to restrict or limit access to the system until a safe and acceptable solution is in place. A corrective contingency plan must be put into place as soon as possible.

RESPONSE TO DATA BREACH

If a data breach has occurred, the Help Desk Manager will notify the IRT Leader. The Director of IT and Director of IS will conduct the initial investigation.

When reporting a suspected breach to the Help Desk, the following information is required for the case ticket:

• Name of the caller reporting the incident

• Time of the report

• Incident discovered

• Which system or person was involved

• Location of the incident

• How the incident was detected and by whom

The Director of IT and Director of IS can then determine specifically which systems were targeted, what information was accessed, where the breach occurred, the IP addresses involved, and the severity of the impact using the risk analysis assessment. The investigation should look at:

• System logs

• System gaps

• Firewall logs

• Network programs

• Password file

• Unusual files

• Host

If a breach has been confirmed, the Directors will notify the IRT Leader. It is up to the IRT Leader to decide which members of the IRT will need to respond to the breach. The IRT will determine the response strategy. Areas to consider include:

• Is the breach ongoing?

• Did it occur inside the network?

• Where are the systems physically located?

• Can the incident be contained?

• Does the incident require the systems to be taken offline?

• What type of incident is it? (virus, worm, hacking, etc.)

• Is PHI threatened?

The Director of IT will assign a team to work on the recovery and restoration of the affected system. The Director of IS will assign a team to work on new security measures and test the system for vulnerabilities. If the breach has a high impact risk and affected more than 500 individuals, the IRT Leader will contact Legal Counsel and the Public Relations Representative to assist with notifying the public, media, business associates, and HHS. If a member of the network is identified as intending to sell or use PHI, the IRT will contact the Human Resources Manager and Legal Counsel. If the IRT determines the incident could have been prevented with further training, the IRT Leader will contact Administration to set up a training schedule for each department.

RECOVERY

The IRT is responsible for locating security vulnerabilities and restoring affected systems. If possible, the IRT will attempt to recover stolen PHI if the information was sold to a third-party.

PERIODIC TESTING

The IRT Leader, Director of IT, and Director of IS will test and review the Data Breach Response Plan quarterly for any vulnerabilities, weak points of access, and the risk of impact and likelihood assessment. If the test reveals vulnerabilities, the IRT members will remedy the error and retest. The Data Breach Response Plan will be updated according to any changes the IRT deems necessary to ensure the HIPAA Privacy Rule and HIPAA Security Rule are not intentionally or unintentionally violated. The IRT can utilize the Risk Management Assessment provided by AHIMA during its periodic test. The list below illustrates the Risk Analysis Methodology as provided by AHIMA (2013).

• System Characterization

• Threat Identification

• Control Assessment

• Vulnerability Identification

• Likelihood Determination

• Impact Analysis

• Risk Determination

• Recommended Controls

• Summary of Findings

SAFEGUARDS

There are three HIPAA security standard safeguards that must be successfully incorporated into any HIPAA compliance program in order to prevent a PHI breach. These safeguards are administrative safeguards, technical safeguards, and physical safeguards. The list below provides methods of implementing these safeguards.

• Administrative Safeguards

  - Security risk analysis must be performed quarterly

  - If technology or practice procedures change before the quarterly risk analysis is performed, an additional security risk analysis must be performed

  - Training sessions are to be provided for every new hire and yearly for the rest of the staff. Failure to complete the training session will result in frozen access to all systems

  - Visible security presence

• Technical Safeguards

  - Data must be encrypted

  - Secure user IDs and passwords

  - Contingency plans are in place and regularly updated

  - Routine audits are conducted

  - Antivirus, anti-malware, and anti-hacking software are installed

  - Transmission security

  - Controlled access to the EHR

• Physical Safeguards

  - Offices, computers, filing cabinets, and storage units must be locked when not in use. Failure to comply may result in theft of PHI or unauthorized use of an employee’s work profile

  - Electronic device control

WHAT IS MY ROLE IN PREVENTION?

The purpose of this training agenda is to ensure all employees are prepared to keep the network and PHI safe from unauthorized access. Topics to be presented in a companywide employee training program include, but are not limited to:

• Protecting confidentiality, ensuring integrity, and maintaining availability

• What is PHI?

  - Components of private health information

• Where is PHI located?

  - EHR

  - Paper files

  - Electronic devices

  - Computers

  - Business associates

• How do breaches occur?

  - Improper internet usage (viruses, malware, hacking)

  - Improper system access

  - Improper disposal

  - Unsafe emails

  - Theft

• Detriments of a PHI breach

  - Loss in profit

  - Identity theft

  - Fraud

  - Financial stress

  - Damage to reputation

• The Do’s and Don’ts of Data Security; examples:

  - Do not share passwords

  - Do not leave workstations unlocked

  - Do not access information without authorization

  - DO update passwords regularly

  - DO lock away documents with PHI

• What to do if you suspect a breach of PHI

  - Contact the Help Desk

  - Know your organization’s contingency plan

Essay Sauce, Create Health Data Breach Response Plan: Create a Comprehensive Health Data Breach Response Plan. Available from: <https://www.essaysauce.com/sample-essays/2017-10-1-1506886262-2/> [Accessed 13-04-26].

* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.