Incident Response Plan for loss or theft and data breach
Scope
This response plan is meant to address privacy/security incidents involving any and all Smith Hospital’s location data, including Smith Hospital’s data under the control or responsibility of a Business Associate or other third party.
Goals of Incident Response

In the event of a privacy/security incident, the goals of Smith Hospital’s Privacy/Security Incident Response Team are to:

1. Investigate the incident internally (in cooperation with law enforcement if necessary);
2. Mitigate potential harm to affected parties;
3. Minimize adverse impact to Smith hospital in an ethically and legally appropriate manner, to include minimizing reduction in operations, reputational harm, and/or financial harm;
4. Appropriately communicate the incident or loss:
a. To affected parties in a timely manner (as appropriate or as otherwise may be required by law);
b. To regulatory agencies, news media, or other entities (as appropriate or required)
c. To staff (as appropriate or required, especially to leadership);
5. Provide guidance or assistance in the development of specific corrective actions (including disciplinary actions when appropriate); and
6. Conduct post-incident reviews, training and education, and provide internal communications in order to minimize potential future incidents.

Defining a Privacy/Security Incident

While the major goals described above are common to all privacy or security incidents, every privacy or security incident involves different degrees of potential risk and different potential for magnitude of harm to Smith hospital. For instance, a minor incident may involve a low risk but inappropriate verbal disclosure of information that is non-sensitive in nature, while a major incident may involve loss or disclosure of sensitive information of multiple affected parties.

For the purposes of this response plan, a privacy incident is any attempt at, or occurrence of, unauthorized acquisition, exposure, disclosure, use, modification or destruction of sensitive data that compromises the security, confidentiality, or integrity of:

• Smith hospital confidential business information (including information relating to its patients, employees, and agents); or
• Individually identifiable information maintained by Smith hospital, its affiliated entities or their agents;
• And:
o May violate privacy/security regulations or laws; or
o May result in the acquirer or another person taking some specific action with the information (e.g., identity theft, extortion, sale of information, internet posting, reporting to media, etc.).
A Security Incident is any known or suspected event or condition which may put the confidentiality, integrity, or availability of sensitive data at risk.

Incident Response Team Members
Appropriate members of the Incident Response Team will be determined by the nature of the incident, but may include a representative(s) from any/all of the following:

o Compliance Officer
o Security Officer
o Privacy and Security Analyst
o Legal Department
o Risk Management
o Information Technology Department
o Public Relations/Marketing Department

Discovery or Reporting of a Privacy/Security Incident
Information relating to privacy/security incidents may be reported or discovered in numerous ways. Some of them are listed below.

1. Patients/members, family members, members of the staff, and others may report (or complain of) a privacy/security incident to any member of the Smith hospital workforce, including employees and contractors (such as call center agents).
2. Employees may report an incident to local management.
3. Workforce members may submit a report by email (Outlook) using their @Smith hospital email address.
4. Employees may report Security Incidents by submitting IT tickets or by contacting staff in the Information Technology Department.
5. Employees may report directly to the Compliance Department in person, by email, or by phone to any member of the Compliance Department or by using the specified department email address ([email protected]).
6. The Compliance function may observe an incident (for instance, while a member is conducting a staff training or during walkthroughs designed to detect risks or spot improper use, disclosure, storage, transmittal, or disposal of information).
7. Business Associates and/or Third Party Vendors may notify a department with whom they conduct business, a member of senior or executive management, or the Compliance Department.
8. Employees may call the Smith hospital Compliance Hotline at 1-800-XXX-SMITH.

Incidents that should be reported may include but are not limited to:

a. Patient Privacy Complaints relating to:
i. Patient Privacy Rights
ii. Communications
iii. Inappropriate use, access or disclosure of health information
b. Employee-related Privacy Concerns relating to:
i. Inappropriate use, access or disclosure of health information
ii. Inappropriate use, access or disclosure of confidential (non-health) information
iii. Inappropriate modification, deletion or destruction of health information
c. Other Concerns relating to:
i. Loss or deletion of stored data; loss or theft of laptops, handheld devices, portable media storage containing confidential business or individually identifiable information.
d. Theft or Loss of Smith hospital Computer Equipment, including:
i. Desktop computers,
ii. Laptop computers,
iii. External hard drives
iv. Compact disks/DVDs
v. Blackberries/Tablets/PDAs,
vi. Thumb drives,
vii. Medical equipment that stores patient information, or
viii. Any other device or storage media (whether issued by Smith hospital or not) which may contain business records or personal information of Smith hospital patients, staff, or affiliates;
e. Computer/Network Intrusions, Data Losses, or other Compromises, including:
i. The unauthorized access, viewing, copying, forwarding, or removal of electronically stored data; or
ii. Any other incidents that result, or may result, in unauthorized acquisition, release, or other compromise of electronically stored business or patient information.
f. Data Transmission Incidents, including:
i. Inadvertent e-mail releases
ii. Unsecured data transmission

Determining that an Incident has Occurred
The Compliance Officer and/or designee(s) have final determination as to whether an incident has occurred that requires an incident response according to this Incident Response Plan. An incident is defined in the section titled “Defining a Privacy/Security Incident.”

If a determination is made that no incident has occurred, responding staff will take appropriate steps to close the response and document the facts and the finding that no incident occurred. This may include communications to staff, keeping in mind that some findings may be restricted.

Involving Management and/or the IT/Compliance Departments
Upon discovery of an incident or receipt of a report that an incident has occurred by any member of the Smith hospital workforce:
1. The receiving or discovering workforce member will perform initial information gathering regarding the incident to assist with reporting and response activities. In general, workforce members should gather:
a. The name and contact information of the reporting individual (if applicable)
b. The location of the incident
c. The circumstances of the incident to include involved parties
2. The receiving or discovering workforce member will communicate incident information to area management, to the Information Technology Departments, and/or to the Compliance Department as appropriate to the circumstances by phone, email, Hotline, or other means.
3. If area management receives a report, it will immediately notify the Information Technology Department and/or the Compliance Department as appropriate to the circumstances.
4. Area management will communicate with the Information Technology Department and/or the Compliance Department (as appropriate to the circumstances) regarding actions to contain an incident, investigate an incident, and mitigate damage to affected individuals and to Smith hospital.
5. The Information Technology Department and the Compliance Department will communicate and collaborate regarding privacy/security incidents.
6. Compliance may require the completion of an Incident Reporting form to obtain enough information to facilitate response.

Initial Response
Smith hospital’s initial response to an incident can make the difference between a situation that is handled properly and a catastrophe. For instance, if a Security Incident is discovered involving hacking of a Smith hospital system or network, the immediate steps taken to stop unauthorized access and secure data could make a huge difference in the amount of damage that could be inflicted to individuals and to Smith hospital.

Depending on the nature of an incident, its scale, potential impact, risk to the organization, or other factors, Smith hospital staff may respond in a variety of ways to include:
• Containment
• Opening of Incident Case Files
• Analysis and Planning
• Escalation & Activation of the Incident Response Team

Containment
When a breach is discovered, the Incident Response Team may determine the need to conduct containment activities to stop additional information from being lost or disclosed, or to reduce the number of persons to whom information may reach. Incident Response Team members may, within their areas of responsibility or collaboratively, take steps to have lost, stolen, or inappropriately disclosed information returned or destroyed. For instance, area managers may attempt to contain and control an incident by suspending certain activities or locking and securing areas of record storage; Human Resources may suspend employees as appropriate to prevent compromising behavior; and the Information Technology Department may shut down particular applications or third party connections, reconfigure firewalls, change computer access codes, or change physical access codes.

The Help Desk must still be notified of the incident to ensure proper notification, resolution and follow up by the appropriate members of the Incident Response Team.

If applicable, staff members closest to the incident will determine the extent of the incident by identifying all information (and systems) affected, and take action to stop the exposure. This may include:
• Securing or disconnecting affected systems
• Securing affected records or documentation
• Halting affected business processes
• Pausing any processes that may rely on exposed information or that may have given rise to the incident (as necessary to prevent further use/exposure/etc)

This would most typically occur in instances of electronic system intrusion, exposed physical (e.g. medical) files or records or similar situations.

If the incident occurred at/by a third party, the Incident Response Team will determine if a legal contract and business associate agreement exist. The Compliance Officer and/or designee will work with the Legal Department and the department holding the contract/business associate agreement to review the contract terms and determine the next course of action.
Continuing Response
Smith hospital must continue to take action on a breach in order to understand what has happened, to reduce the potential for resulting damages (both to affected individuals and to the organization), to correct what happened, to prevent future recurrence, to inform parties as appropriate, and to fulfill requirements of law.

To do so, the following steps must be carried out in response to privacy/security incidents:
• Investigation
• Mitigation and Correction
• Notification
• Closing of Incident Case File
• Reporting

Analysis and Planning
Upon notification of a real or potential privacy/security incident, the Compliance Officer or designee will perform a preliminary analysis of the facts and assess the situation to determine the nature and extent of the incident. Such analysis may include contacting the individual who reported the problem.
Analysis will also include research into any potential legal concerns beyond the more familiar federal regulations. For instance, if information is breached for a member who resides in California, analysis will include reviewing California’s privacy, security, and breach notification laws to determine reporting and other requirements of the laws of that state.

The Compliance Officer or designee, with guidance as necessary from Incident Response team members, will establish a specific incident response plan to investigate the incident, mitigate the damages associated with the exposure or disclosure of personal information, and communicate as necessary with staff, law enforcement, the media, and others. Timeliness of establishing and carrying out the plan may be critical to the public’s image of Smith hospital. As needed, any/all members of the Incident Response Team may be involved in carrying out the activities of the Incident Response Plan. The plan will address the following:

• Review of initial containment activities
o Communication regarding containment activities taken thus far
o Assessing risks to information and systems
o Determination of additional containment measures
o Determination of the need to inform law enforcement (for instance, it may be appropriate to notify the FBI in cases of identity theft or hacking). Approval from Legal is required unless the workforce member determines that a delay could result in harm to the company or to individuals internal or external to the company.

• Investigation Planning
o Assignment of and coordination with Investigators
o Evidence gathering planning
o Interview planning

• Communications/Public Relations Planning
o Assess how an incident and the response to it may affect Smith hospital’s reputation and public image.
o Internal Communications
▪ Determine the need to notify Administration at one, some or all Smith hospital facilities
▪ Determine the need to notify all current employees of the incident or employees of the affected facility or department only
▪ Determine how employees will be notified (email, mail to home, mandatory staff meetings, etc.)
▪ Determine who will communicate to the staff
▪ Determine material content of the notification
o External Communications
▪ Determine the need for external communications to covered entity, media (press conference or press release if Covered Entity is required to notify the media), etc.
▪ Determine who will represent Smith hospital publicly
▪ Determine the material content of the Press Conference and/or Press Release
o Determine the need to post information regarding the incident to the Smith hospital website

Investigation
Thorough investigation, and documentation of that investigation, is a critical component of incident response. Thorough investigation and documentation needs to be timely, accurate, and professional, and serves several purposes as listed below.
Purposes of thorough Investigation:
• Shows due diligence in complying with legal and regulatory requirements.
• Provides management with accurate and detailed information. This is essential to correct processes, contain damage, communicate with staff and with external affected persons, and take other appropriate measures.
• Promotes fair, just, and more objective outcomes in regard to the handling of workforce members, especially as it pertains to discipline.
• Reduces the chances for mistakes that may occur due to incomplete or incorrect information.
• Provides documentation showing the organization’s commitment to protection of the information it holds.
• Provides documentation that may be used in civil or criminal proceedings even years after an incident occurred.

Investigation needs to be timely to ensure the most accurate information and to comply with required timeframes. Even so, internal investigations and gathering of data may take several days or even weeks. In the event that law enforcement is involved, this can stretch into months.

Investigation may involve:
• If lost/stolen equipment is recovered, the Information Services Department and the Security Officer may conduct detailed forensics on the equipment in an attempt to determine if business or personal information stored on the equipment was accessed or compromised in any way.
• Involved parties may need to notify local and/or federal law enforcement authorities to assist in further investigation, particularly in cases of lost/stolen equipment. In most cases, Legal and Risk Management should be consulted before law enforcement is contacted.
• If an incident involves a third party such as a business associate, staff may have to communicate with the third party to determine who will be responsible for notifying local and/or federal law enforcement authorities.
• The Human Resources Department may assist with interviewing workforce members; provide guidance to ensure consistent enforcement of discipline; and take action involving staff (such as suspending employees to prevent further damage).
• Complainants, recipients of inappropriately disclosed information, and others may be contacted for questioning or to request return or destruction of information.

Mitigation and Correction
Smith hospital has a legal and ethical obligation to mitigate (reduce) any harmful effects that result from privacy and security incidents. Though this is only legally required if Smith hospital “has actual knowledge of harm,” Smith hospital will also take reasonable and appropriate steps to prevent harm from occurring either to individuals or to the Smith hospital organization. Actual privacy/security incidents may result in negative outcomes for the affected parties several months or years later – Smith hospital must acknowledge and be prepared to handle this risk appropriately.

Closely tied to mitigation, correction should occur after any privacy or security incident in order to prevent future recurrence and to comply with organizational policy.

Examples of Correction:
• As appropriate, revise written policies and procedures that may be deficient.
• Assess informal/unwritten processes and practices and make changes that correct or improve them.
• Follow human resources policy and disciplinary action guidelines to determine need for disciplinary action on any Smith hospital employee involved in the incident (Human Resources to be involved)
• Determine the need for additional staff training.
• Determine the need for increased security (physical or electronic) measures.

Closing the Incident Case File
Before an incident case file can be closed, Smith hospital must have met the goals of incident response. To recap, those goals are to:
1. Investigate the incident internally (in cooperation with law enforcement if necessary);
2. Mitigate potential harm to affected parties;
3. Minimize adverse impact to Smith hospital in an ethically and legally appropriate manner, to include minimizing reduction in operations, reputational harm, and/or financial harm;
4. Appropriately communicate the incident or loss:
a. To affected parties in a timely manner (as appropriate or as otherwise may be required by law);
b. To regulatory agencies, news media, or other entities (as appropriate or required)
c. To staff (as appropriate or required);
5. Provide guidance or assistance in the development of specific corrective actions (including disciplinary actions when appropriate); and
6. Conduct post-incident reviews, training and education, and provide internal communications in order to minimize potential future incidents.

All information relating to the incident and activities to meet these goals will be documented in the incident case file before it can be closed. A closed incident case file will be retained according to the HIPAA Document Retention Policy.